
Analysis Report csrss.exe

Overview

General Information

Sample Name: csrss.exe
Analysis ID: 339538
MD5: fd7d9bb7dc87ec1f9eb4bea4a2b1f599
SHA1: d309fd468186aece5ac95236fe43caf117b1ace1
SHA256: 24a8019e1a5b4ffee8c7884fa515767d939a86ee3d378f1448dbe7730daffb3f

Detection

Glupteba
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Glupteba
Found Tor onion address
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Checks if the current process is being debugged
May use bcdedit to modify the Windows boot settings
One or more processes crash
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • csrss.exe (PID: 6712 cmdline: 'C:\Users\user\Desktop\csrss.exe' MD5: FD7D9BB7DC87EC1F9EB4BEA4A2B1F599)
    • WerFault.exe (PID: 6764 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6712 -s 272 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found
Source | Rule | Description | Author | Strings
csrss.exe | JoeSecurity_Glupteba | Yara detected Glupteba | Joe Security |
Process Memory Space: csrss.exe PID: 6712 | JoeSecurity_Glupteba | Yara detected Glupteba | Joe Security |
0.0.csrss.exe.400000.0.unpack | JoeSecurity_Glupteba | Yara detected Glupteba | Joe Security |
0.2.csrss.exe.400000.0.unpack | JoeSecurity_Glupteba | Yara detected Glupteba | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: csrss.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: csrss.exe | Virustotal: Detection: 43%
Yara detected Glupteba
Source: Yara match | File source: csrss.exe, type: SAMPLE
Source: Yara match | File source: Process Memory Space: csrss.exe PID: 6712, type: MEMORY
Source: Yara match | File source: 0.0.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: csrss.exe | Joe Sandbox ML: detected

Bitcoin Miner:

Yara detected Glupteba
Source: Yara match | File source: csrss.exe, type: SAMPLE
Source: Yara match | File source: Process Memory Space: csrss.exe PID: 6712, type: MEMORY
Source: Yara match | File source: 0.0.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: csrss.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, RELOCS_STRIPPED

Networking:

Found Tor onion address

E-Banking Fraud:

Yara detected Glupteba
Source: Yara match | File source: csrss.exe, type: SAMPLE
Source: Yara match | File source: Process Memory Space: csrss.exe PID: 6712, type: MEMORY
Source: Yara match | File source: 0.0.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6712 -s 272
Source: csrss.exe, 00000000.00000002.217676971.000000000090F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKernelbasej% vs csrss.exe
Source: csrss.exe, 00000000.00000000.212802673.0000000000718000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamemfps.dllj% vs csrss.exe
Source: csrss.exe | Binary or memory string: OriginalFilenamemfps.dllj% vs csrss.exe
Source: csrss.exe | Binary or memory string: OriginalFilenameKernelbasej% vs csrss.exe
Source: csrss.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, RELOCS_STRIPPED
Source: csrss.exe | Binary string: \Device\HarddiskVolume2\Users\LKDR\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\29bf4ec1aa2307ea_0b}
Source: classification engine | Classification label: mal76.troj.evad.winEXE@2/0@0/0
Source: csrss.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\csrss.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: csrss.exe, 00000000.00000000.212740349.000000000070B000.00000002.00020000.sdmp | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: csrss.exe, 00000000.00000000.212740349.000000000070B000.00000002.00020000.sdmp | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: csrss.exe, 00000000.00000000.212740349.000000000070B000.00000002.00020000.sdmp | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: csrss.exe, 00000000.00000000.212740349.000000000070B000.00000002.00020000.sdmp | Binary or memory string: SELECT ALL id FROM %s;
Source: csrss.exe, 00000000.00000000.212740349.000000000070B000.00000002.00020000.sdmp | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: csrss.exe, 00000000.00000000.212740349.000000000070B000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: csrss.exe, 00000000.00000000.212740349.000000000070B000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: csrss.exe, 00000000.00000000.212740349.000000000070B000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: csrss.exe | Virustotal: Detection: 43%
          Source: csrss.exe String found in binary or memory: to unallocated span%%!%c(*big.Float=%s)%s\Sysnative\cmd.exe/bots/report-install37252902984619140625Arabic Standard TimeAzores Standard TimeCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWDHT has wrong lengthDQT has wrong lengthDRI has wrong lengthEgyptian_HieroglyphsFileTimeToSystemTimeGetAcceptExSockaddrsGetAdaptersAddressesGetCurrentDirectoryWGetFileAttributesExWGetProcessMemoryInfoGetWindowsDirectoryWGlobal\wupEvent31337IDS_Trinary_OperatorInsufficient StorageIsrael Standard TimeJordan Standard TimeMAX_HEADER_LIST_SIZEMalformed JSON errorMediapartners-GoogleMeroitic_HieroglyphsNtUnmapViewOfSectionNtWriteVirtualMemoryOffline Explorer/2.5ProcessIdToSessionIdQueryServiceConfig2WQueryServiceStatusExRegisterEventSourceWRequest URI Too LongSHGetKnownFolderPathSOF has wrong lengthSOS has wrong lengthSafeArrayDestroyDataSafeArrayGetElemsizeSeek: invalid offsetSeek: invalid whenceSetCurrentDirectoryWSetHandleInformationSetVolumeMountPointWTaipei Standard TimeTerminal_PunctuationTurkey Standard TimeUnprocessable EntityWinmonProcessMonitor[invalid char class]asn1: syntax error: bad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection error: %sconnection timed outcouldn't disable DSEcouldn't get DI bitscouldn't get IsAdmincouldn't get serverscouldn't run servicecouldn't set IsAdmincouldn't set serverscouldn't stop PsaSvccouldn't write patchdoublepulsar: %s: %selectrum.hsmiths.comelectrum.taborsky.czelectrum.villocq.comevent does not existfloating point errorforcegc: phase errorgc_trigger underflowget-unverified-filesgetadaptersaddressesgo of nil func valuegopark: bad g statusgzip: invalid headerheader line too longhttp2: stream closedhttps://babsitef.cominvalid repeat countinvalid request codeis a named type filejson: Unmarshal(nil json: Unmarshal(nil)key has been revokedmSpanList.insertBackmalformed ciphertextmalloc during signalmultiple SOF markersmutex does not existno such struct fieldnon-empty swept listnot an integer classnot enough argumentsnotetsleep not on g0number has no digitsnumber of componentsp mcache not flushedpacer: assist ratio=pad length too largepreempt off reason: reflect.Value.SetIntreflect.makeFuncStubregistry-get-startuproot\SecurityCenter2runtime: casgstatus runtime: double waitruntime: unknown pc semaRoot rotateRightshort segment lengthsystemdrive is emptytime: invalid numbertrace: out of memoryunexpected method IDunexpected network: unknown address typeuser is not an adminwirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found gp.gcscanvalid=true
          Source: csrss.exe String found in binary or memory: *,identity,gzip,deflate/bots/scheduled-install23283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCLIENT_TRAFFIC_SECRET_0CertGetCertificateChainCreateProcessWithLogonWCreateProcessWithTokenWDeleteVolumeMountPointWDestroyEnvironmentBlockDownload Demon/3.5.0.11E. Africa Standard TimeE. Europe Standard TimeFreeEnvironmentStringsWGetEnvironmentVariableWGetLogicalDriveStringsWGetSidSubAuthorityCountGetSystemTimeAsFileTimeGlobal\Mp6c3Ygukx29GbDkGlobal\ewzy5hgt3x5sof4vGlobal\h48yorbq6rm87zotGlobal\y7ze3fznx1u0yc2zGreenland Standard TimeGreenwich Standard TimeImpersonateLoggedOnUserLogical_Order_ExceptionLord Howe Standard TimeMB during sweep; swept Marquesas Standard TimeMauritius Standard TimeNoncharacter_Code_PointOSArchitecture is emptyQueryServiceLockStatusWSERVER_TRAFFIC_SECRET_0SafeArrayCreateVectorExSetEnvironmentVariableWSetInformationJobObjectSetProcessPriorityBoostSetThreadExecutionStateSingapore Standard TimeSri Lanka Standard TimeTocantins Standard TimeVariant Also NegotiatesVariantTimeToSystemTimeVenezuela Standard TimeW. Europe Standard TimeWSAGetOverlappedResultWest Asia Standard TimeWest Bank Standard Time" not found in registry", missing CPU support
          Source: csrss.exe String found in binary or memory: > (den<<shift)/2unable to get data structureunexpected end of JSON inputunexpected protocol version update couldn't execute file cannot be converted to type 45474735088646411895751953125Adobe Application Manager 2.0Central America Standard TimeCentral Pacific Standard TimeChatham Islands Standard TimeGetSystemPreferredUILanguagesGetThreadPreferredUILanguagesGetVolumeInformationByHandleWHuffman table has zero lengthLockOSThread nesting overflowMicrosoft Security EssentialsMon, 02 Jan 2006 15:04:05 GMTMon, 02 Jan 2006 15:04:05 MSTMon, 02-Jan-2006 15:04:05 MSTN. Central Asia Standard TimeNon-Authoritative InformationNorth Asia East Standard TimeProxy Authentication RequiredSWbemServices has been closedScreaming Frog SEO Spider/8.1Standard VGA Graphics AdapterTime.UnmarshalBinary: no dataUnavailable For Legal ReasonsWinmonSystemMonitor-10-64.sysaddspecial on invalid pointerbad spectral selection boundsbufio.Scanner: token too longcouldn't create smb directorycouldn't get current filenamecouldn't listen and serve SMBcouldn't query service configcouldn't set servers versionscrypto/aes: invalid key size crypto/des: invalid key size crypto/rc4: invalid key size dup idle pconn %p in freelistelectrum.festivaldelhumor.orgelectrumx.electricnewyear.netexec: Wait was already calledfailed to copy old config: %wfailed to get MAC-address: %wfailed to get campaign ID: %wfailed to parse server %s: %wfailed to prepare command: %wfailed to set campaign ID: %wfailed to set secure boot: %wgc done but gcphase != _GCoffgfput: bad status (not Gdead)http2: client conn not usablehttp: idle connection timeoutinteger not minimally-encodedinternal error: took too muchinvalid character class rangeinvalid header field value %qinvalid length of trace eventio: read/write on closed pipeluma/chroma subsampling ratiomachine is not on the networkmime: invalid media parametermismatched local address typeneed padding in bucket (elem)no XENIX semaphores availablenotesleep - waitm out of syncnumerical result out of rangeoperation already in progresspadding contained in alphabetprotocol family not supportedreflect: Elem of invalid typereflect: Out of non-func typerepeated component identifierruntime.semasleep wait_failedruntime: impossible type kindruntime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: stat underflow: val runtime: sudog with non-nil cruntime: unknown pc in defer semacquire not on the G stackspecified name does not existstring concatenation too longsyntax error scanning booleantimeBegin/EndPeriod not foundtls: DialWithDialer timed outtls: invalid NextProtos valuetls: invalid client key sharetls: invalid server key sharetls: too many ignored recordstls: use of closed connectiontoo many open files in systemunknown IP protocol specifiedunknown certificate authorityx509: cannot parse URI %q: %sx509: cannot parse dnsName %qzero length OBJECT IDENTIFIERzip: FileHeader.Name too long (types from different scopes) in prepareForSweep; sweepge
          Source: csrss.exe String found in binary or memory: tls: client's Finished message is incorrecttls: received malformed key_share extensiontls: unsupported signature algorithm: %#04xtransform: inconsistent byte count returnedunknown runnable goroutine during bootstrapuuid: incorrect UUID length %d in string %qx509: Common Name is not a valid hostname: x509: failed to parse dnsName constraint %q using value obtained using unexported fieldHKEY_USERS\%s\Software\EpicNet Inc.\CloudNetMSIE (MSIE 6.0; X11; Linux; i686) Opera 7.23Mozilla/4.77 [en] (X11; I; IRIX;64 6.5 IP30)cipher: NewGCM requires 128-bit block ciphercouldn't determine whether token is elevatedcouldn't determine whether user is admin: %scouldn't get scripthash transactions historycouldn't install WinmonProcessMonitor drivercrypto/sha256: invalid hash state identifiercrypto/sha512: invalid hash state identifierencoding alphabet contains newline charactergcmarknewobject called while doing checkmarkhttp2: could not negotiate protocol mutuallyhttp2: invalid Connection request header: %qhttp: Request.ContentLength=%d with nil Bodyhttp: putIdleConn: too many idle connectionshttps://easywbdesign.com/api/install-failureiTunes/4.2 (Macintosh; U; PPC Mac OS X 10.2)insufficient data for calculated length typemime: unexpected content after media subtypeout of memory allocating heap arena metadatareflect: funcLayout with interface receiver reflect: slice length out of range in SetLensmbtest %v is likely VULNERABLE to MS17-010!tls: failed to verify client's certificate: tls: invalid certificate signature algorithmtls: server sent an incorrect legacy versiontls: server's Finished message was incorrectuse of WriteTo with pre-connected connectionx509: internal error: cannot parse domain %q (Client.Timeout exceeded while reading body)((?:[0-9A-Fa-f]{2}[:-]){5}(?:[0-9A-Fa-f]{2}))Opera/9.20 (Macintosh; Intel Mac OS X; U; en)SELECT BuildNumber FROM Win32_OperatingSystemValue is number, but overflowed while parsingcannot send after transport endpoint shutdowncharacter string exceeds maximum length (255)context: internal error: missing cancel errorcouldn't determine whether service is runningexitsyscall: syscall frame is no longer validheapBitsSetType: called with non-pointer typehttp: no Client.Transport or DefaultTransporthttp: putIdleConn: connection is in bad stateinvalid request :path %q from URL.Opaque = %qjson.RawMessage: UnmarshalJSON on nil pointermath/big: cannot unmarshal %q into a *big.Intnet/http: internal error: connCount underflowparsing/packing of this section has completedreflect: internal error: invalid method indexreflect: nil type passed to Type.AssignableToruntime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not identicalx509: IP constraint contained invalid mask %xx509: certificate signed by unknown authorityzero length explicit tag was not an asn1.FlagELinks (0.4pre5; Linux 2.6.10-ac7 i686; 80x33)Mozilla/4.0 (PSP (PlayStation P
          Source: csrss.exe String found in binary or memory: 148.190.214.125.in-addr.arpa.
          Source: csrss.exe String found in binary or memory: /tmp/371638379/src/application/app/install.go
          Source: csrss.exe String found in binary or memory: /tmp/371638379/src/application/resilience/btcblockchain/address.go
          Source: unknown Process created: C:\Users\user\Desktop\csrss.exe 'C:\Users\user\Desktop\csrss.exe'
          Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6712 -s 272
          Source: csrss.exe Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: csrss.exe Static file information: File size 7421952 > 1048576
          Source: csrss.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2bd000
          Source: csrss.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x30e000
          Source: csrss.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x146000
          Source: csrss.exe Static PE information: section name: .symtab
          Source: csrss.exe Binary or memory string: flate: internal error: garbage collection scangcDrain phase incorrecthttp2: handler panickedhttp2: invalid trailershttp: request too largehttps://blockchain.infoindex out of range [%x]interrupted system callinvalid URI for requestinvalid escape sequenceinvalid m->lockedInt = json: cannot unmarshal left over markroot jobsmakechan: bad alignmentmalformed HTTP responsemissing 0xff00 sequencemissing port in addressmissing protocol schememissing type in runfinqnanotime returning zeronet/http: abort Handlernetwork not implementedno application protocolno space left on devicenon-zero reserved fieldoperation not permittedoperation not supportedpanic during preemptoffpoll signature verifiedprocresize: invalid argreflect.Value.Interfacereflect.Value.NumMethodreflect.methodValueCallregistry: path is emptyruntime: internal errorruntime: invalid type runtime: netpoll failedruntime: physPageSize= runtime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longservice needs an updatespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (text/css; charset=utf-8text/xml; charset=utf-8tls: invalid PSK bindertoo many pointers (>10)truncated tag or lengthunexpected Huffman codeunexpected address typeunexpected map key typeunknown error code 0x%xunsupported certificatevarint integer overflowwork.nwait > work.nproc%s\Sysnative\bcdedit.exe/bots/post-ia-data?uuid=116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorWCape Verde Standard TimeCertFreeCertificateChainCreateToolhelp32SnapshotGenerateConsoleCtrlEventGetProcessImageFileNameWGetSystemTimeAsFileTimeGetUserProfileDirectoryWGetWindowThreadProcessIdMagallanes Standard TimeMontevideo Standard TimeMozilla/2.02E (Win95; U)North Asia Standard TimePacific SA Standard TimeQueryPerformanceCounterRequest Entity Too LargeSA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorUS Eastern Standard Time", required CPU feature
          Source: C:\Users\user\Desktop\csrss.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\csrss.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

          Malware Analysis System Evasion:

          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: csrss.exe Binary or memory string: , S.BASE()=, S.NPAGES=, SETTINGS:.WITHCANCEL/API/REPORT/APP/VC.EXE/DEV/STDERR/DEV/STDOUT/INDEX.HTML30517578125: FRAME.SP=; MAX-AGE=0<INVALID OPBAD GATEWAYBAD REQUESTCLASSHESIODCLOSEHANDLECLOSEWINDOWCOGETOBJECTCOOKIE.PATHCREATEFILEWDELETEFILEWDISPLAYNAMEE-X.NOT.FYIENABLE_PUSHEND_HEADERSEARLY HINTSENUMWINDOWSEXITPROCESSFREELIBRARYGOTRACEBACKGETFILESIZEGETFILETYPEGETMESSAGEWHTTPS_PROXYISO 8859-10ISO 8859-13ISO 8859-14ISO 8859-15ISO 8859-16ISO-8859-6EISO-8859-6IISO-8859-8EISO-8859-8IIDEOGRAPHICIN-REPLY-TOINSTCAPTUREINSTRUNEANYINSTALLDATEMACHINEGUIDMEDEFAIDRINMESSAGEBOXWMOVEFILEEXWNETSHAREADDNETSHAREDELNEW_TAI_LUEOLD_PERSIANOLD_SOGDIANOPENPROCESSPRIVATE KEYPAU_CIN_HAUREAD %Q: %VREGCLOSEKEYRETURN-PATHSYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETESTING KEYTTL EXPIREDVT_RESERVEDVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDERWINDOWS 874[:^XDIGIT:]\DSEFIX.EXEALARM CLOCKAPPLICATIONATTACK_TYPEBAD ADDRESSBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCOMPAIGN_IDCREATED BY CRYPT32.DLLDNSMESSAGE.E2.KEFF.ORGFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGETPEERNAMEGETSOCKNAMEHOST IS NILHTTPS_PROXYI/O TIMEOUTLOCAL ERRORLOST MCACHEMSPANMANUALMETHODARGS(MSWSOCK.DLLNEXT SERVERNIL CONTEXTNOTIFY-HOSTORANNIS.COMRAW-CONTROLREFLECT.SETRETRY-AFTERRUNTIME: P RUNTIME: P SCHEDDETAILSECUR32.DLLSHELL32.DLLSHORT WRITETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUPDATE-DATAUPLOAD-FILEUSERENV.DLLVERSION=177VM DETECTEDVMUSRVC.EXEWININET.DLLWUP_PROCESS (SENSITIVE) [RECOVERED] ALLOCCOUNT FOUND AT *( GCSCANDONE M->GSIGNAL= MINTRIGGER= NDATAROOTS= NSPANROOTS= PAGES/BYTE
          Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
          Source: csrss.exe Binary or memory string: unknown network verify-signatureworkbuf is emptywww-authenticate initialHeapLive= spinningthreads=%%!%c(big.Int=%s)%d-%02d-%02d %02d/bots/update-data0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method ; SameSite=StrictAdjustTokenGroupsCOMPRESSION_ERRORCanSet() is falseCreateStdDispatchData[compaign_id]DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIBM Code Page 037IBM Code Page 437IBM Code Page 850IBM Code Page 852IBM Code Page 855IBM Code Page 860IBM Code Page 862IBM Code Page 863IBM Code Page 865IBM Code Page 866If-Modified-SinceLookupAccountSidWMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5ReadProcessMemoryRegLoadMUIStringWSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenToo Many RequestsTransfer-EncodingUnified_IdeographWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDNbad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcouldn't hide WUPcouldn't hide appcouldn't registercpu name is emptydecryption faileddiscover-electrumelectrumx.soon.itembedded/%s32.sysembedded/%s64.sysenode.duckdns.orgentersyscallblockerbium1.sytes.netexec format errorexec: not startedexponent overflowfile URL is emptyfilename is emptyfractional secondget-logfile-proxygp.waiting != nilgroom_allocationshandshake failureif-modified-sinceillegal parameterin string literalindex > windowEndinteger too largeinvalid bit size invalid stream IDkey align too biglibwww-perl/5.820locked m0 woke upmark - bad statusmarkBits overflowmissing closing )missing closing ]missing extensionnil resource bodyno data availablenotetsleepg on g0permission deniedrecords are emptyreflect.Value.Capreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of runtime.newosprocruntime: a.base= runtime: b.base= runtime: nameOff runtime: next_gc=runtime: pointer runtime: textOff runtime: typeOff scanobject n == 0seeker can't seekselect (no cases)stack: frame={sp:thread exhaustiontransfer-encodingtruncated headersunexpected app IDunknown caller pcwait for GC cyclewine_get_version
          Source: csrss.exe Binary or memory string: is unavailable%d smbtest done()<>@,;:\"/[]?=0601021504Z0700476837158203125: cannot parse :ValidateLabels; SameSite=None<invalid Value>ASCII_Hex_DigitAccept-EncodingAccept-LanguageAddDllDirectoryBelowExactAboveCDN updated: %sCLSIDFromProgIDCLSIDFromStringCreateHardLinkWCreateWindowExWData[exploited]DefaultInstanceDelegateExecuteDeviceIoControlDuplicateHandleElectrumX 1.2.1Failed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGateway TimeoutGetActiveObjectGetAdaptersInfoGetCommandLineWGetProcessTimesGetSecurityInfoGetStartupInfoWHanifi_RohingyaIdempotency-KeyImpersonateSelfLength RequiredLoadLibraryExALoadLibraryExWNonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For]
          Source: csrss.exe Binary or memory string: entersyscalleternalblue:event-existsexit status found av: %sgcpacertraceget_app_namegetaddrinfowgot TI tokenhost is downhttp2debug=1http2debug=2illegal seekinstall_dateinvalid baseinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmutex-existsnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangepointtopointproxyconnectreflect.Copyreleasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffertransmitfileulrichard.chunexpected )unknown portunknown typeurl is emptyvmtoolsd.exewatchdog.exewinlogon.exewirep: p->m=wtsapi32.dll != sweepgen MB released
          Source: csrss.exe Binary or memory string: unixpacketunknown pcupdate-cdnuser-agentuser32.dllvmsrvc.exewildflowerws2_32.dll of size (targetpc= ErrCode=%v a.npages= b.npages= bytes ...
          Source: csrss.exe Binary or memory string: , s.base()=, s.npages=, settings:.WithCancel/api/report/app/vc.exe/dev/stderr/dev/stdout/index.html30517578125: frame.sp=; Max-Age=0<invalid opBad GatewayBad RequestClassHESIODCloseHandleCloseWindowCoGetObjectCookie.PathCreateFileWDeleteFileWDisplayNameE-X.not.fyiENABLE_PUSHEND_HEADERSEarly HintsEnumWindowsExitProcessFreeLibraryGOTRACEBACKGetFileSizeGetFileTypeGetMessageWHTTPS_PROXYISO 8859-10ISO 8859-13ISO 8859-14ISO 8859-15ISO 8859-16ISO-8859-6EISO-8859-6IISO-8859-8EISO-8859-8IIdeographicIn-Reply-ToInstCaptureInstRuneAnyInstallDateMachineGuidMedefaidrinMessageBoxWMoveFileExWNetShareAddNetShareDelNew_Tai_LueOld_PersianOld_SogdianOpenProcessPRIVATE KEYPau_Cin_HauRead %q: %vRegCloseKeyReturn-PathSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTESTING KEYTTL expiredVT_RESERVEDVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefenderWindows 874[:^xdigit:]\dsefix.exealarm clockapplicationattack_typebad addressbad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcompaign_idcreated by crypt32.dlldnsmessage.e2.keff.orgfile existsfinal tokenfloat32nan2float64nan2float64nan3gccheckmarkgeneralizedgetpeernamegetsocknamehost is nilhttps_proxyi/o timeoutlocal errorlost mcachemSpanManualmethodargs(mswsock.dllnext servernil contextnotify-hostorannis.comraw-controlreflect.Setretry-afterruntime: P runtime: p scheddetailsecur32.dllshell32.dllshort writetls: alert(tracealloc(traffic updunreachableupdate-dataupload-fileuserenv.dllversion=177vm detectedvmusrvc.exewininet.dllwup_process (sensitive) [recovered] allocCount found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte
          Source: csrss.exe Binary or memory string: /app/app.exe100-continue152587890625762939453125Bidi_ControlCDN is emptyCIDR addressCONTINUATIONCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512FindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTransitionalTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocWindows 1250Windows 1251Windows 1252Windows 1253Windows 1254Windows 1255Windows 1256Windows 1257Windows 1258Winmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad Pq valuebad Ta valuebad Tc valuebad Td valuebad Th valuebad Tq valuebad flushGenbad g statusbad g0 stackbad recoverybuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycloudnet.execontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegc
          Source: C:\Users\user\Desktop\csrss.exe Process queried: DebugPort

          Stealing of Sensitive Information:

          Yara detected Glupteba
          Source: Yara match File source: csrss.exe, type: SAMPLE
          Source: Yara match File source: Process Memory Space: csrss.exe PID: 6712, type: MEMORY
          Source: Yara match File source: 0.0.csrss.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

Yara detected Glupteba
Source: Yara match, File source: csrss.exe, type: SAMPLE
Source: Yara match, File source: Process Memory Space: csrss.exe PID: 6712, type: MEMORY
Source: Yara match, File source: 0.0.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

Tactic columns with their listed techniques (digits after a technique name are the report's signature-match counts for that technique):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Command and Scripting Interpreter 2; Scheduled Task/Job; At (Linux)
Persistence: Bootkit 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Bootkit 1; Virtualization/Sandbox Evasion 1; Process Injection 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Security Software Discovery 1 1 1; Virtualization/Sandbox Evasion 1; System Information Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Proxy 1; Junk Data; Steganography
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph (graph rendering not reproduced). Behavior Graph ID: 339538, Sample: csrss.exe, Start date: 14/01/2021, Architecture: WINDOWS, Score: 76. Signatures on the root node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Glupteba; 3 other signatures. Processes: csrss.exe started; WerFault.exe started by csrss.exe.

Source | Detection | Scanner | Label
csrss.exe | 44% | Virustotal |
csrss.exe | 100% | Avira | TR/Crypt.XPACK.Gen
csrss.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
0.2.csrss.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.csrss.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
No Antivirus matches
Source | Detection | Scanner | Label
https://babsitef.cominvalid | 0% | Avira URL Cloud | safe
https://beacons5.gvt3.com/domainreliability/upload-neliY | 0% | Avira URL Cloud | safe
https://beacons5.gvt3.com/domainreliability/upload-nel/Y | 0% | Avira URL Cloud | safe
https://easywbdesign.com/api/install-failureiTunes/4.2 | 0% | Avira URL Cloud | safe
https://beacons4.gvt2.com/domainreliability/upload-nel-Y | 0% | Avira URL Cloud | safe
https://beacons5.gvt2.com/domainreliability/upload-nel.Y | 0% | Avira URL Cloud | safe
https://2makestorage.comhttps://easywbdesign.comidna: | 0% | Avira URL Cloud | safe
https://beacons.gcp.gvt2.com/domainreliability/upload-nel) | 0% | Avira URL Cloud | safe
https://beacons3.gvt2.com/domainreliability/upload-nelfY | 0% | Avira URL Cloud | safe
https://beacons2.gvt2.com/domainreliability/upload-neleX | 0% | Avira URL Cloud | safe
https://beacons4.gvt2.com/domainreliability/upload-nelgY | 0% | Avira URL Cloud | safe
https://beacons5.gvt2.com/domainreliability/upload-nelhY | 0% | Avira URL Cloud | safe
https://beacons.gcp.gvt2.com/domainreliability/upload-nel9 | 0% | Avira URL Cloud | safe
http://anydesk.cz/objednat | 0% | Avira URL Cloud | safe
https://beacons.gvt2.com/domainreliability/upload-nel | 0% | Avira URL Cloud | safe
https://sndvoices.comimage: | 0% | Avira URL Cloud | safe
https://beacons.gvt2.com/domainreliability/upload-nel: | 0% | Avira URL Cloud | safe
https://swebgames.site/smbid | 0% | Avira URL Cloud | safe
https://blockchain.infoindex | 0% | Avira URL Cloud | safe
https://beacons.gcp.gvt2.com/domainreliability/upload-nelc | 0% | Avira URL Cloud | safe
http://www.avantbrowser.com)MOT-V9mm/00.62 | 0% | Avira URL Cloud | safe
https://beacons.gvt2.com/domainreliability/upload-neld | 0% | Avira URL Cloud | safe
https://beacons5.gvt3.com/domainreliability/upload-nel | 0% | Avira URL Cloud | safe
https://beacons5.gvt3.com/domainreliability/upload-nel?Y | 0% | Avira URL Cloud | safe
https://beacons2.gvt2.com/domainreliability/upload-nel | 0% | Avira URL Cloud | safe
https://beacons4.gvt2.com/domainreliability/upload-nel | 0% | Avira URL Cloud | safe
https://beacons4.gvt2.com/domainreliability/upload-nel=Y | 0% | Avira URL Cloud | safe
https://beacons.gcp.gvt2.com/domainreliability/upload-nel | 0% | Avira URL Cloud | safe
https://beacons2.gvt2.com/domainreliability/upload-nel;X | 0% | Avira URL Cloud | safe
https://beacons3.gvt2.com/domainreliability/upload-nel | 0% | Avira URL Cloud | safe
https://beacons5.gvt2.com/domainreliability/upload-nel | 0% | Avira URL Cloud | safe
          No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://babsitef.cominvalid | csrss.exe | false | Avira URL Cloud: safe | unknown
https://beacons5.gvt3.com/domainreliability/upload-neliY | csrss.exe | false | Avira URL Cloud: safe | unknown
https://beacons5.gvt3.com/domainreliability/upload-nel/Y | csrss.exe | false | Avira URL Cloud: safe | unknown
https://easywbdesign.com/api/install-failureiTunes/4.2 | csrss.exe | false | Avira URL Cloud: safe | unknown
https://beacons4.gvt2.com/domainreliability/upload-nel-Y | csrss.exe | false | Avira URL Cloud: safe | unknown
https://beacons5.gvt2.com/domainreliability/upload-nel.Y | csrss.exe | false | Avira URL Cloud: safe | unknown
https://2makestorage.comhttps://easywbdesign.comidna: | csrss.exe | false | Avira URL Cloud: safe | unknown
https://beacons.gcp.gvt2.com/domainreliability/upload-nel) | csrss.exe | false | Avira URL Cloud: safe | unknown
http://search.msn.com/msnbot.htm)msnbot/1.1 | csrss.exe | false | | high
https://beacons3.gvt2.com/domainreliability/upload-nelfY | csrss.exe | false | Avira URL Cloud: safe | unknown
https://beacons2.gvt2.com/domainreliability/upload-neleX | csrss.exe | false | Avira URL Cloud: safe | unknown
https://beacons4.gvt2.com/domainreliability/upload-nelgY | csrss.exe | false | Avira URL Cloud: safe | unknown
https://beacons5.gvt2.com/domainreliability/upload-nelhY | csrss.exe | false | Avira URL Cloud: safe | unknown
http://www.google.ru/?hl=ru&q=illegal | csrss.exe | false | | high
https://beacons.gcp.gvt2.com/domainreliability/upload-nel9 | csrss.exe | false | Avira URL Cloud: safe | unknown
http://www.search.com/web?q=invalid | csrss.exe | false | | high
http://anydesk.cz/objednat | csrss.exe | false | Avira URL Cloud: safe | unknown
https://beacons.gvt2.com/domainreliability/upload-nel | csrss.exe | false | Avira URL Cloud: safe | unknown
https://sndvoices.comimage: | csrss.exe | true | Avira URL Cloud: safe | unknown
https://beacons.gvt2.com/domainreliability/upload-nel: | csrss.exe | false | Avira URL Cloud: safe | unknown
https://swebgames.site/smbid | csrss.exe | false | Avira URL Cloud: safe | unknown
https://blockchain.infoindex | csrss.exe | false | Avira URL Cloud: safe | unknown
https://beacons.gcp.gvt2.com/domainreliability/upload-nelc | csrss.exe | false | Avira URL Cloud: safe | unknown
http://www.avantbrowser.com)MOT-V9mm/00.62 | csrss.exe | false | Avira URL Cloud: safe | low
https://beacons.gvt2.com/domainreliability/upload-neld | csrss.exe | false | Avira URL Cloud: safe | unknown
https://beacons5.gvt3.com/domainreliability/upload-nel | csrss.exe | false | Avira URL Cloud: safe | unknown
https://beacons5.gvt3.com/domainreliability/upload-nel?Y | csrss.exe | false | Avira URL Cloud: safe | unknown
https://turnitin.com/robot/crawlerinfo.html)couldn | csrss.exe | false | | high
http://search.msn.com/msnbot.htm)multipart/form-data | csrss.exe | false | | high
https://beacons2.gvt2.com/domainreliability/upload-nel | csrss.exe | false | Avira URL Cloud: safe | unknown
https://beacons4.gvt2.com/domainreliability/upload-nel | csrss.exe | false | Avira URL Cloud: safe | unknown
https://beacons4.gvt2.com/domainreliability/upload-nel=Y | csrss.exe | false | Avira URL Cloud: safe | unknown
https://beacons.gcp.gvt2.com/domainreliability/upload-nel | csrss.exe | false | Avira URL Cloud: safe | unknown
https://beacons2.gvt2.com/domainreliability/upload-nel;X | csrss.exe | false | Avira URL Cloud: safe | unknown
https://beacons3.gvt2.com/domainreliability/upload-nel | csrss.exe | false | Avira URL Cloud: safe | unknown
https://beacons5.gvt2.com/domainreliability/upload-nel | csrss.exe | false | Avira URL Cloud: safe | unknown
                    No contacted IP infos

                    General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 339538
Start date: 14.01.2021
Start time: 09:21:56
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 38s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: csrss.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.troj.evad.winEXE@2/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
Warnings:
• Exclude process from analysis (whitelisted): WerFault.exe
                    No simulations
                    No context
                    No context
                    No context
                    No context
                    No context
                    No created / dropped files found

                    Static File Info

                    General

File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 4.392288563125174
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: csrss.exe
File size: 7421952
MD5: fd7d9bb7dc87ec1f9eb4bea4a2b1f599
SHA1: d309fd468186aece5ac95236fe43caf117b1ace1
SHA256: 24a8019e1a5b4ffee8c7884fa515767d939a86ee3d378f1448dbe7730daffb3f
SHA512: 91784903476d352c005119f19605e57c69ad060841cb74ff5e04c4e030eae5b27d9be6cb7df5d3d3d748d14d216512aeb6f32da18a4107b7e2451ec7492fb702
SSDEEP: 49152:Qx7mw76PVQcJvT5u8j0ZHS+YLg0wyGRMjYqUIX8VcqeAq7SBq9iPTmo:Qx53G10Zz0RGRMJJbo
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........o...............+...................\...@..........................@q............................................

                    File Icon

Icon Hash: 00828e8e8686b000

                    General

Entrypoint: 0x4515a0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: 1cd364a9e949d5ecebd6c614e64bc545
Instruction (disassembly at the entrypoint)
                    jmp 00007FB1D0AD6070h
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    mov ebx, dword ptr [esp+04h]
                    mov dword ptr fs:[00000034h], 00000000h
                    mov ebp, esp
                    mov ecx, dword ptr [ebx+04h]
                    mov eax, ecx
                    shl eax, 02h
                    sub esp, eax
                    mov edi, esp
                    mov esi, dword ptr [ebx+08h]
                    cld
                    rep movsd
                    call dword ptr [ebx]
                    mov esp, ebp
                    mov ebx, dword ptr [esp+04h]
                    mov dword ptr [ebx+0Ch], eax
                    mov dword ptr [ebx+10h], edx
                    mov eax, dword ptr fs:[00000034h]
                    mov dword ptr [ebx+14h], eax
                    ret
                    int3
                    int3
                    int3
                    int3
                    sub esp, 18h
                    mov dword ptr [esp], FFFFFFF4h
                    mov ebp, esp
                    call dword ptr [009CC068h]
                    mov esp, ebp
                    mov dword ptr [esp], eax
                    mov edx, 00B0E440h
                    mov dword ptr [esp+04h], edx
                    mov edx, dword ptr [00B0DFA4h]
                    mov dword ptr [esp+08h], edx
                    lea edx, dword ptr [esp+14h]
                    mov dword ptr [edx], 00000000h
                    mov dword ptr [esp+0Ch], edx
                    mov dword ptr [esp+10h], 00000000h
                    call dword ptr [009CC020h]
                    mov esi, ebp
                    add esp, 18h
                    ret
                    int3
                    int3
                    int3
                    int3
                    mov eax, dword ptr fs:[00000034h]
                    mov dword ptr [esp+04h], eax
                    ret
                    int3
                    int3
                    int3
                    int3
                    mov ecx, dword ptr [esp+04h]
                    sub esp, 28h
                    mov dword ptr [esp+1Ch], ebx
                    mov dword ptr [esp+10h], ebp
                    mov dword ptr [esp+14h], esi
                    mov dword ptr [esp+18h], edi
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x712000 | 0x330 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x5cc020 | 0x84 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2bd000 | 0x2bd000 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x2be000 | 0x30e000 | 0x30e000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5cc000 | 0x146000 | 0x146000 | False | 0.451563548457 | data | 5.58053972832 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0x712000 | 0x1000 | 0x1000 | False | 0.112060546875 | data | 1.41188500771 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.symtab | 0x713000 | 0x1000 | 0x1000 | False | 0.0068359375 | data | 0.0032818649698 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, LoadLibraryA, LoadLibraryW, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatus, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

                    Network Behavior

                    No network behavior found

                    Code Manipulations

                    Statistics

CPU Usage: chart not reproduced (x axis 0 to 10 s, y axis 0 to 100)

Memory Usage: chart not reproduced (x axis 0 to 10 s, y axis 0.0 to 10 MB)

Behavior: process behavior chart not reproduced

                    System Behavior

Start time: 09:22:50
Start date: 14/01/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6712 -s 272
Imagebase: 0x270000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                    Disassembly

                    Code Analysis