Summary | ZeroBOX

nereus.exe

Emotet Gen1 Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File PE32 DLL
Category FILE
Machine s1_win7_x6401
Started Dec. 3, 2021, 1:14 p.m.
Completed Dec. 3, 2021, 1:24 p.m.
Size 5.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 69a3d152861a94a8c8cf69faf4e1dfd7
SHA256 b871a7103ea085957ad02ae4983b13e7c1990eb0c2fbc360395e3dfb72e736ab
CRC32 F6510C20
ssdeep 98304:fZGjgLsNypdM5vw9d6ZSvThTOIfDiOj4siBZHMmq/pbOnpaRjPcuagrGqV3Un:fMjuhi5vQ6OhpssiBZHfpaPaKGqV3q
Yara
  • Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.

IP Address Status Action
217.64.149.93 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .ndata
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
abseilvp+0x2e9002 @ 0x4b9002
abseilvp+0x396140 @ 0x566140

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008e
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 10288820
registers.edi: 2068480
registers.eax: 10288820
registers.ebp: 10288900
registers.edx: 2130566132
registers.ebx: 0
registers.esi: 2003530795
registers.ecx: 1977679872
1 0 0

__exception__

stacktrace:

exception.instruction_r: ed e9 25 9f 01 00 c3 e9 a8 4b fa ff 74 09 df 52
exception.symbol: abseilvp+0x38f973
exception.instruction: in eax, dx
exception.module: abseilvp.exe
exception.exception_code: 0xc0000096
exception.offset: 3733875
exception.address: 0x55f973
registers.esp: 10288940
registers.edi: 14101944
registers.eax: 1750617430
registers.ebp: 2068480
registers.edx: 2130532438
registers.ebx: 0
registers.esi: 13
registers.ecx: 20
1 0 0

__exception__

stacktrace:

exception.instruction_r: ed e9 05 cd 01 00 79 30 f3 7c 3f e3 ea 68 e9 55
exception.symbol: abseilvp+0x391f4b
exception.instruction: in eax, dx
exception.module: abseilvp.exe
exception.exception_code: 0xc0000096
exception.offset: 3743563
exception.address: 0x561f4b
registers.esp: 10288940
registers.edi: 14101944
registers.eax: 1447909480
registers.ebp: 2068480
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 13
registers.ecx: 10
1 0 0

__exception__

stacktrace:
toulon+0x3ad22e @ 0x173d22e
toulon+0x3c119d @ 0x175119d

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008e
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 4586024
registers.edi: 20815872
registers.eax: 4586024
registers.ebp: 4586104
registers.edx: 2130566132
registers.ebx: 1992228838
registers.esi: 2003530795
registers.ecx: 1949237248
1 0 0

__exception__

stacktrace:

exception.instruction_r: ed e9 95 34 06 00 0c 00 00 00 2c de ab 68 e8 6b
exception.symbol: toulon+0x348a8d
exception.instruction: in eax, dx
exception.module: toulon.exe
exception.exception_code: 0xc0000096
exception.offset: 3443341
exception.address: 0x16d8a8d
registers.esp: 4586144
registers.edi: 2239910
registers.eax: 1750617430
registers.ebp: 20815872
registers.edx: 2130532438
registers.ebx: 1992228838
registers.esi: 13
registers.ecx: 20
1 0 0

__exception__

stacktrace:

exception.instruction_r: ed e9 5c b7 fe ff c3 e9 37 c4 fe ff e1 8f 4a 25
exception.symbol: toulon+0x3b1c9a
exception.instruction: in eax, dx
exception.module: toulon.exe
exception.exception_code: 0xc0000096
exception.offset: 3873946
exception.address: 0x1741c9a
registers.esp: 4586144
registers.edi: 2239910
registers.eax: 1447909480
registers.ebp: 20815872
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 13
registers.ecx: 10
1 0 0

__exception__

stacktrace:
dpeditor+0x3ad22e @ 0x16ad22e
dpeditor+0x3c119d @ 0x16c119d

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008e
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 3668984
registers.edi: 20226048
registers.eax: 3668984
registers.ebp: 3669064
registers.edx: 2130566132
registers.ebx: 1992228838
registers.esi: 2003530795
registers.ecx: 2631270400
1 0 0

__exception__

stacktrace:

exception.instruction_r: ed e9 95 34 06 00 0c 00 00 00 2c de ab 68 e8 6b
exception.symbol: dpeditor+0x348a8d
exception.instruction: in eax, dx
exception.module: DpEditor.exe
exception.exception_code: 0xc0000096
exception.offset: 3443341
exception.address: 0x1648a8d
registers.esp: 3669104
registers.edi: 8007283
registers.eax: 1750617430
registers.ebp: 20226048
registers.edx: 2130532438
registers.ebx: 1992228838
registers.esi: 13
registers.ecx: 20
1 0 0

__exception__

stacktrace:

exception.instruction_r: ed e9 5c b7 fe ff c3 e9 37 c4 fe ff e1 8f 4a 25
exception.symbol: dpeditor+0x3b1c9a
exception.instruction: in eax, dx
exception.module: DpEditor.exe
exception.exception_code: 0xc0000096
exception.offset: 3873946
exception.address: 0x16b1c9a
registers.esp: 3669104
registers.edi: 8007283
registers.eax: 1447909480
registers.ebp: 20226048
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 13
registers.ecx: 10
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x739a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76a81000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73991000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x733f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x733b4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x733f2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x776df000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77650000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001f0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001ea000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001ea000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001ea000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001ea000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x776df000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77650000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x013cf000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x013c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x013c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 65536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x013c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x013c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x776df000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77650000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0133f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01331000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01331000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 65536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01331000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01331000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73b91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73b01000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ac4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73b92000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\cantle\toulon.exe
file C:\Program Files (x86)\foler\olader\acppage.dll
file C:\Users\test22\AppData\Local\Temp\nsdE3AA.tmp\UAC.dll
file C:\Users\test22\AppData\Local\Temp\cantle\abseilvp.exe
file C:\Program Files (x86)\foler\olader\acledit.dll
file C:\Users\test22\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
file C:\Program Files (x86)\foler\olader\adprovider.dll
file C:\Users\test22\AppData\Local\Temp\nsdE3AA.tmp\UAC.dll
file C:\Users\test22\AppData\Local\Temp\cantle\toulon.exe
file C:\Users\test22\AppData\Local\Temp\cantle\abseilvp.exe
process system
host 217.64.149.93
file C:\ProgramData\AVAST Software
file C:\ProgramData\AVG
Time & API Arguments Status Return Repeated

FindWindowA

class_name: OLLYDBG
window_name:
0 0

FindWindowA

class_name: GBDYLLO
window_name:
0 0

FindWindowA

class_name: pediy06
window_name:
0 0

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: File Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Process Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: Registry Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: OLLYDBG
window_name:
0 0

FindWindowA

class_name: GBDYLLO
window_name:
0 0

FindWindowA

class_name: pediy06
window_name:
0 0

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: Registry Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: File Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Process Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: OLLYDBG
window_name:
0 0

FindWindowA

class_name: GBDYLLO
window_name:
0 0

FindWindowA

class_name: pediy06
window_name:
0 0

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: Registry Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: File Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Process Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 76 (SystemFirmwareTableInformation)
3221225507 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:

exception.instruction_r: ed e9 05 cd 01 00 79 30 f3 7c 3f e3 ea 68 e9 55
exception.symbol: abseilvp+0x391f4b
exception.instruction: in eax, dx
exception.module: abseilvp.exe
exception.exception_code: 0xc0000096
exception.offset: 3743563
exception.address: 0x561f4b
registers.esp: 10288940
registers.edi: 14101944
registers.eax: 1447909480
registers.ebp: 2068480
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 13
registers.ecx: 10
1 0 0
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Doina.28574
FireEye Generic.mg.69a3d152861a94a8
ALYac Gen:Variant.Doina.28574
Malwarebytes Trojan.Dropper
Zillya Dropper.Mine.Win32.155
Cybereason malicious.2861a9
BitDefenderTheta AI:Packer.255E98871E
Cyren W32/Kryptik.FHH.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 multiple detections
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Gen:Variant.Doina.28574
NANO-Antivirus Virus.Win32.Gen-Crypt.ccnc
Avast Win32:CrypterX-gen [Trj]
Ad-Aware Gen:Variant.Doina.28574
Emsisoft Gen:Variant.Doina.28574 (B)
McAfee-GW-Edition BehavesLike.Win32.Dropper.tc
Sophos Generic ML PUA (PUA)
Microsoft Trojan:Win32/Sabsik.FL.B!ml
GData Win32.Trojan.BSE.HLJWVB
AhnLab-V3 Dropper/Win.Agent.C4666344
MAX malware (ai score=88)
VBA32 BScope.Trojan.Wacatac
Rising Malware.Heuristic!ET#100% (RDMK:cmRtazoPOOH1SaXICMq1TPN5gmkU)
AVG Win32:CrypterX-gen [Trj]
CrowdStrike win/malicious_confidence_60% (D)