Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 29, 2025, 10:24 a.m.	April 29, 2025, 10:38 a.m.

Size	400.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b2a7f546295db73e03a857810f9334dc`
SHA256	`5e783f136301a88a436b279a406650225df0f1ad54cb7cc92c7fee518daa6ec3`
CRC32	`7BB5162B`
ssdeep	`12288:RrC/RYEqX9wCLQXgdPLpAgXRQh8I3gG4:RcK9X7BkgX6hgG`
Yara	PE_Header_Zero - PE File Signature CoinMiner_IN - CoinMiner IsPE32 - (no description) UPX_Zero - UPX packed file

csr.bin "C:\Users\test22\AppData\Local\Temp\csr.bin"
2556

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	CODE
section	DATA

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TEXTINCLUDE

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 29, 2025, 10:24 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (50 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000fdb28

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000fdb28

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000fdb28

size

0x00000151

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ff7b8

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ff7b8

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ff7b8

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ff7b8

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100190

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100190

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100190

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100190

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100190

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100190

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100190

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100190

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100190

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100190

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100190

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100190

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100190

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100190

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ff158

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ff158

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000feca0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000feca0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000feca0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000feca0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000feca0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000feca0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000feca0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000feca0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000feca0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000feca0

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100ba8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100ba8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100ba8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100ba8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100ba8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100ba8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100ba8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100ba8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100ba8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100ba8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00100ba8

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

PGP\011Secret Sub-key -

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ff870

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

PGP\011Secret Sub-key -

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ff870

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

PGP\011Secret Sub-key -

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ff870

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0011b1d8

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0011b1d8

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0011b1d8

size

0x00000014

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\25261765\TemporaryFile\TemporaryFile

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (38 events)

Time & API	Arguments	Status	Return
Process32FirstW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: [System Process] process_identifier: 0	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: System process_identifier: 4	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: smss.exe process_identifier: 224	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: csrss.exe process_identifier: 304	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: wininit.exe process_identifier: 352	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: csrss.exe process_identifier: 360	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: services.exe process_identifier: 444	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: lsass.exe process_identifier: 460	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: lsm.exe process_identifier: 468	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: svchost.exe process_identifier: 572	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: svchost.exe process_identifier: 652	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: svchost.exe process_identifier: 724	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: svchost.exe process_identifier: 784	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: svchost.exe process_identifier: 832	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: svchost.exe process_identifier: 992	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: explorer.exe process_identifier: 1452	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: pw.exe process_identifier: 988	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: SearchIndexer.exe process_identifier: 1160	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: SearchProtocolHost.exe process_identifier: 936	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: SearchFilterHost.exe process_identifier: 2000	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: mobsync.exe process_identifier: 2280	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: pw.exe process_identifier: 2324	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: wsqmcons.exe process_identifier: 2348	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: taskhost.exe process_identifier: 2380	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: sdclt.exe process_identifier: 2388	1	1
Process32NextW April 29, 2025, 10:24 a.m.	snapshot_handle: 0x00000154 process_name: csr.bin process_identifier: 2556	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00057600', u'virtual_address': u'0x000b7000', u'entropy': 7.925992429736249, u'name': u'DATA', u'virtual_size': u'0x00058000'}

entropy

7.92599242974

description

A section with a high entropy has been found

entropy

0.874843554443

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 29, 2025, 10:24 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\systeamst

reg_value

C:\Users\test22\AppData\Local\Temp\csr.bin

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Multi.Generic.mE1c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Ghanarava.17444789249334dc
Skyhigh	BehavesLike.Win32.Generic.gc
ALYac	Gen:Variant.Barys.59148
Cylance	Unsafe
VIPRE	Gen:Variant.Barys.59148
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_70% (W)
BitDefender	Gen:Variant.Barys.59148
K7GW	Trojan ( 005246d51 )
K7AntiVirus	Trojan ( 005246d51 )
Arcabit	Trojan.Barys.DE70C
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/FlyStudio.ORN
APEX	Malicious
Avast	MalwareX-gen [Misc]
ClamAV	Win.Malware.Babar-10034117-0
Kaspersky	HEUR:Trojan-Downloader.Win32.Agent.gen
Alibaba	TrojanDownloader:Win32/FlyStudio.09f20e8e
NANO-Antivirus	Trojan.Win32.BlackHole.hqumcr
MicroWorld-eScan	Gen:Variant.Barys.59148
Rising	Trojan.Occamy!8.F1CD (TFE:5:lbQiteBw5lK)
Emsisoft	Gen:Variant.Barys.59148 (B)
F-Secure	Trojan.TR/ATRAPS.Gen
DrWeb	Trojan.Siggen31.11387
McAfeeD	Real Protect-LS!B2A7F546295D
Trapmine	malicious.high.ml.score
CTX	exe.trojan.flystudio
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Google	Detected
Avira	TR/ATRAPS.Gen
Antiy-AVL	Trojan[Packed]/Win32.FlyStudio
Gridinsoft	Trojan.Win32.Agent.sa
Xcitium	TrojWare.Win32.TrojanSpy.Banker.OV@6e1pyh
Microsoft	Trojan:Win32/Wacatac.B!ml
ViRobot	Trojan.Win.Z.Barys.410112
GData	Gen:Variant.Barys.59148
Varist	W32/S-776111c5!Eldorado
McAfee	Artemis!B2A7F546295D
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Wacatac
Malwarebytes	MachineLearning/Anomalous.100%
Ikarus	PUA.BlackMoon
TrendMicro-HouseCall	TROJ_GEN.R002H09DC25
Tencent	Win32.Trojan-Downloader.Agent.Jajl
Yandex	Trojan.GenAsa!zBP+1MxmcWM

csr.bin

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All