Source: Submitted Sample | Integrated Neural Analysis Model: Matched 83.6% probability |
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
Source: unknown | HTTPS traffic detected: 104.21.29.144:443 -> 192.168.2.6:49722 version: TLS 1.2 |
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: | Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb source: file.tmp, 00000003.00000003.2518406621.0000000003870000.00000004.00001000.00020000.00000000.sdmp, idp.dll.3.dr |
Source: | DNS query: pleasuresky.xyz |
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS |
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic | HTTP traffic detected: GET /pe/start/index.php?a=2927&p=4143&t=51166691 HTTP/1.1; Accept: */*; User-Agent: InnoDownloadPlugin/1.5; Host: pleasuresky.xyz; Connection: Keep-Alive; Cache-Control: no-cache |
Source: global traffic | DNS traffic detected: DNS query: pleasuresky.xyz |
Source: file.tmp, 00000003.00000002.2520555768.000000000018F000.00000004.00000010.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2518406621.0000000003870000.00000004.00001000.00020000.00000000.sdmp, idp.dll.3.dr | String found in binary or memory: http://bitbucket.org/mitrich_k/inno-download-plugin |
Source: file.tmp, 00000003.00000002.2520555768.000000000018F000.00000004.00000010.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2518406621.0000000003870000.00000004.00001000.00020000.00000000.sdmp, idp.dll.3.dr | String found in binary or memory: http://mitrichsoftware.wordpress.comB |
Source: file.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU |
Source: file.tmp, 00000003.00000003.2515567178.0000000000975000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2518734526.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2509130510.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000002.2520878364.000000000097C000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000002.2520878364.0000000000918000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000002.2521163705.00000000009C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pleasuresky.xyz/ |
Source: file.tmp, 00000003.00000003.2515567178.0000000000975000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000002.2520878364.000000000097C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pleasuresky.xyz/e |
Source: file.tmp, 00000003.00000002.2520878364.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pleasuresky.xyz/osoft |
Source: file.exe, 00000002.00000003.2522338093.00000000022C2000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000002.00000003.2463639875.0000000002570000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000002.2521163705.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2518734526.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2468497492.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000002.2520878364.0000000000918000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2509130510.000000000099E000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2519669526.0000000000C51000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2509130510.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2518734526.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2519669526.0000000000C6E000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2509130510.00000000009A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pleasuresky.xyz/pe/start/index.php?a=2927&p=4143&t=51166691 |
Source: file.tmp, 00000003.00000003.2518734526.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2509130510.00000000009A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pleasuresky.xyz/pe/start/index.php?a=2927&p=4143&t=511666918 |
Source: file.tmp, 00000003.00000002.2520878364.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pleasuresky.xyz/pe/start/index.php?a=2927&p=4143&t=51166691Authority |
Source: file.tmp, 00000003.00000002.2521163705.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2509130510.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2518734526.00000000009CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pleasuresky.xyz/pe/start/index.php?a=2927&p=4143&t=51166691D4 |
Source: file.tmp, 00000003.00000002.2520878364.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pleasuresky.xyz/pe/start/index.php?a=2927&p=4143&t=51166691l |
Source: file.tmp, 00000003.00000002.2521163705.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2509130510.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000003.2518734526.00000000009CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pleasuresky.xyz/pe/start/index.php?a=2927&p=4143&t=51166691yv |
Source: file.exe, 00000002.00000003.2464708641.0000000002570000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000002.00000003.2465108220.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000000.2467127389.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.2.dr | String found in binary or memory: https://www.innosetup.com/ |
Source: file.exe, 00000002.00000003.2464708641.0000000002570000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000002.00000003.2465108220.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000000.2467127389.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.2.dr | String found in binary or memory: https://www.remobjects.com/ps |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722 |
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724 |
Source: file.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows |
Source: file.exe, 00000002.00000003.2465108220.000000007FE35000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs file.exe |
Source: file.exe, 00000002.00000003.2464708641.0000000002668000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs file.exe |
Source: file.exe, 00000002.00000003.2522338093.00000000022D8000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs file.exe |
Source: file.exe, 00000002.00000000.2463344098.00000000004C6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs file.exe |
Source: file.exe | Binary or memory string: OriginalFileName vs file.exe |
Source: classification engine | Classification label: mal52.troj.winEXE@6/3@1/1 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:120:WilError_03 |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-KP2VF.tmp\geed.bat"" |
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization |
Source: file.exe | String found in binary or memory: /LOADINF="filename" |
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" |
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp" /SL5="$20406,922170,832512,C:\Users\user\Desktop\file.exe" |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-KP2VF.tmp\geed.bat"" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: netapi32.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: mpr.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: version.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: netapi32.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: winhttp.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: netutils.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: uxtheme.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: wtsapi32.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: winsta.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: textinputframework.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: coreuicomponents.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: coremessaging.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: ntmarta.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: wintypes.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: windows.storage.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: wldp.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: profapi.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: shfolder.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: rstrtmgr.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: ncrypt.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: ntasn1.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: wininet.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: iertutil.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: sspicli.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: mswsock.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: iphlpapi.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: winnsi.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: urlmon.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: srvcli.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: dnsapi.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: rasadhlp.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: fwpuclnt.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: schannel.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: mskeyprotect.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: msasn1.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: dpapi.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: cryptsp.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: rsaenh.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: cryptbase.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: gpapi.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Section loaded: ncryptsslp.dll |
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner |
Source: file.exe | Static file information: File size 1764409 > 1048576 |
Source: file.exe | Static PE information: section name: .didata |
Source: file.tmp.2.dr | Static PE information: section name: .didata |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Temp\is-KP2VF.tmp\idp.dll |
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Temp\is-KP2VF.tmp\_isetup\_setup64.tmp |
Source: C:\Users\user\Desktop\file.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KP2VF.tmp\idp.dll |
Source: C:\Users\user\AppData\Local\Temp\is-UPQ01.tmp\file.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KP2VF.tmp\_isetup\_setup64.tmp |
Source: file.tmp, 00000003.00000003.2515567178.0000000000982000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000003.00000002.2520878364.0000000000986000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW"~ |
Source: file.tmp, 00000003.00000003.2515567178.0000000000982000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: file.tmp, 00000003.00000002.2520878364.0000000000918000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW( |