ScreenShot
| Created | 2024.07.02 07:51 | Machine | s1_win7_x6403 |
| Filename | csrss.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | |||
| md5 | a273d142217177ab8013d6ebeafbc22f | ||
| sha256 | 3cb485a769f6e92536f586f2873bd6a4d8fb5b106773ac0a16a534ef351c0bf1 | ||
| ssdeep | 49152:zF50a6aPVOFMx3SmroCZscivbS6mqxEWoKmqZJffp3vSsqPUYeaw1GxNOmUTREvS:nroA7PFdUC | ||
| imphash | 97f00b2383bd4369e5094078fdccae7a | ||
| impfuzzy | 96:eUadwKrVXbLC9uyAXWSXt7uiWYAFSCPjXxm9xcXAX1dH8XZQvyqOLyDQOAo:e1prVLLd9vX0ilArwFdcpSLQOAo | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Antivirus | Contains references to security software | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x140198000 AdjustTokenPrivileges
0x140198008 CreateWellKnownSid
0x140198010 DeregisterEventSource
0x140198018 DuplicateTokenEx
0x140198020 GetSecurityDescriptorLength
0x140198028 GetTokenInformation
0x140198030 GetWindowsAccountDomainSid
0x140198038 LookupPrivilegeValueW
0x140198040 OpenProcessToken
0x140198048 OpenThreadToken
0x140198050 RegCloseKey
0x140198058 RegCreateKeyExW
0x140198060 RegDeleteKeyExW
0x140198068 RegDeleteTreeW
0x140198070 RegDeleteValueW
0x140198078 RegEnumKeyExW
0x140198080 RegEnumValueW
0x140198088 RegFlushKey
0x140198090 RegOpenKeyExW
0x140198098 RegQueryInfoKeyW
0x1401980a0 RegQueryValueExW
0x1401980a8 RegSetValueExA
0x1401980b0 RegSetValueExW
0x1401980b8 RegisterEventSourceW
0x1401980c0 ReportEventW
0x1401980c8 RevertToSelf
0x1401980d0 SetThreadToken
crypt.dll
0x140198790 BCryptDestroyKey
0x140198798 BCryptEncrypt
0x1401987a0 BCryptGenRandom
0x1401987a8 BCryptOpenAlgorithmProvider
0x1401987b0 BCryptSetProperty
0x1401987b8 BCryptDecrypt
0x1401987c0 BCryptCloseAlgorithmProvider
0x1401987c8 BCryptImportKey
KERNEL32.dll
0x1401980e0 TlsFree
0x1401980e8 TlsSetValue
0x1401980f0 TlsGetValue
0x1401980f8 TlsAlloc
0x140198100 InitializeCriticalSectionAndSpinCount
0x140198108 EncodePointer
0x140198110 RaiseException
0x140198118 RtlPcToFileHeader
0x140198120 AllocConsole
0x140198128 CancelThreadpoolIo
0x140198130 CloseHandle
0x140198138 CloseThreadpoolIo
0x140198140 CompareStringEx
0x140198148 CompareStringOrdinal
0x140198150 CopyFileExW
0x140198158 CreateDirectoryW
0x140198160 CreateEventExW
0x140198168 CreateFileW
0x140198170 CreateProcessA
0x140198178 CreateSymbolicLinkW
0x140198180 CreateThreadpoolIo
0x140198188 DeleteCriticalSection
0x140198190 DeleteFileW
0x140198198 DeleteVolumeMountPointW
0x1401981a0 DeviceIoControl
0x1401981a8 DuplicateHandle
0x1401981b0 EnterCriticalSection
0x1401981b8 EnumCalendarInfoExEx
0x1401981c0 EnumTimeFormatsEx
0x1401981c8 ExitProcess
0x1401981d0 ExpandEnvironmentStringsW
0x1401981d8 FileTimeToSystemTime
0x1401981e0 FindClose
0x1401981e8 FindFirstFileExW
0x1401981f0 FindNLSStringEx
0x1401981f8 FindNextFileW
0x140198200 FindStringOrdinal
0x140198208 FlushFileBuffers
0x140198210 FormatMessageW
0x140198218 FreeConsole
0x140198220 FreeLibrary
0x140198228 GetCPInfo
0x140198230 GetCalendarInfoEx
0x140198238 GetConsoleOutputCP
0x140198240 GetConsoleWindow
0x140198248 GetCurrentProcess
0x140198250 GetCurrentProcessId
0x140198258 GetCurrentProcessorNumberEx
0x140198260 GetCurrentThread
0x140198268 GetDynamicTimeZoneInformation
0x140198270 GetEnvironmentVariableW
0x140198278 GetFileAttributesExW
0x140198280 GetFileInformationByHandle
0x140198288 GetFileInformationByHandleEx
0x140198290 GetFileType
0x140198298 GetFinalPathNameByHandleW
0x1401982a0 GetFullPathNameW
0x1401982a8 GetLastError
0x1401982b0 GetLocaleInfoEx
0x1401982b8 GetLogicalDrives
0x1401982c0 GetLongPathNameW
0x1401982c8 GetModuleFileNameW
0x1401982d0 GetModuleHandleA
0x1401982d8 GetOverlappedResult
0x1401982e0 GetProcAddress
0x1401982e8 GetStdHandle
0x1401982f0 GetSystemDirectoryW
0x1401982f8 GetSystemTime
0x140198300 GetThreadPriority
0x140198308 GetTickCount64
0x140198310 GetTimeZoneInformation
0x140198318 GetUserPreferredUILanguages
0x140198320 GetVolumeInformationW
0x140198328 InitializeConditionVariable
0x140198330 InitializeCriticalSection
0x140198338 IsDebuggerPresent
0x140198340 LCMapStringEx
0x140198348 LeaveCriticalSection
0x140198350 LoadLibraryExW
0x140198358 LocalAlloc
0x140198360 LocalFree
0x140198368 LocaleNameToLCID
0x140198370 MoveFileExW
0x140198378 MultiByteToWideChar
0x140198380 QueryPerformanceCounter
0x140198388 QueryPerformanceFrequency
0x140198390 RaiseFailFastException
0x140198398 ReadFile
0x1401983a0 RemoveDirectoryW
0x1401983a8 ReplaceFileW
0x1401983b0 ResetEvent
0x1401983b8 ResolveLocaleName
0x1401983c0 ResumeThread
0x1401983c8 SetEvent
0x1401983d0 SetFileAttributesW
0x1401983d8 SetFileInformationByHandle
0x1401983e0 SetLastError
0x1401983e8 SetThreadErrorMode
0x1401983f0 SetThreadPriority
0x1401983f8 Sleep
0x140198400 SleepConditionVariableCS
0x140198408 StartThreadpoolIo
0x140198410 SystemTimeToFileTime
0x140198418 TzSpecificLocalTimeToSystemTime
0x140198420 VirtualAlloc
0x140198428 VirtualFree
0x140198430 WaitForMultipleObjectsEx
0x140198438 WakeConditionVariable
0x140198440 WideCharToMultiByte
0x140198448 WriteFile
0x140198450 FlushProcessWriteBuffers
0x140198458 WaitForSingleObjectEx
0x140198460 RtlVirtualUnwind
0x140198468 RtlCaptureContext
0x140198470 RtlRestoreContext
0x140198478 VerSetConditionMask
0x140198480 AddVectoredExceptionHandler
0x140198488 FlsAlloc
0x140198490 FlsGetValue
0x140198498 FlsSetValue
0x1401984a0 CreateEventW
0x1401984a8 SwitchToThread
0x1401984b0 CreateThread
0x1401984b8 GetCurrentThreadId
0x1401984c0 SuspendThread
0x1401984c8 GetThreadContext
0x1401984d0 SetThreadContext
0x1401984d8 QueryInformationJobObject
0x1401984e0 GetModuleHandleW
0x1401984e8 GetModuleHandleExW
0x1401984f0 GetProcessAffinityMask
0x1401984f8 VerifyVersionInfoW
0x140198500 InitializeContext
0x140198508 GetEnabledXStateFeatures
0x140198510 SetXStateFeaturesMask
0x140198518 VirtualQuery
0x140198520 GetSystemTimeAsFileTime
0x140198528 InitializeCriticalSectionEx
0x140198530 DebugBreak
0x140198538 WaitForSingleObject
0x140198540 SleepEx
0x140198548 GlobalMemoryStatusEx
0x140198550 GetSystemInfo
0x140198558 GetLogicalProcessorInformation
0x140198560 GetLogicalProcessorInformationEx
0x140198568 GetLargePageMinimum
0x140198570 VirtualUnlock
0x140198578 VirtualAllocExNuma
0x140198580 IsProcessInJob
0x140198588 GetNumaHighestNodeNumber
0x140198590 GetProcessGroupAffinity
0x140198598 K32GetProcessMemoryInfo
0x1401985a0 RtlUnwindEx
0x1401985a8 InitializeSListHead
0x1401985b0 IsProcessorFeaturePresent
0x1401985b8 TerminateProcess
0x1401985c0 SetUnhandledExceptionFilter
0x1401985c8 UnhandledExceptionFilter
0x1401985d0 RtlLookupFunctionEntry
ole32.dll
0x1401987d8 CoTaskMemAlloc
0x1401987e0 CoTaskMemFree
0x1401987e8 CoUninitialize
0x1401987f0 CoWaitForMultipleHandles
0x1401987f8 CoInitializeEx
0x140198800 CoCreateGuid
0x140198808 CoGetApartmentType
USER32.dll
0x1401985e0 LoadStringW
api-ms-win-crt-math-l1-1-0.dll
0x140198640 __setusermatherr
0x140198648 floor
0x140198650 pow
0x140198658 modf
0x140198660 sin
0x140198668 cos
0x140198670 ceil
0x140198678 tan
api-ms-win-crt-heap-l1-1-0.dll
0x140198600 free
0x140198608 calloc
0x140198610 _set_new_mode
0x140198618 malloc
0x140198620 _callnewh
api-ms-win-crt-string-l1-1-0.dll
0x140198760 strncpy_s
0x140198768 strcpy_s
0x140198770 _stricmp
0x140198778 wcsncmp
0x140198780 strcmp
api-ms-win-crt-convert-l1-1-0.dll
0x1401985f0 strtoull
api-ms-win-crt-runtime-l1-1-0.dll
0x140198688 _register_thread_local_exe_atexit_callback
0x140198690 _c_exit
0x140198698 _cexit
0x1401986a0 __p___wargv
0x1401986a8 __p___argc
0x1401986b0 _exit
0x1401986b8 exit
0x1401986c0 _initterm_e
0x1401986c8 terminate
0x1401986d0 _crt_atexit
0x1401986d8 _initterm
0x1401986e0 _register_onexit_function
0x1401986e8 _get_initial_wide_environment
0x1401986f0 abort
0x1401986f8 _initialize_onexit_table
0x140198700 _initialize_wide_environment
0x140198708 _configure_wide_argv
0x140198710 _seh_filter_exe
0x140198718 _set_app_type
api-ms-win-crt-stdio-l1-1-0.dll
0x140198728 __stdio_common_vsscanf
0x140198730 __p__commode
0x140198738 __acrt_iob_func
0x140198740 __stdio_common_vfprintf
0x140198748 __stdio_common_vsprintf_s
0x140198750 _set_fmode
api-ms-win-crt-locale-l1-1-0.dll
0x140198630 _configthreadlocale
EAT(Export Address Table) Library
0x140241d50 DotNetRuntimeDebugHeader
ADVAPI32.dll
0x140198000 AdjustTokenPrivileges
0x140198008 CreateWellKnownSid
0x140198010 DeregisterEventSource
0x140198018 DuplicateTokenEx
0x140198020 GetSecurityDescriptorLength
0x140198028 GetTokenInformation
0x140198030 GetWindowsAccountDomainSid
0x140198038 LookupPrivilegeValueW
0x140198040 OpenProcessToken
0x140198048 OpenThreadToken
0x140198050 RegCloseKey
0x140198058 RegCreateKeyExW
0x140198060 RegDeleteKeyExW
0x140198068 RegDeleteTreeW
0x140198070 RegDeleteValueW
0x140198078 RegEnumKeyExW
0x140198080 RegEnumValueW
0x140198088 RegFlushKey
0x140198090 RegOpenKeyExW
0x140198098 RegQueryInfoKeyW
0x1401980a0 RegQueryValueExW
0x1401980a8 RegSetValueExA
0x1401980b0 RegSetValueExW
0x1401980b8 RegisterEventSourceW
0x1401980c0 ReportEventW
0x1401980c8 RevertToSelf
0x1401980d0 SetThreadToken
crypt.dll
0x140198790 BCryptDestroyKey
0x140198798 BCryptEncrypt
0x1401987a0 BCryptGenRandom
0x1401987a8 BCryptOpenAlgorithmProvider
0x1401987b0 BCryptSetProperty
0x1401987b8 BCryptDecrypt
0x1401987c0 BCryptCloseAlgorithmProvider
0x1401987c8 BCryptImportKey
KERNEL32.dll
0x1401980e0 TlsFree
0x1401980e8 TlsSetValue
0x1401980f0 TlsGetValue
0x1401980f8 TlsAlloc
0x140198100 InitializeCriticalSectionAndSpinCount
0x140198108 EncodePointer
0x140198110 RaiseException
0x140198118 RtlPcToFileHeader
0x140198120 AllocConsole
0x140198128 CancelThreadpoolIo
0x140198130 CloseHandle
0x140198138 CloseThreadpoolIo
0x140198140 CompareStringEx
0x140198148 CompareStringOrdinal
0x140198150 CopyFileExW
0x140198158 CreateDirectoryW
0x140198160 CreateEventExW
0x140198168 CreateFileW
0x140198170 CreateProcessA
0x140198178 CreateSymbolicLinkW
0x140198180 CreateThreadpoolIo
0x140198188 DeleteCriticalSection
0x140198190 DeleteFileW
0x140198198 DeleteVolumeMountPointW
0x1401981a0 DeviceIoControl
0x1401981a8 DuplicateHandle
0x1401981b0 EnterCriticalSection
0x1401981b8 EnumCalendarInfoExEx
0x1401981c0 EnumTimeFormatsEx
0x1401981c8 ExitProcess
0x1401981d0 ExpandEnvironmentStringsW
0x1401981d8 FileTimeToSystemTime
0x1401981e0 FindClose
0x1401981e8 FindFirstFileExW
0x1401981f0 FindNLSStringEx
0x1401981f8 FindNextFileW
0x140198200 FindStringOrdinal
0x140198208 FlushFileBuffers
0x140198210 FormatMessageW
0x140198218 FreeConsole
0x140198220 FreeLibrary
0x140198228 GetCPInfo
0x140198230 GetCalendarInfoEx
0x140198238 GetConsoleOutputCP
0x140198240 GetConsoleWindow
0x140198248 GetCurrentProcess
0x140198250 GetCurrentProcessId
0x140198258 GetCurrentProcessorNumberEx
0x140198260 GetCurrentThread
0x140198268 GetDynamicTimeZoneInformation
0x140198270 GetEnvironmentVariableW
0x140198278 GetFileAttributesExW
0x140198280 GetFileInformationByHandle
0x140198288 GetFileInformationByHandleEx
0x140198290 GetFileType
0x140198298 GetFinalPathNameByHandleW
0x1401982a0 GetFullPathNameW
0x1401982a8 GetLastError
0x1401982b0 GetLocaleInfoEx
0x1401982b8 GetLogicalDrives
0x1401982c0 GetLongPathNameW
0x1401982c8 GetModuleFileNameW
0x1401982d0 GetModuleHandleA
0x1401982d8 GetOverlappedResult
0x1401982e0 GetProcAddress
0x1401982e8 GetStdHandle
0x1401982f0 GetSystemDirectoryW
0x1401982f8 GetSystemTime
0x140198300 GetThreadPriority
0x140198308 GetTickCount64
0x140198310 GetTimeZoneInformation
0x140198318 GetUserPreferredUILanguages
0x140198320 GetVolumeInformationW
0x140198328 InitializeConditionVariable
0x140198330 InitializeCriticalSection
0x140198338 IsDebuggerPresent
0x140198340 LCMapStringEx
0x140198348 LeaveCriticalSection
0x140198350 LoadLibraryExW
0x140198358 LocalAlloc
0x140198360 LocalFree
0x140198368 LocaleNameToLCID
0x140198370 MoveFileExW
0x140198378 MultiByteToWideChar
0x140198380 QueryPerformanceCounter
0x140198388 QueryPerformanceFrequency
0x140198390 RaiseFailFastException
0x140198398 ReadFile
0x1401983a0 RemoveDirectoryW
0x1401983a8 ReplaceFileW
0x1401983b0 ResetEvent
0x1401983b8 ResolveLocaleName
0x1401983c0 ResumeThread
0x1401983c8 SetEvent
0x1401983d0 SetFileAttributesW
0x1401983d8 SetFileInformationByHandle
0x1401983e0 SetLastError
0x1401983e8 SetThreadErrorMode
0x1401983f0 SetThreadPriority
0x1401983f8 Sleep
0x140198400 SleepConditionVariableCS
0x140198408 StartThreadpoolIo
0x140198410 SystemTimeToFileTime
0x140198418 TzSpecificLocalTimeToSystemTime
0x140198420 VirtualAlloc
0x140198428 VirtualFree
0x140198430 WaitForMultipleObjectsEx
0x140198438 WakeConditionVariable
0x140198440 WideCharToMultiByte
0x140198448 WriteFile
0x140198450 FlushProcessWriteBuffers
0x140198458 WaitForSingleObjectEx
0x140198460 RtlVirtualUnwind
0x140198468 RtlCaptureContext
0x140198470 RtlRestoreContext
0x140198478 VerSetConditionMask
0x140198480 AddVectoredExceptionHandler
0x140198488 FlsAlloc
0x140198490 FlsGetValue
0x140198498 FlsSetValue
0x1401984a0 CreateEventW
0x1401984a8 SwitchToThread
0x1401984b0 CreateThread
0x1401984b8 GetCurrentThreadId
0x1401984c0 SuspendThread
0x1401984c8 GetThreadContext
0x1401984d0 SetThreadContext
0x1401984d8 QueryInformationJobObject
0x1401984e0 GetModuleHandleW
0x1401984e8 GetModuleHandleExW
0x1401984f0 GetProcessAffinityMask
0x1401984f8 VerifyVersionInfoW
0x140198500 InitializeContext
0x140198508 GetEnabledXStateFeatures
0x140198510 SetXStateFeaturesMask
0x140198518 VirtualQuery
0x140198520 GetSystemTimeAsFileTime
0x140198528 InitializeCriticalSectionEx
0x140198530 DebugBreak
0x140198538 WaitForSingleObject
0x140198540 SleepEx
0x140198548 GlobalMemoryStatusEx
0x140198550 GetSystemInfo
0x140198558 GetLogicalProcessorInformation
0x140198560 GetLogicalProcessorInformationEx
0x140198568 GetLargePageMinimum
0x140198570 VirtualUnlock
0x140198578 VirtualAllocExNuma
0x140198580 IsProcessInJob
0x140198588 GetNumaHighestNodeNumber
0x140198590 GetProcessGroupAffinity
0x140198598 K32GetProcessMemoryInfo
0x1401985a0 RtlUnwindEx
0x1401985a8 InitializeSListHead
0x1401985b0 IsProcessorFeaturePresent
0x1401985b8 TerminateProcess
0x1401985c0 SetUnhandledExceptionFilter
0x1401985c8 UnhandledExceptionFilter
0x1401985d0 RtlLookupFunctionEntry
ole32.dll
0x1401987d8 CoTaskMemAlloc
0x1401987e0 CoTaskMemFree
0x1401987e8 CoUninitialize
0x1401987f0 CoWaitForMultipleHandles
0x1401987f8 CoInitializeEx
0x140198800 CoCreateGuid
0x140198808 CoGetApartmentType
USER32.dll
0x1401985e0 LoadStringW
api-ms-win-crt-math-l1-1-0.dll
0x140198640 __setusermatherr
0x140198648 floor
0x140198650 pow
0x140198658 modf
0x140198660 sin
0x140198668 cos
0x140198670 ceil
0x140198678 tan
api-ms-win-crt-heap-l1-1-0.dll
0x140198600 free
0x140198608 calloc
0x140198610 _set_new_mode
0x140198618 malloc
0x140198620 _callnewh
api-ms-win-crt-string-l1-1-0.dll
0x140198760 strncpy_s
0x140198768 strcpy_s
0x140198770 _stricmp
0x140198778 wcsncmp
0x140198780 strcmp
api-ms-win-crt-convert-l1-1-0.dll
0x1401985f0 strtoull
api-ms-win-crt-runtime-l1-1-0.dll
0x140198688 _register_thread_local_exe_atexit_callback
0x140198690 _c_exit
0x140198698 _cexit
0x1401986a0 __p___wargv
0x1401986a8 __p___argc
0x1401986b0 _exit
0x1401986b8 exit
0x1401986c0 _initterm_e
0x1401986c8 terminate
0x1401986d0 _crt_atexit
0x1401986d8 _initterm
0x1401986e0 _register_onexit_function
0x1401986e8 _get_initial_wide_environment
0x1401986f0 abort
0x1401986f8 _initialize_onexit_table
0x140198700 _initialize_wide_environment
0x140198708 _configure_wide_argv
0x140198710 _seh_filter_exe
0x140198718 _set_app_type
api-ms-win-crt-stdio-l1-1-0.dll
0x140198728 __stdio_common_vsscanf
0x140198730 __p__commode
0x140198738 __acrt_iob_func
0x140198740 __stdio_common_vfprintf
0x140198748 __stdio_common_vsprintf_s
0x140198750 _set_fmode
api-ms-win-crt-locale-l1-1-0.dll
0x140198630 _configthreadlocale
EAT(Export Address Table) Library
0x140241d50 DotNetRuntimeDebugHeader