Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 22, 2021, 10:06 p.m.	Sept. 22, 2021, 10:25 p.m.

Size	2.1MB
Type	MS-DOS executable, MZ for MS-DOS
MD5	`31ce4f326c616ad189f2b03bdee1e20d`
SHA256	`cb2aff101fb0bdb70d2a113910feee36d63fb65fd9bcee5016b2338d318df67e`
CRC32	`FF9525DA`
ssdeep	`49152:zKP4T/U5f0IkgIedz0oZ34jhlOKCP5yhQmJNNAiXUn5TKPK6OvhMvC:84DUR53z4j7ODP5yDJ7Aikn5Tp6pvC`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

rsoft.exe "C:\Users\test22\AppData\Local\Temp\rsoft.exe"
620

Name	Response	Post-Analysis Lookup
telete.in	A 195.201.225.248	195.201.225.248

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.163.45.42	Active	Moloch
195.201.225.248	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49199 -> 195.201.225.248:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49199 195.201.225.248:443	C=US, O=Let's Encrypt, CN=R3	CN=telecut.in	be:a6:3d:e8:93:c3:13:0b:5f:1d:3a:f7:63:57:4c:39:0e:96:df:5e

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.MPRESS1
section	.MPRESS2

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Sept. 22, 2021, 10:06 p.m.	stacktrace: rsoft+0x427484 @ 0xfd7484 rsoft+0x427533 @ 0xfd7533 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1440644 registers.edi: 12865536 registers.eax: 1440644 registers.ebp: 1440724 registers.edx: 2130566132 registers.ebx: 1376299 registers.esi: 2000778283 registers.ecx: 4045012992	1
__exception__ Sept. 22, 2021, 10:06 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 e9 a0 fc ee ff exception.symbol: rsoft+0x4619f8 exception.instruction: in eax, dx exception.module: rsoft.exe exception.exception_code: 0xc0000096 exception.offset: 4594168 exception.address: 0x10119f8 registers.esp: 1440764 registers.edi: 5976543 registers.eax: 1750617430 registers.ebp: 12865536 registers.edx: 2130532438 registers.ebx: 0 registers.esi: 13 registers.ecx: 20	1
__exception__ Sept. 22, 2021, 10:06 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: rsoft+0x461a6c exception.instruction: in eax, dx exception.module: rsoft.exe exception.exception_code: 0xc0000096 exception.offset: 4594284 exception.address: 0x1011a6c registers.esp: 1440764 registers.edi: 5976543 registers.eax: 1447909480 registers.ebp: 12865536 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address				suspicious_request	POST http://185.163.45.42/
suspicious_features	GET method with no useragent header				suspicious_request	GET https://telete.in/uispolarkins2

Performs some HTTP requests (2 events)

request	POST http://185.163.45.42/
request	GET https://telete.in/uispolarkins2

Sends data using the HTTP POST Method (1 event)

request

POST http://185.163.45.42/

Allocates read-write-execute memory (usually to unpack itself) (16 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 22, 2021, 10:06 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7743f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:06 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:06 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 442368 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:06 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 106496 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c1d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:06 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c37000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:06 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c3d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:06 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c3e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:06 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c35000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:06 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c1d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:06 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c1d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:06 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c1d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:06 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c1d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:06 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c35000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:06 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 442368 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:06 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 106496 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c1d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:06 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c37000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rsoft.exe tried to sleep 210 seconds, actually delayed analysis time by 210 seconds

Foreign language identified in PE resource (50 out of 181 events)

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_CURSOR

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688870

size

0x00000134

name

RT_BITMAP

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688ba0

size

0x0003f4e8

name

RT_BITMAP

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688ba0

size

0x0003f4e8

name

RT_BITMAP

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688ba0

size

0x0003f4e8

name

RT_BITMAP

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x00688ba0

size

0x0003f4e8

name

RT_DIALOG

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x006c89f4

size

0x00000034

name

RT_DIALOG

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x006c89f4

size

0x00000034

name

RT_DIALOG

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x006c89f4

size

0x00000034

name

RT_DIALOG

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x006c89f4

size

0x00000034

name

RT_DIALOG

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x006c89f4

size

0x00000034

name

RT_DIALOG

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x006c89f4

size

0x00000034

name

RT_DIALOG

language

LANG_JAPANESE

filetype

empty

sublanguage

SUBLANG_DEFAULT

offset

0x006c89f4

size

0x00000034

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0020b000', u'virtual_address': u'0x00001000', u'entropy': 7.999921323862057, u'name': u'.MPRESS1', u'virtual_size': u'0x006d7000'}

entropy

7.99992132386

description

A section with a high entropy has been found

entropy

0.980318650422

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Communicates with host for which no DNS query was performed (1 event)

host

185.163.45.42

Checks for the presence of known windows from debuggers and forensic tools (50 out of 162 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 22, 2021, 10:06 p.m.	class_name: Regmonclass window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 22, 2021, 10:06 p.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 22, 2021, 10:06 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: rsoft+0x461a6c exception.instruction: in eax, dx exception.module: rsoft.exe exception.exception_code: 0xc0000096 exception.offset: 4594284 exception.address: 0x1011a6c registers.esp: 1440764 registers.edi: 5976543 registers.eax: 1447909480 registers.ebp: 12865536 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1	0	0

File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.46996618
FireEye	Trojan.GenericKD.46996618
Cylance	Unsafe
K7AntiVirus	Trojan ( 0057e7591 )
Alibaba	TrojanPSW:Win32/Racealer.f5298318
K7GW	Trojan ( 0057e7591 )
BitDefenderTheta	Gen:NN.ZexaF.34142.fovaaqqKQ41P
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/GenCBL.AMT
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan-PSW.Win32.Racealer.lyu
BitDefender	Trojan.GenericKD.46996618
Avast	Win32:Trojan-gen
Ad-Aware	Trojan.GenericKD.46996618
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKD.46996618 (B)
Avira	TR/Redcap.glfga
Microsoft	Trojan:Script/Phonzy.C!ml
GData	Win32.Trojan-Stealer.Racealer.F37PCZ
Cynet	Malicious (score: 99)
McAfee	Artemis!31CE4F326C61
MAX	malware (ai score=81)
VBA32	BScope.Trojan.Witch
Malwarebytes	Spyware.PasswordStealer
Ikarus	Trojan.Win32.Generic
Fortinet	Malicious_Behavior.SB
AVG	Win32:Trojan-gen
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_60% (W)

rsoft.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All