Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 20, 2024, 9:36 a.m.	Aug. 20, 2024, 9:38 a.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`bf038a5d89d10a8c54f9173ae6f1218d`
SHA256	`ffcfe6a6032cdcef4790afe356d82939369b5e49ba72719b3e592a4de7fd9890`
CRC32	`5E77CF27`
ssdeep	`24576:VqDEvCTbMWu7rQYlBQcBiT6rprG8agY86JDHZpZxXNGf8PA9kZKbv:VTvC/MTQYxsWR7agIJrZpfdGfsO`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

csrss.exe "C:\Users\test22\AppData\Local\Temp\csrss.exe"
2544
- csrss.exe "C:\Users\test22\AppData\Local\Temp\csrss.exe"
  2644
  - csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
    2696
    - csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
      2744
      - csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        2796
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        2840
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        2884
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        2952
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        2996
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        3040
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        604
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        2088
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        2100
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        2188
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        2248
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        2420
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        2504
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        2564
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        2604
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        2592
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        2792
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        2868
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        2944
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        3012
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        3060
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        828
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        1964
        
        csrss.exe "C:\Users\test22\AppData\Local\directory\csrss.exe"
        1812

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (28 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 9:36 a.m.			0	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 83 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2544 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00700000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73452000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2644 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01020000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2644 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736d2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2696 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2696 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73872000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2744 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2744 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2796 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73872000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2796 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2796 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2840 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2840 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2884 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2884 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73872000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2952 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02660000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2952 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73872000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2996 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c70000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2996 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 3040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 3040 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cb0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 3040 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73802000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 604 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00850000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 604 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73872000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2088 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00700000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2088 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73872000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2100 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2100 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73872000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2188 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00de0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2188 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73872000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2248 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2248 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73872000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2420 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01060000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2420 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73872000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2504 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01060000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 20, 2024, 9:36 a.m.	process_identifier: 2504 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.vbs
file	C:\Users\test22\AppData\Local\directory\csrss.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\directory\csrss.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\directory\csrss.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0007a200', u'virtual_address': u'0x000d4000', u'entropy': 7.931967544680059, u'name': u'.rsrc', u'virtual_size': u'0x0007a1d4'}

entropy

7.93196754468

description

A section with a high entropy has been found

entropy

0.362927191679

description

Overall entropy of this PE file is high

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.vbs

Created a process named as a common system process (28 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 2648 thread_handle: 0x00000144 process_identifier: 2644 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\csrss.exe" filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000140	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 2700 thread_handle: 0x00000140 process_identifier: 2696 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 2748 thread_handle: 0x00000140 process_identifier: 2744 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 2800 thread_handle: 0x00000140 process_identifier: 2796 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 2844 thread_handle: 0x00000140 process_identifier: 2840 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 2888 thread_handle: 0x00000140 process_identifier: 2884 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 2956 thread_handle: 0x00000140 process_identifier: 2952 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 3000 thread_handle: 0x00000140 process_identifier: 2996 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 3044 thread_handle: 0x00000140 process_identifier: 3040 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 812 thread_handle: 0x00000140 process_identifier: 604 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 1384 thread_handle: 0x00000140 process_identifier: 2088 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 1484 thread_handle: 0x00000140 process_identifier: 2100 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 2192 thread_handle: 0x00000140 process_identifier: 2188 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 2244 thread_handle: 0x00000140 process_identifier: 2248 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 2416 thread_handle: 0x00000140 process_identifier: 2420 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 2492 thread_handle: 0x00000140 process_identifier: 2504 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 2560 thread_handle: 0x00000140 process_identifier: 2564 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 2596 thread_handle: 0x00000140 process_identifier: 2604 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 2712 thread_handle: 0x00000140 process_identifier: 2592 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 2812 thread_handle: 0x00000140 process_identifier: 2792 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 2836 thread_handle: 0x00000140 process_identifier: 2868 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 2936 thread_handle: 0x00000140 process_identifier: 2944 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 3008 thread_handle: 0x00000140 process_identifier: 3012 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 3052 thread_handle: 0x00000140 process_identifier: 3060 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 1656 thread_handle: 0x00000140 process_identifier: 828 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 1152 thread_handle: 0x00000140 process_identifier: 1964 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 1808 thread_handle: 0x00000140 process_identifier: 1812 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Aug. 20, 2024, 9:36 a.m.	thread_identifier: 2180 thread_handle: 0x00000140 process_identifier: 2172 current_directory: filepath: C:\Users\test22\AppData\Local\directory\csrss.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\directory\csrss.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Lionic	Trojan.Win64.Injects.ts93
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.TrojanAitInject.tc
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
VirIT	Trojan.Win32.AutoIt_Heur.A
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Injector.Autoit.GGI
McAfee	Artemis!BF038A5D89D1
Avast	FileRepMalware [Rat]
Kaspersky	UDS:DangerousObject.Multi.Generic
Rising	Trojan.Injector/Autoit!1.100B4 (CLASSIC)
DrWeb	Trojan.Inject5.2632
McAfeeD	Real Protect-LS!BF038A5D89D1
FireEye	Generic.mg.bf038a5d89d10a8c
Sophos	Mal/Generic-S
Google	Detected
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Trojan.Win32.Remcos.tr
Microsoft	Trojan:Win32/Phonzy.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Win32.Backdoor.Remcos.TQULQQ
Varist	W32/AutoIt.ZL.gen!Eldorado
DeepInstinct	MALICIOUS
VBA32	Trojan-Downloader.Autoit.gen
Malwarebytes	Trojan.Injector.AutoIt
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	AutoIt/Injector.AAE!tr
AVG	FileRepMalware [Rat]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_100% (W)

csrss.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All