Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 1, 2025, 9:59 a.m.	May 1, 2025, 10:02 a.m.

Size	426.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`dc32ba80887418ea09295359cd843c2c`
SHA256	`7eadc82b0f376e2164df3361720fa159033fa724c2ce9ed47a051be9dcad2fbb`
CRC32	`F7D5F939`
ssdeep	`12288:I3sHTtT5wQo89cXyTIuz3TWwS0tcTGBNrw8M:IO5I89iawwSneNr2`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

budiao.exe "C:\Users\test22\AppData\Local\Temp\budiao.exe"
2548
- csrss2.exe C:\Users\test22\AppData\Local\Temp\csrss2.exe
  2600

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.nsp0
section	.nsp1
section	.nsp2

The executable uses a known packer (1 event)

packer

NsPack 2.9 -> North Star

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TEXTINCLUDE

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 1, 2025, 9:59 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 1, 2025, 9:59 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 1, 2025, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (50 out of 51 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019b61c

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019b61c

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019b61c

size

0x00000151

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019bb0c

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019bb0c

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019bb0c

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019bb0c

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019d214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019d214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019d214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019d214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019d214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019d214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019d214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019d214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019d214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019d214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019d214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019d214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019d214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019d214

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019d364

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019d364

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e5ac

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e5ac

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e5ac

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e5ac

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e5ac

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e5ac

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e5ac

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e5ac

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e5ac

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019e5ac

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019eff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019eff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019eff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019eff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019eff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019eff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019eff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019eff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019eff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019eff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019eff4

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019f040

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019f040

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019f040

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019f078

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019f078

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019f078

size

0x00000014

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\csrss2.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\25261218\TemporaryFile\TemporaryFile

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)

Time & API	Arguments	Status	Return
Process32NextW May 1, 2025, 9:59 a.m.	snapshot_handle: 0x00000158 process_name: wsqmcons.exe process_identifier: 2356	1	1
Process32NextW May 1, 2025, 9:59 a.m.	snapshot_handle: 0x00000158 process_name: budiao.exe process_identifier: 2548	1	1
Process32NextW May 1, 2025, 9:59 a.m.	snapshot_handle: 0x00000158 process_name: csrss2.exe process_identifier: 2600	1	1
Process32NextW May 1, 2025, 9:59 a.m.	snapshot_handle: 0x00000158 process_name: conhost.exe process_identifier: 2652	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0006a488', u'virtual_address': u'0x001a0000', u'entropy': 7.978552583259067, u'name': u'.nsp1', u'virtual_size': u'0x0006b000'}

entropy

7.97855258326

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 1, 2025, 9:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Bjlog.lzuS
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
CAT-QuickHeal	TrojanDownloader.Upatre
Skyhigh	BehavesLike.Win32.Generic.gc
ALYac	Trojan.Generic.37922939
Cylance	Unsafe
VIPRE	Trojan.Generic.37922939
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (W)
BitDefender	Trojan.Generic.37922939
K7GW	Trojan ( 005257651 )
K7AntiVirus	Trojan ( 005257651 )
Arcabit	Trojan.Generic.D242A87B
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.FlyStudio.AA potentially unwanted
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
Kaspersky	HEUR:Trojan-Downloader.Win32.Upatre.gen
NANO-Antivirus	Trojan.Win32.Fsysna.knluax
MicroWorld-eScan	Trojan.Generic.37922939
Rising	Trojan.Fuerboos!8.EFC8 (TFE:5:IJSIEQzfFOS)
Emsisoft	Trojan.Generic.37922939 (B)
F-Secure	Heuristic.HEUR/AGEN.1359402
DrWeb	Trojan.PWS.Wsgame.55781
Zillya	Virus.Hupigon.Win32.5
TrendMicro	TROJ_GEN.R049C0RDM25
McAfeeD	Real Protect-LS!DC32BA808874
Trapmine	malicious.high.ml.score
CTX	exe.trojan.generic
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Jiangmin	Downloader.BindEx.ge
Webroot	W32.Malware.gen
Google	Detected
Avira	HEUR/AGEN.1359402
Antiy-AVL	Trojan[Backdoor]/Win32.Hupigon
Kingsoft	malware.kb.b.999
Gridinsoft	Malware.Win32.Gen.bot!se22135
Xcitium	Packed.Win32.MNSP.Gen@2697wr
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Trojan.Generic.37922939
Varist	W32/Downloader.AT.gen!Eldorado
McAfee	Artemis!DC32BA808874
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.4220819643
Ikarus	Trojan.Crypt
Panda	Trj/GdSda.A

budiao.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All