Edit tour

Windows Analysis Report
wubZB5Ar1r.exe

Overview

General Information

Sample name:	wubZB5Ar1r.exe renamed because original name is a hash value
Original sample name:	f2e35b7328c84a7c6719d237b43dce5d5f0268ea1bb4cb6f661393c5ff1f9f5d.exe
Analysis ID:	1631787
MD5:	34c1e2debc02eae2f3e460241f2b2805
SHA1:	6f7daa7605b7f38aa6bbdab61c7b36c4896aa83b
SHA256:	f2e35b7328c84a7c6719d237b43dce5d5f0268ea1bb4cb6f661393c5ff1f9f5d
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AgentTesla

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

wubZB5Ar1r.exe (PID: 6808 cmdline: "C:\Users\user\Desktop\wubZB5Ar1r.exe" MD5: 34C1E2DEBC02EAE2F3E460241F2B2805)

ramack.exe (PID: 6272 cmdline: "C:\Users\user\Desktop\wubZB5Ar1r.exe" MD5: 34C1E2DEBC02EAE2F3E460241F2B2805)

RegSvcs.exe (PID: 5352 cmdline: "C:\Users\user\Desktop\wubZB5Ar1r.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

ramack.exe (PID: 3900 cmdline: "C:\Users\user\AppData\Local\fricandeaus\ramack.exe" MD5: 34C1E2DEBC02EAE2F3E460241F2B2805)

RegSvcs.exe (PID: 6880 cmdline: "C:\Users\user\AppData\Local\fricandeaus\ramack.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 6884 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ramack.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

ramack.exe (PID: 6912 cmdline: "C:\Users\user\AppData\Local\fricandeaus\ramack.exe" MD5: 34C1E2DEBC02EAE2F3E460241F2B2805)

RegSvcs.exe (PID: 1948 cmdline: "C:\Users\user\AppData\Local\fricandeaus\ramack.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.privateemail.com", "Username": "pin@hm-heating-de.icu", "Password": "mGr{)g5TVG3j"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.1488412383.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1488412383.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.1488412383.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.1352723477.0000000003B30000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 95 88 44 24 2B 88 44 24 2F B0 07 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0000000B.00000002.1491469820.0000000004381000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1491469820.0000000004381000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.1491469820.0000000004381000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.2519362195.0000000003294000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2519362195.0000000003294000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.1321166995.0000000003730000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 95 88 44 24 2B 88 44 24 2F B0 07 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0000000B.00000002.1485213074.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 95 88 44 24 2B 88 44 24 2F B0 07 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x403f5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40467:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x404f1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40583:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x405ed:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4065f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x406f5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40785:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0000000E.00000002.2519362195.00000000032BF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.1489092598.00000000033D4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1489092598.00000000033D4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.1486295539.0000000003B20000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 95 88 44 24 2B 88 44 24 2F B0 07 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0000000B.00000002.1493682070.0000000005990000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1493682070.0000000005990000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.1493682070.0000000005990000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.1493682070.0000000005990000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f50d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f57f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f609:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f69b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f705:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f777:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f80d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f89d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0000000B.00000002.1489092598.00000000033FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 6880	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6880	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 1948	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 1948	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.ramack.exe.3730000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 95 88 44 24 2B 88 44 24 2F B0 07 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
13.2.ramack.exe.3b20000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 95 88 44 24 2B 88 44 24 2F B0 07 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
11.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 95 88 44 24 2B 88 44 24 2F B0 07 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
10.2.ramack.exe.3b30000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 95 88 44 24 2B 88 44 24 2F B0 07 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
11.2.RegSvcs.exe.43d2f90.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.43d2f90.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.43d2f90.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.43d2f90.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d70d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d77f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d809:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d89b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d905:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d977:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3da0d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3da9d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.2efef7e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.2efef7e.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.2efef7e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.2efef7e.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e5f5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e667:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e6f1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e783:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e7ed:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e85f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e8f5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e985:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.2effe66.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.2effe66.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.2effe66.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.2effe66.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d70d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d77f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d809:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d89b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d905:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d977:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3da0d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3da9d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.57c0ee8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.57c0ee8.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.57c0ee8.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.57c0ee8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f50d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f57f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f609:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f69b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f705:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f777:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f80d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f89d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.2efef7e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.2efef7e.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.2efef7e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.2efef7e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x403f5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40467:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x404f1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40583:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x405ed:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4065f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x406f5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40785:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.4386458.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.4386458.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.4386458.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.4386458.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d70d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d77f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d809:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d89b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d905:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d977:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3da0d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3da9d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.57c0ee8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.57c0ee8.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.57c0ee8.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.57c0ee8.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d70d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d77f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d809:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d89b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d905:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d977:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3da0d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3da9d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.5990000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.5990000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.5990000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.5990000.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d70d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d77f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d809:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d89b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d905:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d977:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3da0d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3da9d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.5990000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.5990000.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.5990000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.5990000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f50d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f57f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f609:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f69b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f705:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f777:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f80d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f89d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 95 88 44 24 2B 88 44 24 2F B0 07 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
11.2.RegSvcs.exe.57c0000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.57c0000.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.57c0000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.57c0000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x403f5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40467:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x404f1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40583:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x405ed:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4065f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x406f5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40785:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.4386458.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.4386458.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.4386458.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.4386458.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f50d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8c045:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f57f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8c0b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f609:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8c141:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f69b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8c1d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f705:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8c23d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f777:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8c2af:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f80d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8c345:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f89d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8c3d5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.43d2f90.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.43d2f90.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.4385570.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.4385570.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.4385570.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.43d2f90.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.4385570.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e5f5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e667:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e6f1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e783:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e7ed:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e85f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e8f5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e985:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.43d2f90.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f50d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f57f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f609:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f69b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f705:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f777:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f80d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f89d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.2effe66.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.2effe66.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.2effe66.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.2effe66.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f50d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f57f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f609:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f69b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f705:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f777:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f80d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f89d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.57c0000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.57c0000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.57c0000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.57c0000.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e5f5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e667:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e6f1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e783:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e7ed:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e85f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e8f5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e985:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.4385570.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.4385570.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.4385570.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.4385570.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x403f5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8cf2d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40467:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8cf9f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x404f1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8d029:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40583:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8d0bb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x405ed:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8d125:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4065f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8d197:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x406f5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8d22d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40785:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8d2bd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 64 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ramack.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ramack.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 496, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ramack.vbs" , ProcessId: 6884, ProcessName: wscript.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 198.54.122.135, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 6880, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49688

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ramack.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ramack.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 496, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ramack.vbs" , ProcessId: 6884, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\fricandeaus\ramack.exe, ProcessId: 6272, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ramack.vbs

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: wubZB5Ar1r.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe

Avira: detection malicious, Label: HEUR/AGEN.1321671

Found malware configuration

Source: 11.2.RegSvcs.exe.57c0ee8.7.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.privateemail.com", "Username": "pin@hm-heating-de.icu", "Password": "mGr{)g5TVG3j"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe

ReversingLabs: Detection: 71%

Multi AV Scanner detection for submitted file

Source: wubZB5Ar1r.exe	Virustotal: Detection: 57%			Perma Link
Source: wubZB5Ar1r.exe	ReversingLabs: Detection: 71%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: wubZB5Ar1r.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49689 version: TLS 1.2

Source:	Binary string: _.pdb source: RegSvcs.exe, 0000000B.00000002.1488412383.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1491469820.0000000004381000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2518538506.0000000002F2C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2522582110.0000000004292000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: ramack.exe, 00000008.00000003.1319535438.00000000046D0000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 00000008.00000003.1319284252.0000000004530000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 0000000A.00000003.1346854928.00000000045E0000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 0000000A.00000003.1348744364.0000000004440000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 0000000D.00000003.1479903750.0000000004640000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 0000000D.00000003.1481993914.00000000044A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ramack.exe, 00000008.00000003.1319535438.00000000046D0000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 00000008.00000003.1319284252.0000000004530000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 0000000A.00000003.1346854928.00000000045E0000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 0000000A.00000003.1348744364.0000000004440000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 0000000D.00000003.1479903750.0000000004640000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 0000000D.00000003.1481993914.00000000044A0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452492
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442886
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_004788BD
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004339B6
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,	0_2_0045CAFA
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00431A86
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD27
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0045DE8F FindFirstFileW,FindClose,	0_2_0045DE8F
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8B
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,	10_2_00452492
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00442886
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	10_2_004788BD
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,	10_2_004339B6
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,	10_2_0045CAFA
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00431A86
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	10_2_0044BD27
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0045DE8F FindFirstFileW,FindClose,	10_2_0045DE8F
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_0044BF8B

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.6:49688 -> 198.54.122.135:587

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 198.54.122.135 198.54.122.135

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.6:49688 -> 198.54.122.135:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,

0_2_004422FE

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.privateemail.com

Source: RegSvcs.exe, 0000000B.00000002.1489092598.0000000003407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1486502418.000000000147A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2517748334.000000000154D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2519362195.00000000032C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 0000000B.00000002.1486502418.00000000014C9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2523695910.0000000005944000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 0000000E.00000002.2523695910.0000000005944000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftM
Source: RegSvcs.exe, 0000000B.00000002.1489092598.0000000003407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1486502418.000000000147A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2523695910.0000000005944000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2519362195.00000000032C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: RegSvcs.exe, 0000000B.00000002.1489092598.00000000033FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2519362195.00000000032BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.privateemail.com
Source: RegSvcs.exe, 0000000B.00000002.1489092598.0000000003407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1486502418.000000000147A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1486502418.00000000014C9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2517748334.000000000154D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2519362195.00000000032C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 0000000B.00000002.1489092598.0000000003407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1486502418.000000000147A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2523695910.0000000005944000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2519362195.00000000032C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: RegSvcs.exe, 0000000B.00000002.1489092598.0000000003381000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2519362195.0000000003250000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000B.00000002.1488412383.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1491469820.0000000004381000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1493682070.0000000005990000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 0000000B.00000002.1488412383.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1491469820.0000000004381000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1489092598.0000000003381000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1493682070.0000000005990000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2519362195.0000000003250000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 0000000B.00000002.1489092598.0000000003381000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2519362195.0000000003250000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 0000000B.00000002.1489092598.0000000003381000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2519362195.0000000003250000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: RegSvcs.exe, 0000000B.00000002.1489092598.0000000003407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1486502418.000000000147A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2523695910.0000000005944000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2519362195.00000000032C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49689 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 11.2.RegSvcs.exe.5990000.8.raw.unpack, SKTzxzsJw.cs

.Net Code: mWXy4

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0045A10F

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_0045A10F
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		10_2_0045A10F

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046DC80

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,

0_2_0044C37A

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_0047C81C
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		10_2_0047C81C

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.ramack.exe.3730000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.ramack.exe.3b20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.ramack.exe.3b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.RegSvcs.exe.43d2f90.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.2efef7e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.2effe66.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.57c0ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.2efef7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.4386458.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.57c0ee8.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.5990000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.5990000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.RegSvcs.exe.57c0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.4386458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.4385570.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.43d2f90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.2effe66.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.57c0000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.4385570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000A.00000002.1352723477.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000008.00000002.1321166995.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000B.00000002.1485213074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000D.00000002.1486295539.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000B.00000002.1493682070.0000000005990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00431BE8

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00446313

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		0_2_004333BE
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		10_2_004333BE

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_004096A0	0_2_004096A0
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0042200C	0_2_0042200C
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0041A217	0_2_0041A217
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_00412216	0_2_00412216
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0042435D	0_2_0042435D
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_004033C0	0_2_004033C0
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_004125E8	0_2_004125E8
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0044663B	0_2_0044663B
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_00413801	0_2_00413801
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0042096F	0_2_0042096F
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_004129D0	0_2_004129D0
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_004119E3	0_2_004119E3
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0041C9AE	0_2_0041C9AE
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0047EA6F	0_2_0047EA6F
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0040FA10	0_2_0040FA10
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_00423C81	0_2_00423C81
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_00411E78	0_2_00411E78
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_00442E0C	0_2_00442E0C
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_00420EC0	0_2_00420EC0
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0044CF17	0_2_0044CF17
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_00444FD2	0_2_00444FD2
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_040CEFC0	0_2_040CEFC0
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 8_2_041B5888	8_2_041B5888
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_004096A0	10_2_004096A0
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0042200C	10_2_0042200C
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0041A217	10_2_0041A217
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_00412216	10_2_00412216
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0042435D	10_2_0042435D
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_004033C0	10_2_004033C0
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_004125E8	10_2_004125E8
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0044663B	10_2_0044663B
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_00413801	10_2_00413801
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0042096F	10_2_0042096F
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_004129D0	10_2_004129D0
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_004119E3	10_2_004119E3
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0041C9AE	10_2_0041C9AE
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0047EA6F	10_2_0047EA6F
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0040FA10	10_2_0040FA10
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_00423C81	10_2_00423C81
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_00411E78	10_2_00411E78
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_00442E0C	10_2_00442E0C
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_00420EC0	10_2_00420EC0
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0044CF17	10_2_0044CF17
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_00444FD2	10_2_00444FD2
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_040B87E8	10_2_040B87E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00408C60	11_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0040DC11	11_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00407C3F	11_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00418CCC	11_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00406CA0	11_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_004028B0	11_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041A4BE	11_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00418244	11_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00401650	11_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00402F20	11_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_004193C4	11_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00418788	11_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00402F89	11_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00402B90	11_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_004073A0	11_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02E7D9A0	11_2_02E7D9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02E7CD88	11_2_02E7CD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02E70FD0	11_2_02E70FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02E7D0D0	11_2_02E7D0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02E71030	11_2_02E71030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0688ECB0	11_2_0688ECB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06889590	11_2_06889590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06886248	11_2_06886248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0688BBD8	11_2_0688BBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0688F410	11_2_0688F410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06880007	11_2_06880007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06880040	11_2_06880040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06CA5248	11_2_06CA5248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06CAA0E9	11_2_06CAA0E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06CA61D0	11_2_06CA61D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06CA1540	11_2_06CA1540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06CA83D8	11_2_06CA83D8
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 13_2_04128FC0	13_2_04128FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_0303CD88	14_2_0303CD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_0303D9A0	14_2_0303D9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_03030FD0	14_2_03030FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_03031030	14_2_03031030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_0303D0D0	14_2_0303D0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_05F79580	14_2_05F79580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_05F7ECA0	14_2_05F7ECA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_05F7BBC8	14_2_05F7BBC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_05F76238	14_2_05F76238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_05F70040	14_2_05F70040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_05F70007	14_2_05F70007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06CE0620	14_2_06CE0620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06CE1718	14_2_06CE1718

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: String function: 00445AE0 appears 65 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: String function: 00445AE0 appears 65 times

Source: wubZB5Ar1r.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 8.2.ramack.exe.3730000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.ramack.exe.3b20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.ramack.exe.3b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.RegSvcs.exe.43d2f90.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.2efef7e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.2effe66.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.57c0ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.2efef7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.4386458.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.57c0ee8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.5990000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.5990000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.RegSvcs.exe.57c0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.4386458.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.4385570.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.43d2f90.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.2effe66.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.57c0000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.4385570.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000A.00000002.1352723477.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000008.00000002.1321166995.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000B.00000002.1485213074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000D.00000002.1486295539.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000B.00000002.1493682070.0000000005990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 11.2.RegSvcs.exe.57c0ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.RegSvcs.exe.57c0ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.RegSvcs.exe.5990000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.RegSvcs.exe.5990000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.RegSvcs.exe.5990000.8.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.RegSvcs.exe.5990000.8.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.RegSvcs.exe.5990000.8.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.RegSvcs.exe.5990000.8.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.RegSvcs.exe.5990000.8.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.RegSvcs.exe.5990000.8.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@14/3@2/2

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_0044AF6C GetLastError,FormatMessageW,

0_2_0044AF6C

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,	0_2_004333BE
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,	0_2_00464EAE
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,	10_2_004333BE
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,	10_2_00464EAE

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,

0_2_0045D619

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,

0_2_004755C4

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0047839D

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

0_2_0043305F

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

File created: C:\Users\user\AppData\Local\fricandeaus

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

File created: C:\Users\user\AppData\Local\Temp\Charley

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ramack.vbs"

Source: wubZB5Ar1r.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wubZB5Ar1r.exe	Virustotal: Detection: 57%
Source: wubZB5Ar1r.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

File read: C:\Users\user\Desktop\wubZB5Ar1r.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\wubZB5Ar1r.exe "C:\Users\user\Desktop\wubZB5Ar1r.exe"
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Process created: C:\Users\user\AppData\Local\fricandeaus\ramack.exe "C:\Users\user\Desktop\wubZB5Ar1r.exe"
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\wubZB5Ar1r.exe"
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Process created: C:\Users\user\AppData\Local\fricandeaus\ramack.exe "C:\Users\user\AppData\Local\fricandeaus\ramack.exe"
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\fricandeaus\ramack.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ramack.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\fricandeaus\ramack.exe "C:\Users\user\AppData\Local\fricandeaus\ramack.exe"
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\fricandeaus\ramack.exe"
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Process created: C:\Users\user\AppData\Local\fricandeaus\ramack.exe "C:\Users\user\Desktop\wubZB5Ar1r.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\wubZB5Ar1r.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Process created: C:\Users\user\AppData\Local\fricandeaus\ramack.exe "C:\Users\user\AppData\Local\fricandeaus\ramack.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\fricandeaus\ramack.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\fricandeaus\ramack.exe "C:\Users\user\AppData\Local\fricandeaus\ramack.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\fricandeaus\ramack.exe"	Jump to behavior

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: wubZB5Ar1r.exe

Static file information: File size 1297603 > 1048576

Source:	Binary string: _.pdb source: RegSvcs.exe, 0000000B.00000002.1488412383.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1491469820.0000000004381000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2518538506.0000000002F2C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2522582110.0000000004292000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: ramack.exe, 00000008.00000003.1319535438.00000000046D0000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 00000008.00000003.1319284252.0000000004530000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 0000000A.00000003.1346854928.00000000045E0000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 0000000A.00000003.1348744364.0000000004440000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 0000000D.00000003.1479903750.0000000004640000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 0000000D.00000003.1481993914.00000000044A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ramack.exe, 00000008.00000003.1319535438.00000000046D0000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 00000008.00000003.1319284252.0000000004530000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 0000000A.00000003.1346854928.00000000045E0000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 0000000A.00000003.1348744364.0000000004440000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 0000000D.00000003.1479903750.0000000004640000.00000004.00001000.00020000.00000000.sdmp, ramack.exe, 0000000D.00000003.1481993914.00000000044A0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 11.2.RegSvcs.exe.57c0ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 11.2.RegSvcs.exe.5990000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 11.2.RegSvcs.exe.4386458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 11.2.RegSvcs.exe.43d2f90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 11.2.RegSvcs.exe.2effe66.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 11.2.RegSvcs.exe.2efef7e.1.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 11.2.RegSvcs.exe.57c0000.6.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,

0_2_0040EBD0

Source: ramack.exe.0.dr	Static PE information: real checksum: 0xa961f should be: 0x14a173
Source: wubZB5Ar1r.exe	Static PE information: real checksum: 0xa961f should be: 0x14a173

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_00416CB5 push ecx; ret	0_2_00416CC8
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_00416CB5 push ecx; ret	10_2_00416CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041C40C push cs; iretd	11_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00423149 push eax; ret	11_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041C50E push cs; iretd	11_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_004231C8 push eax; ret	11_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0040E21D push ecx; ret	11_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041C6BE push ebx; ret	11_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06CAD0A3 push ds; retf	11_2_06CAD0B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06CE2880 push cs; iretd	14_2_06CE288A

Source: 11.2.RegSvcs.exe.57c0ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Hfv1VUh6VgiUX', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 11.2.RegSvcs.exe.5990000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Hfv1VUh6VgiUX', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 11.2.RegSvcs.exe.4386458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Hfv1VUh6VgiUX', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 11.2.RegSvcs.exe.43d2f90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Hfv1VUh6VgiUX', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 11.2.RegSvcs.exe.2effe66.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Hfv1VUh6VgiUX', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

File created: C:\Users\user\AppData\Local\fricandeaus\ramack.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ramack.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ramack.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ramack.vbs

Jump to behavior

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_0047A330
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00434418
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	10_2_0047A330
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,	10_2_00434418

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	API/Special instruction interceptor: Address: 41B54AC
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	API/Special instruction interceptor: Address: 40B840C
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	API/Special instruction interceptor: Address: 4128BE4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 11_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

11_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3139	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1696	Jump to behavior

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-85008
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	API coverage: 3.5 %
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	API coverage: 3.6 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452492
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442886
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_004788BD
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004339B6
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,	0_2_0045CAFA
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00431A86
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD27
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0045DE8F FindFirstFileW,FindClose,	0_2_0045DE8F
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8B
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,	10_2_00452492
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00442886
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	10_2_004788BD
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,	10_2_004339B6
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,	10_2_0045CAFA
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00431A86
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	10_2_0044BD27
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0045DE8F FindFirstFileW,FindClose,	10_2_0045DE8F
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_0044BF8B

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,

0_2_0040E500

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99355	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99243	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99101	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98878	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98526	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98148	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97592	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98342	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98230	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98082	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97530	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: ramack.exe, 0000000A.00000002.1351519408.0000000000958000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 0000000C.00000002.1452931666.000001A848B25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: ramack.exe, 0000000D.00000002.1484776688.0000000000A87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Ta
Source: RegSvcs.exe, 0000000B.00000002.1492906023.00000000058C4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2523695910.0000000005944000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_0045A370 BlockInput,

0_2_0045A370

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,

0_2_0040D590

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

11_2_004019F0

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,

0_2_0040EBD0

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_040CEE50 mov eax, dword ptr fs:[00000030h]	0_2_040CEE50
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_040CEEB0 mov eax, dword ptr fs:[00000030h]	0_2_040CEEB0
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_040CD800 mov eax, dword ptr fs:[00000030h]	0_2_040CD800
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 8_2_041B5718 mov eax, dword ptr fs:[00000030h]	8_2_041B5718
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 8_2_041B40C8 mov eax, dword ptr fs:[00000030h]	8_2_041B40C8
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 8_2_041B5778 mov eax, dword ptr fs:[00000030h]	8_2_041B5778
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_040B8678 mov eax, dword ptr fs:[00000030h]	10_2_040B8678
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_040B86D8 mov eax, dword ptr fs:[00000030h]	10_2_040B86D8
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_040B7028 mov eax, dword ptr fs:[00000030h]	10_2_040B7028
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 13_2_04127800 mov eax, dword ptr fs:[00000030h]	13_2_04127800
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 13_2_04128EB0 mov eax, dword ptr fs:[00000030h]	13_2_04128EB0
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 13_2_04128E50 mov eax, dword ptr fs:[00000030h]	13_2_04128E50

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_004238DA

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0041F250 SetUnhandledExceptionFilter,	0_2_0041F250
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041A208
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00417DAA
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0041F250 SetUnhandledExceptionFilter,	10_2_0041F250
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0041A208
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00417DAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_004123F1 SetUnhandledExceptionFilter,	11_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FC9008			Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1188008			Jump to behavior

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_00436CD7 LogonUserW,

0_2_00436CD7

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

0_2_0040D590

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00434418

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event,

0_2_0043333C

Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\wubZB5Ar1r.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\fricandeaus\ramack.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\fricandeaus\ramack.exe "C:\Users\user\AppData\Local\fricandeaus\ramack.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\fricandeaus\ramack.exe"	Jump to behavior

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00446124

Source: wubZB5Ar1r.exe, ramack.exe	Binary or memory string: Shell_TrayWnd
Source: wubZB5Ar1r.exe, ramack.exe.0.dr	Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

11_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,

0_2_004720DB

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_00472C3F GetUserNameW,

0_2_00472C3F

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_0041E364

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,

0_2_0040E500

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 11.2.RegSvcs.exe.43d2f90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2efef7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2effe66.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2efef7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4386458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5990000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5990000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4386458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.43d2f90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4385570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2effe66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4385570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1488412383.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1491469820.0000000004381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2519362195.0000000003294000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2519362195.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1489092598.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1493682070.0000000005990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1489092598.00000000033FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1948, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 11.2.RegSvcs.exe.43d2f90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2efef7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2effe66.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2efef7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4386458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5990000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5990000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4386458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4385570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.43d2f90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2effe66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4385570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1488412383.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1491469820.0000000004381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1493682070.0000000005990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: ramack.exe	Binary or memory string: WIN_XP
Source: ramack.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: ramack.exe	Binary or memory string: WIN_XPe
Source: ramack.exe	Binary or memory string: WIN_VISTA
Source: ramack.exe	Binary or memory string: WIN_7
Source: ramack.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 11.2.RegSvcs.exe.43d2f90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2efef7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2effe66.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2efef7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4386458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5990000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5990000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4386458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.43d2f90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4385570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2effe66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4385570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1488412383.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1491469820.0000000004381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2519362195.0000000003294000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1489092598.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1493682070.0000000005990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1948, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 11.2.RegSvcs.exe.43d2f90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2efef7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2effe66.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2efef7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4386458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5990000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5990000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4386458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.43d2f90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4385570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2effe66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4385570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1488412383.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1491469820.0000000004381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2519362195.0000000003294000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2519362195.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1489092598.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1493682070.0000000005990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1489092598.00000000033FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1948, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 11.2.RegSvcs.exe.43d2f90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2efef7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2effe66.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2efef7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4386458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5990000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5990000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4386458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4385570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.43d2f90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2effe66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.57c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.4385570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1488412383.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1491469820.0000000004381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1493682070.0000000005990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_004652BE
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00476619
Source: C:\Users\user\Desktop\wubZB5Ar1r.exe	Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	0_2_0046CEF3
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	10_2_004652BE
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	10_2_00476619
Source: C:\Users\user\AppData\Local\fricandeaus\ramack.exe	Code function: 10_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	10_2_0046CEF3

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	121 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	2 Software Packing	NTDS	138 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	341 Security Software Discovery	SSH	3 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	121 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
wubZB5Ar1r.exe	58%	Virustotal		Browse
wubZB5Ar1r.exe	71%	ReversingLabs	Win32.Trojan.AutoitInject
wubZB5Ar1r.exe	100%	Avira	HEUR/AGEN.1321671

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\fricandeaus\ramack.exe	100%	Avira	HEUR/AGEN.1321671
C:\Users\user\AppData\Local\fricandeaus\ramack.exe	71%	ReversingLabs	Win32.Trojan.AutoitInject

Source	Detection	Scanner	Label	Link
http://crl.microsoftM	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.privateemail.com	198.54.122.135	true	false		high
api.ipify.org	104.26.12.205	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	RegSvcs.exe, 0000000B.00000002.1489092598.0000000003407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1486502418.000000000147A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2523695910.0000000005944000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2519362195.00000000032C7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org	RegSvcs.exe, 0000000B.00000002.1488412383.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1491469820.0000000004381000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1489092598.0000000003381000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1493682070.0000000005990000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2519362195.0000000003250000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	RegSvcs.exe, 0000000B.00000002.1489092598.0000000003407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1486502418.000000000147A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2523695910.0000000005944000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2519362195.00000000032C7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	RegSvcs.exe, 0000000B.00000002.1488412383.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1491469820.0000000004381000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1493682070.0000000005990000.00000004.08000000.00040000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	RegSvcs.exe, 0000000B.00000002.1489092598.0000000003407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1486502418.000000000147A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2523695910.0000000005944000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2519362195.00000000032C7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	RegSvcs.exe, 0000000B.00000002.1489092598.0000000003381000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2519362195.0000000003250000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.privateemail.com	RegSvcs.exe, 0000000B.00000002.1489092598.00000000033FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2519362195.00000000032BF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 0000000B.00000002.1489092598.0000000003381000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2519362195.0000000003250000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoftM	RegSvcs.exe, 0000000E.00000002.2523695910.0000000005944000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
198.54.122.135	mail.privateemail.com	United States		22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1631787
Start date and time:	2025-03-07 15:53:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wubZB5Ar1r.exe renamed because original name is a hash value
Original Sample Name:	f2e35b7328c84a7c6719d237b43dce5d5f0268ea1bb4cb6f661393c5ff1f9f5d.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@14/3@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 53 Number of non-executed functions: 323
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 23.199.214.10
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:54:19	API Interceptor	43x Sleep call for process: RegSvcs.exe modified
15:54:17	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ramack.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	NightFixed 1.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	VibeCall.exe	Get hash	malicious	RHADAMANTHYS	Browse	api.ipify.org/
	VRChat_ERP_Setup 1.0.0.msi	Get hash	malicious	Unknown	Browse	api.ipify.org/
	wEY98gM1Jj.ps1	Get hash	malicious	LummaC Stealer	Browse	api.ipify.org/
	oNvY66Z8jp.ps1	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Pmw24ExIdx.ps1	Get hash	malicious	Unknown	Browse	api.ipify.org/
	DeepLauncher.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	[Huawei] Contract for YouTube partners.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	NexoPack Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	NexoPack Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
198.54.122.135	#U94f6#U884c#U8f6c#U8d26#U51ed#U8bc1.vbs	Get hash	malicious	Unknown	Browse
	Updated Price List for 2025 Business Year.exe	Get hash	malicious	Snake Keylogger	Browse
	niceworkingskillgivenbetterwayofbetterthings.hta	Get hash	malicious	Cobalt Strike, MassLogger RAT	Browse
	Annual Leave sheet 2025.vbs	Get hash	malicious	MassLogger RAT	Browse
	DpTbBYeE7J.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	cali.exe	Get hash	malicious	AgentTesla	Browse
	MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	b9Mm2hq1pU.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	kNyZqDECXJ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	ItPTgiBC07.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.privateemail.com	#U94f6#U884c#U8f6c#U8d26#U51ed#U8bc1.vbs	Get hash	malicious	Unknown	Browse	198.54.122.135
	Updated Price List for 2025 Business Year.exe	Get hash	malicious	Snake Keylogger	Browse	198.54.122.135
	niceworkingskillgivenbetterwayofbetterthings.hta	Get hash	malicious	Cobalt Strike, MassLogger RAT	Browse	198.54.122.135
	Annual Leave sheet 2025.vbs	Get hash	malicious	MassLogger RAT	Browse	198.54.122.135
	DpTbBYeE7J.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	cali.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	b9Mm2hq1pU.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	kNyZqDECXJ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	ItPTgiBC07.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
api.ipify.org	oCPGyn28rc.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	reversed-payload.bin.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	SecuriteInfo.com.Win32.CrypterX-gen.18789.13214.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Ningbo Overdue Invoice - JAN 23,2025.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://ipfs.io/ipfs/bafkreieqld65z4s3qt2ewjyg6bbbyhkdl2tlzzvflxmef66o3zugau2mtu/#bgruwez@youtube.com	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://ipfs.io/ipfs/bafkreieqld65z4s3qt2ewjyg6bbbyhkdl2tlzzvflxmef66o3zugau2mtu/#bgruwez@besix.com	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	bkHLzNaNMS.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	bkHLzNaNMS.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	datasheet.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Korea Customs Document.html	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	mKRflLn5sx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	HT4YGXBRtx.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	PayeeRemittanceNotice_ GQUMJOTASN.eml	Get hash	malicious	Unknown	Browse	104.17.25.14
	UOEAjWmusE.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	4LJHFzA8jr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	nGI2U2r41E.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	7l3CafRVv7.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	C6FGS0I3yn.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	ckHregxJIq.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	oCPGyn28rc.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
NAMECHEAP-NETUS	1x165rHRi9.exe	Get hash	malicious	FormBook	Browse	162.0.231.203
	http://mnp2.com	Get hash	malicious	Unknown	Browse	192.64.119.239
	SEA WAYBILL, BL, INVOICE & PACKING LIST.exe	Get hash	malicious	FormBook	Browse	162.255.118.67
	rPO-20429124.exe	Get hash	malicious	FormBook	Browse	63.250.38.223
	z15NEWORDERSUPPLY0490402.exe	Get hash	malicious	FormBook	Browse	63.250.38.122
	YzvM4Dzoe3.exe	Get hash	malicious	FormBook	Browse	162.255.118.67
	Revised Invoice Vt-1307701765400112977.exe	Get hash	malicious	FormBook	Browse	162.255.118.67
	PO#10800.exe	Get hash	malicious	FormBook	Browse	162.0.239.7
	rRFQ24A.exe	Get hash	malicious	FormBook	Browse	63.250.38.223
	PURCHASE-ORDER-SINCOAUTOMATION-PO322357781-Ref 6421SINCO-AUTOMATION4533.exe	Get hash	malicious	FormBook	Browse	63.250.38.122

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	mKRflLn5sx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	UOEAjWmusE.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.26.12.205
	zXtG0a5Gt0.exe	Get hash	malicious	XWorm	Browse	104.26.12.205
	nGI2U2r41E.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	OfQ4QRmP65.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	ckHregxJIq.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	OfQ4QRmP65.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	gIPDZfPhpW.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	PvAmrCZENy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	gIPDZfPhpW.exe	Get hash	malicious	Unknown	Browse	104.26.12.205

Process:	C:\Users\user\Desktop\wubZB5Ar1r.exe
File Type:	data
Category:	dropped
Size (bytes):	267776
Entropy (8bit):	7.8979076857842205
Encrypted:	false
SSDEEP:	6144:r8XoO7Fo90t5ihdSqgvPrjH/aL2xM+5qVsUMZneVViBn:rvV9W5ikuL2VFUM0iBn
MD5:	03331CDCF85F31C57574D6EA0E649811
SHA1:	25B6E7E89F98923FD6B833FE8602E69B5CC727FD
SHA-256:	EE363C4CF2B794CA960F1C75620A07E3D57DF2F3088372A5668158837A6C54AD
SHA-512:	82496DBD4A32465012152E4180A81F6B773318BAA1FBB0E6B528ED7F10BC7A40E283F9881277009026BE2C5CD8181522F8D4AD4B713542A0C18D6B4A85830D39
Malicious:	false
Reputation:	low
Preview:	...7ZS9S7YH9..4I.GSDRKB3.7KDDJ7YS9S3YH9R44IOGSDRKB3B7KDDJ7YS.S3YF&.:4.F.r.S...._"7d:E64K2^y+X<Z[=o%6d >,.+Yk....4<]6.TE3v44IOGSD:[..nF.:h;.'.H.MkkF,.E.1L..,`3.<.:.:.F.-.p]'TH.J.j&9.5.5p.9If5.4e00Q.B.69R44IOGSDRKB3B7K..#QYS9Sc.H9.50I;.S.RKB3B7KD.J.XX8Z3Y.8R4NKOGSDRd.3B7[DDJ.XS9SsYH)R44KOGVDRKB3B7NDDJ7YS9SS]H9V44.tESFRK.3B'KDTJ7YS)S3IH9R44I_GSDRKB3B7KD._5Y.9S3Y(;R..HOGSDRKB3B7KDDJ7YS9S3YH9R4..NGODRKB3B7KDDJ7YS9S3YH9R44IOGS._IBsB7KDDJ7YS9S3.I9.54IOGSDRKB3B7KDDJ7YS9S3YH9R.@,73SDRS.2B7[DDJ.XS9W3YH9R44IOGSDRKb3BWe6 +C8S9.^YH9.54I!GSD.JB3B7KDDJ7YS9SsYHy\|PU=.GSD.{B3B.IDD\7YS3Q3YH9R44IOGSDR.B3..976)7YS.2YHYP44.NGSdPKB3B7KDDJ7YS9.3Y.9R44IOGSDRKB3B7KDDJ7YS9S3YH9R44IOGSDRKB3B7KDDJ7YS9S3YH9R44IOGSDRKB3B7KDDJ7YS9S3YH9R44IOGSDRKB3B7KDDJ7YS9S3YH9R44IOGSDRKB3B7KDDJ7YS9S3YH9R44IOGSDRKB3B7KDDJ7YS9S3YH9R44IOGSDRKB3B7KDDJ7YS9S3YH9R44IOGSDRKB3B7KDDJ7YS9S3YH9R44IOGSDRKB3B7KDDJ7YS9S3YH9R44IOGSDRKB3B7KDDJ7YS9S3YH9R44IOGSDRKB3B7KDDJ7YS9S3YH9R44IOGSDRKB3B7KDDJ7YS9S3YH9R44IOGSDRKB3B7KDDJ7YS9S3YH9R44IOGSDRKB3B7KD

C:\Users\user\AppData\Local\fricandeaus\ramack.exe

Download File

Process:	C:\Users\user\Desktop\wubZB5Ar1r.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1297603
Entropy (8bit):	7.504656526433487
Encrypted:	false
SSDEEP:	24576:uRmJkcoQricOIQxiZY1iaCwz6OTaadvm5O/xWVAJWh:7JZoQrbTFZY1iaCw2Ya3SgOy
MD5:	34C1E2DEBC02EAE2F3E460241F2B2805
SHA1:	6F7DAA7605B7F38AA6BBDAB61C7B36C4896AA83B
SHA-256:	F2E35B7328C84A7C6719D237B43DCE5D5F0268EA1BB4CB6F661393C5FF1F9F5D
SHA-512:	4AAD67A364C7E8128021E8B168D0EE01809DE2D3B2480E4B47CCBEB26555ED7BBD72AADF90BAF9AC640D63D329F740B451606F75FD5C3F5288CE8B29262B2798
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................1b.....P.)....Q.....y.....i.......}...N......d.....`.....m.....g....Rich............PE..L....%O..........#..................e....... ....@..........................P................@.......@.........................T.......(............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.data...X........h..................@....rsrc...(............T..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ramack.vbs

Download File

Process:	C:\Users\user\AppData\Local\fricandeaus\ramack.exe
File Type:	data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.428479355667015
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclzXUEZ+lX17eAlDiXeXlm6nriIM8lfQVn:DsO+vNlDQ1SAhMeXlm4mA2n
MD5:	9C5705202F30E2F2D66B9EBE1260AE92
SHA1:	907E48D4420385E9EE8525B17B5C94B0951371B7
SHA-256:	1006FD4EFC11316DC20ECB501003864DFA3ED3D8B5CB98778B4C7569EEA29FDD
SHA-512:	AF4D4573C66AFFA06733E0787A5E23057A838148D2DD4DB518FF1F57A75EAE2060933BAC7D9E2008ECA08518EE024285318640C1DD682A807AE256BF6F30DB07
Malicious:	true
Reputation:	low
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.f.r.i.c.a.n.d.e.a.u.s.\.r.a.m.a.c.k...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.504656526433487
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	wubZB5Ar1r.exe
File size:	1'297'603 bytes
MD5:	34c1e2debc02eae2f3e460241f2b2805
SHA1:	6f7daa7605b7f38aa6bbdab61c7b36c4896aa83b
SHA256:	f2e35b7328c84a7c6719d237b43dce5d5f0268ea1bb4cb6f661393c5ff1f9f5d
SHA512:	4aad67a364c7e8128021e8b168d0ee01809de2d3b2480e4b47ccbeb26555ed7bbd72aadf90baf9ac640d63d329f740b451606f75fd5c3f5288ce8b29262b2798
SSDEEP:	24576:uRmJkcoQricOIQxiZY1iaCwz6OTaadvm5O/xWVAJWh:7JZoQrbTFZY1iaCw2Ya3SgOy
TLSH:	1255F121B9C69036C1F323B19E7EF7AA963D79360336D19727C42E325E605416B2A733
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..

File Icon


Icon Hash:	1733312925935517

Static PE Info

General

Entrypoint:	0x4165c1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	d3bf8a7746a8d1ee8f6e5960c3f69378

Entrypoint Preview

Instruction
call 00007FD4207090DBh
jmp 00007FD4206FFF4Eh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FD4207000CAh
cmp edi, eax
jc 00007FD420700266h
cmp ecx, 00000080h
jc 00007FD4207000DEh
cmp dword ptr [004A9724h], 00000000h
je 00007FD4207000D5h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007FD4207000C7h
jmp 00007FD4207004A2h
test edi, 00000003h
jne 00007FD4207000D6h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007FD4207000EBh
rep movsd
jmp dword ptr [00416740h+edx*4]
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007FD4207000CEh
and eax, 03h
add ecx, eax
jmp dword ptr [00416654h+eax*4]
jmp dword ptr [00416750h+ecx*4]
nop
jmp dword ptr [004166D4h+ecx*4]
nop
inc cx
add byte ptr [eax-4BFFBE9Ah], dl
inc cx
add byte ptr [ebx], ah
ror dword ptr [edx-75F877FAh], 1
inc esi
add dword ptr [eax+468A0147h], ecx
add al, cl
jmp 00007FD422B788C7h
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007FD42070008Eh
rep movsd
jmp dword ptr [00000000h+edx*4]

Rich Headers

Programming Language:

[ C ] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8d41c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x9328	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x82000	0x844	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8061c	0x80800	61ffce4768976fa0dd2a8f6a97b1417a	False	0.5583182605787937	data	6.684690148171278	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xdfc0	0xe000	0354bc5f2376b5e9a4a3ba38b682dff1	False	0.36085728236607145	data	4.799741132252136	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1a758	0x6800	8033f5a38941b4685bc2299e78f31221	False	0.15324519230769232	data	2.1500715391677487	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x9328	0x9400	495451d7eb8326bd9fa2714869ea6de8	False	0.49002322635135137	data	5.541804843154628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab5c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xab6f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xab818	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xab940	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	Great Britain	0.48109756097560974
RT_ICON	0xabfa8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	Great Britain	0.5672043010752689
RT_ICON	0xac290	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	Great Britain	0.6418918918918919
RT_ICON	0xac3b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	Great Britain	0.7044243070362474
RT_ICON	0xad260	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	Great Britain	0.8077617328519856
RT_ICON	0xadb08	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	Great Britain	0.5903179190751445
RT_ICON	0xae070	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.5503112033195021
RT_ICON	0xb0618	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.6050656660412758
RT_ICON	0xb16c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.7553191489361702
RT_MENU	0xb1b28	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xb1b78	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xb1c78	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xb21a8	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xb2838	0x4d0	data	English	Great Britain	0.36363636363636365
RT_STRING	0xb2d08	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xb3308	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xb3968	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xb3cf0	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xb3e48	0x84	data	English	Great Britain	0.6439393939393939
RT_GROUP_ICON	0xb3ed0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xb3ee8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xb3f00	0x14	data	English	Great Britain	1.25
RT_VERSION	0xb3f18	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xb40b8	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll	HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll	GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll	DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll	VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit

Version Infos

Description	Data
FileDescription
FileVersion	3, 3, 8, 1
CompiledScript	AutoIt v3 Script: 3, 3, 8, 1
Translation	0x0809 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 15:54:17.907778025 CET	49687	443	192.168.2.6	104.26.12.205
Mar 7, 2025 15:54:17.907830954 CET	443	49687	104.26.12.205	192.168.2.6
Mar 7, 2025 15:54:17.907960892 CET	49687	443	192.168.2.6	104.26.12.205
Mar 7, 2025 15:54:17.922965050 CET	49687	443	192.168.2.6	104.26.12.205
Mar 7, 2025 15:54:17.922985077 CET	443	49687	104.26.12.205	192.168.2.6
Mar 7, 2025 15:54:19.695020914 CET	443	49687	104.26.12.205	192.168.2.6
Mar 7, 2025 15:54:19.695120096 CET	49687	443	192.168.2.6	104.26.12.205
Mar 7, 2025 15:54:19.699606895 CET	49687	443	192.168.2.6	104.26.12.205
Mar 7, 2025 15:54:19.699619055 CET	443	49687	104.26.12.205	192.168.2.6
Mar 7, 2025 15:54:19.699867010 CET	443	49687	104.26.12.205	192.168.2.6
Mar 7, 2025 15:54:19.752301931 CET	49687	443	192.168.2.6	104.26.12.205
Mar 7, 2025 15:54:19.760174036 CET	49687	443	192.168.2.6	104.26.12.205
Mar 7, 2025 15:54:19.804326057 CET	443	49687	104.26.12.205	192.168.2.6
Mar 7, 2025 15:54:20.167516947 CET	443	49687	104.26.12.205	192.168.2.6
Mar 7, 2025 15:54:20.221064091 CET	49687	443	192.168.2.6	104.26.12.205
Mar 7, 2025 15:54:20.221088886 CET	443	49687	104.26.12.205	192.168.2.6
Mar 7, 2025 15:54:20.227241039 CET	49687	443	192.168.2.6	104.26.12.205
Mar 7, 2025 15:54:20.227467060 CET	443	49687	104.26.12.205	192.168.2.6
Mar 7, 2025 15:54:20.227600098 CET	49687	443	192.168.2.6	104.26.12.205
Mar 7, 2025 15:54:20.766630888 CET	49688	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:20.771775007 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:20.771872044 CET	49688	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:21.706218004 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:21.724371910 CET	49688	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:21.729492903 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:21.888714075 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:21.893033981 CET	49688	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:21.898833036 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:22.056427002 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:22.081291914 CET	49688	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:22.086376905 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:22.247339010 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:22.247359037 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:22.247383118 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:22.247402906 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:22.247419119 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:22.247436047 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:22.247483015 CET	49688	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:22.247551918 CET	49688	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:22.247551918 CET	49688	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:22.608323097 CET	49688	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:22.613399029 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:22.774033070 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:22.781523943 CET	49688	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:22.786664009 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:22.945784092 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:22.947494030 CET	49688	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:22.952629089 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:23.113837957 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:23.122169018 CET	49688	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:23.127262115 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:23.289340019 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:23.289695024 CET	49688	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:23.295176983 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:23.456149101 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:23.456573009 CET	49688	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:23.461700916 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:23.624777079 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:23.639945984 CET	49688	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:23.645572901 CET	587	49688	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:23.645750046 CET	49688	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:31.292134047 CET	49689	443	192.168.2.6	104.26.12.205
Mar 7, 2025 15:54:31.292191982 CET	443	49689	104.26.12.205	192.168.2.6
Mar 7, 2025 15:54:31.292587996 CET	49689	443	192.168.2.6	104.26.12.205
Mar 7, 2025 15:54:31.295644045 CET	49689	443	192.168.2.6	104.26.12.205
Mar 7, 2025 15:54:31.295697927 CET	443	49689	104.26.12.205	192.168.2.6
Mar 7, 2025 15:54:32.876799107 CET	443	49689	104.26.12.205	192.168.2.6
Mar 7, 2025 15:54:32.876890898 CET	49689	443	192.168.2.6	104.26.12.205
Mar 7, 2025 15:54:32.879551888 CET	49689	443	192.168.2.6	104.26.12.205
Mar 7, 2025 15:54:32.879559040 CET	443	49689	104.26.12.205	192.168.2.6
Mar 7, 2025 15:54:32.879792929 CET	443	49689	104.26.12.205	192.168.2.6
Mar 7, 2025 15:54:32.924216032 CET	49689	443	192.168.2.6	104.26.12.205
Mar 7, 2025 15:54:33.420473099 CET	49689	443	192.168.2.6	104.26.12.205
Mar 7, 2025 15:54:33.468322039 CET	443	49689	104.26.12.205	192.168.2.6
Mar 7, 2025 15:54:33.840739965 CET	443	49689	104.26.12.205	192.168.2.6
Mar 7, 2025 15:54:33.855216026 CET	443	49689	104.26.12.205	192.168.2.6
Mar 7, 2025 15:54:33.855361938 CET	49689	443	192.168.2.6	104.26.12.205
Mar 7, 2025 15:54:33.885169029 CET	49689	443	192.168.2.6	104.26.12.205
Mar 7, 2025 15:54:34.423985958 CET	49690	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:34.429542065 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:34.429707050 CET	49690	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:35.225286961 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:35.226067066 CET	49690	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:35.231091022 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:35.392853975 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:35.393091917 CET	49690	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:35.398072958 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:35.559665918 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:35.560314894 CET	49690	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:35.565371037 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:35.728461027 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:35.728482008 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:35.728492975 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:35.728564978 CET	49690	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:35.728626966 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:35.728638887 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:35.728651047 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:35.728672981 CET	49690	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:35.728693962 CET	49690	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:35.730618000 CET	49690	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:35.735640049 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:35.897419930 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:35.902256012 CET	49690	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:35.907358885 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:36.069612980 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:36.070048094 CET	49690	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:36.075175047 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:36.243545055 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:36.265135050 CET	49690	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:36.270266056 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:36.433954000 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:36.438961983 CET	49690	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:36.444206953 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:36.607825041 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:36.617455959 CET	49690	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:36.622574091 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:36.795774937 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:36.846095085 CET	49690	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:36.893773079 CET	49690	587	192.168.2.6	198.54.122.135
Mar 7, 2025 15:54:36.899177074 CET	587	49690	198.54.122.135	192.168.2.6
Mar 7, 2025 15:54:36.899322987 CET	49690	587	192.168.2.6	198.54.122.135

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 15:54:17.893616915 CET	63773	53	192.168.2.6	1.1.1.1
Mar 7, 2025 15:54:17.900638103 CET	53	63773	1.1.1.1	192.168.2.6
Mar 7, 2025 15:54:20.756736994 CET	50209	53	192.168.2.6	1.1.1.1
Mar 7, 2025 15:54:20.765841007 CET	53	50209	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 7, 2025 15:54:17.893616915 CET	192.168.2.6	1.1.1.1	0x9e86	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Mar 7, 2025 15:54:20.756736994 CET	192.168.2.6	1.1.1.1	0x2a3f	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 7, 2025 15:54:17.900638103 CET	1.1.1.1	192.168.2.6	0x9e86	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Mar 7, 2025 15:54:17.900638103 CET	1.1.1.1	192.168.2.6	0x9e86	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Mar 7, 2025 15:54:17.900638103 CET	1.1.1.1	192.168.2.6	0x9e86	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Mar 7, 2025 15:54:20.765841007 CET	1.1.1.1	192.168.2.6	0x2a3f	No error (0)	mail.privateemail.com	198.54.122.135	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49687	104.26.12.205	443	6880	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 14:54:19 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-03-07 14:54:20 UTC	426	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 14:54:19 GMT Content-Type: text/plain Content-Length: 13 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 91caed6ebfde3b94-BOS server-timing: cfL4;desc="?proto=TCP&rtt=21106&min_rtt=18293&rtt_var=10022&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=95571&cwnd=245&unsent_bytes=0&cid=fea8c6b9a7d34e24&ts=619&x=0"
2025-03-07 14:54:20 UTC	13	IN	Data Raw: 39 38 2e 32 32 39 2e 38 35 2e 31 31 36 Data Ascii: 98.229.85.116

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49689	104.26.12.205	443	1948	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 14:54:33 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-03-07 14:54:33 UTC	426	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 14:54:33 GMT Content-Type: text/plain Content-Length: 13 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 91caedc42e054cc9-BOS server-timing: cfL4;desc="?proto=TCP&rtt=17622&min_rtt=16115&rtt_var=7120&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=179708&cwnd=232&unsent_bytes=0&cid=bedc28622c0fc5cf&ts=954&x=0"
2025-03-07 14:54:33 UTC	13	IN	Data Raw: 39 38 2e 32 32 39 2e 38 35 2e 31 31 36 Data Ascii: 98.229.85.116

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Mar 7, 2025 15:54:21.706218004 CET	587	49688	198.54.122.135	192.168.2.6	220 PrivateEmail.com prod Mail Node
Mar 7, 2025 15:54:21.724371910 CET	49688	587	192.168.2.6	198.54.122.135	EHLO 760639
Mar 7, 2025 15:54:21.888714075 CET	587	49688	198.54.122.135	192.168.2.6	250-mta-06.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Mar 7, 2025 15:54:21.893033981 CET	49688	587	192.168.2.6	198.54.122.135	STARTTLS
Mar 7, 2025 15:54:22.056427002 CET	587	49688	198.54.122.135	192.168.2.6	220 Ready to start TLS
Mar 7, 2025 15:54:35.225286961 CET	587	49690	198.54.122.135	192.168.2.6	220 PrivateEmail.com prod Mail Node
Mar 7, 2025 15:54:35.226067066 CET	49690	587	192.168.2.6	198.54.122.135	EHLO 760639
Mar 7, 2025 15:54:35.392853975 CET	587	49690	198.54.122.135	192.168.2.6	250-mta-06.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Mar 7, 2025 15:54:35.393091917 CET	49690	587	192.168.2.6	198.54.122.135	STARTTLS
Mar 7, 2025 15:54:35.559665918 CET	587	49690	198.54.122.135	192.168.2.6	220 Ready to start TLS

Target ID:	0
Start time:	09:54:08
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\wubZB5Ar1r.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wubZB5Ar1r.exe"
Imagebase:	0x400000
File size:	1'297'603 bytes
MD5 hash:	34C1E2DEBC02EAE2F3E460241F2B2805
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:54:09
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Local\fricandeaus\ramack.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wubZB5Ar1r.exe"
Imagebase:	0x400000
File size:	1'297'603 bytes
MD5 hash:	34C1E2DEBC02EAE2F3E460241F2B2805
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000008.00000002.1321166995.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:54:13
Start date:	07/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\wubZB5Ar1r.exe"
Imagebase:	0x3a0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:54:13
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Local\fricandeaus\ramack.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\fricandeaus\ramack.exe"
Imagebase:	0x400000
File size:	1'297'603 bytes
MD5 hash:	34C1E2DEBC02EAE2F3E460241F2B2805
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000A.00000002.1352723477.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:54:15
Start date:	07/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\fricandeaus\ramack.exe"
Imagebase:	0xda0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1488412383.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1488412383.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.1488412383.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1491469820.0000000004381000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1491469820.0000000004381000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.1491469820.0000000004381000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000B.00000002.1485213074.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 0000000B.00000002.1491818259.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1489092598.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1489092598.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1493682070.0000000005990000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1493682070.0000000005990000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.1493682070.0000000005990000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 0000000B.00000002.1493682070.0000000005990000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1489092598.00000000033FF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:54:26
Start date:	07/03/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ramack.vbs"
Imagebase:	0x7ff65d290000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:54:26
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Local\fricandeaus\ramack.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\fricandeaus\ramack.exe"
Imagebase:	0x400000
File size:	1'297'603 bytes
MD5 hash:	34C1E2DEBC02EAE2F3E460241F2B2805
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000D.00000002.1486295539.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:54:29
Start date:	07/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\fricandeaus\ramack.exe"
Imagebase:	0xe00000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2519362195.0000000003294000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2519362195.0000000003294000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2519362195.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wubZB5Ar1r.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Charley

C:\Users\user\AppData\Local\fricandeaus\ramack.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ramack.vbs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
wubZB5Ar1r.exe