MalScore
100/100
MalFamily
Click3

RavSasser.exe

Is DLL Packer Anti Debug Anti VM Signed XOR
File details Download PDF Report
File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
File size: 85.01 KB (87052 bytes)
Compile time: 2004-05-18 11:51:13
MD5: 59bbe06a86192dd19204421226ef2fa5
SHA1: b53081065885b5a4d65b0f786f9f0eccc7f0854a
SHA256: 709754cd917f5630403d38ecca1f85c9a15ef38529b36b5f0e71131de394a2c9
Import hash: b9ab38f37ad54f1eb5e27e9b6daa9fac
Sections 3 UPX0 UPX1 .rsrc
Directories 2 import resource
First submission: 2022-03-02 11:42:08
Last submission: 2022-03-02 11:42:08
Filename detected: - RavSasser.exe (1)
URL file hosting
hXXp://download.rising.com.cn/zsgj/RavSasser.exeVirusTotal
Antivirus Report
Report Date Detection Ratio Permalink Update
No report available
PE Sections 2 suspicious
Name VAddress VSize Size MD5 SHA1
UPX0 0x1000 0x1f000 0 d41d8cd98f00b204e9800998ecf8427e da39a3ee5e6b4b0d3255bfef95601890afd80709
UPX1 0x20000 0xf000 59904 fa0b718c94a3316c5015262c113849cc 44839e34722906acd240f4ad665cb9a3a4c63f42
.rsrc 0x2f000 0x7000 26112 33fb5a234e339a758d501ab944b3977d 41468c1929704d436c6d8011342607d10a281646
Meta Info
No Meta found in this file
XOR
No XOR informations found in this file.
Signature
This file isn't digitally signed
Packer(s)
UPX v0.80 - v0.84
UPX 2.90 (LZMA)
UPX -> www.upx.sourceforge.net
File found
FIle type: Library
ADVAPI32.dll
SHELL32.dll
KERNEL32.dll
USER32.dll
GDI32.dll
comctl32.dll
IP Found
No IP detected
URL(s)
No URL found
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven01b_64 Seven01b_64 VirtualBox 2022-03-02 11:16:14 2022-03-02 11:19:13 179

8 Behaviors detected by system signatures

Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven01b_64 Seven01b_64 VirtualBox 2022-03-02 11:16:14 2022-03-02 11:19:13 179

6 Summary items with data

Files

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\SysWOW64\it-IT\USER32.dll.mui
C:\Users\Seven01\AppData\Local\Temp\RavSasser.exe
C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\SysWOW64\it-IT\MSCTF.dll.mui

Read Files

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\SysWOW64\it-IT\USER32.dll.mui
C:\Users\Seven01\AppData\Local\Temp\RavSasser.exe
C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\SysWOW64\it-IT\MSCTF.dll.mui

Write Files

Nothing to display

Delete Files

Nothing to display

Keys

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CMF\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\RavSasser.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\MS-4011 Memory Patch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16

Read Keys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\MS-4011 Memory Patch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16

Write Keys

Nothing to display

Delete Keys

Nothing to display

Mutexes

Local\MSCTF.Asm.MutexDefault1

Resolved APIs

kernel32.dll.LocalFree
kernel32.dll.LocalAlloc
kernel32.dll.Sleep
kernel32.dll.GetLastError
kernel32.dll.GetEnvironmentVariableA
kernel32.dll.SetFilePointer
kernel32.dll.WriteFile
kernel32.dll.ReadFile
kernel32.dll.SetEndOfFile
kernel32.dll.SetFileAttributesA
kernel32.dll.GetFileSize
kernel32.dll.FindClose
kernel32.dll.FindNextFileA
kernel32.dll.FindFirstFileA
kernel32.dll.GetTempPathA
kernel32.dll.GetWindowsDirectoryA
kernel32.dll.DeleteFileA
kernel32.dll.VirtualAllocEx
kernel32.dll.SetThreadPriority
kernel32.dll.SetPriorityClass
kernel32.dll.GetCurrentThread
kernel32.dll.GetCurrentProcess
kernel32.dll.CreateFileW
kernel32.dll.FindFirstFileW
kernel32.dll.MultiByteToWideChar
kernel32.dll.GetShortPathNameA
kernel32.dll.SetFileAttributesW
kernel32.dll.GetVersionExA
kernel32.dll.HeapFree
kernel32.dll.HeapAlloc
kernel32.dll.GetDiskFreeSpaceA
kernel32.dll.lstrcatA
kernel32.dll.GetCommandLineA
kernel32.dll.ExitProcess
kernel32.dll.GetSystemDefaultLangID
kernel32.dll.TerminateThread
kernel32.dll.VirtualProtectEx
kernel32.dll.WriteProcessMemory
kernel32.dll.TerminateProcess
kernel32.dll.GetModuleFileNameA
kernel32.dll.SetCurrentDirectoryA
kernel32.dll.CreateFileA
kernel32.dll.FreeLibrary
kernel32.dll.GetVersion
kernel32.dll.FlushFileBuffers
kernel32.dll.CompareStringA
kernel32.dll.GetSystemDirectoryA
kernel32.dll.LoadLibraryA
kernel32.dll.GetProcAddress
kernel32.dll.CloseHandle
kernel32.dll.OpenProcess
kernel32.dll.ReadProcessMemory
kernel32.dll.GetLogicalDriveStringsA
kernel32.dll.GetDriveTypeA
kernel32.dll.CreateThread
kernel32.dll.GetModuleHandleA
kernel32.dll.lstrlenA
kernel32.dll.WaitForSingleObject
kernel32.dll.DeleteFileW
kernel32.dll.GetCurrentDirectoryA
kernel32.dll.GetFullPathNameA
kernel32.dll.GetStringTypeW
kernel32.dll.GetStringTypeA
kernel32.dll.GetTimeZoneInformation
kernel32.dll.IsBadCodePtr
kernel32.dll.IsBadReadPtr
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.GetEnvironmentStrings
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.FreeEnvironmentStringsA
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.IsBadWritePtr
kernel32.dll.HeapReAlloc
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualFree
kernel32.dll.HeapCreate
kernel32.dll.HeapDestroy
kernel32.dll.LCMapStringW
kernel32.dll.LCMapStringA
kernel32.dll.WideCharToMultiByte
kernel32.dll.SetStdHandle
kernel32.dll.GetStdHandle
kernel32.dll.SetHandleCount
kernel32.dll.GetOEMCP
kernel32.dll.GetACP
kernel32.dll.GetCPInfo
kernel32.dll.GetStartupInfoA
kernel32.dll.GetFileType
kernel32.dll.CompareStringW
kernel32.dll.SetEnvironmentVariableA
kernel32.dll.FileTimeToSystemTime
kernel32.dll.FileTimeToLocalFileTime
kernel32.dll.RtlUnwind
advapi32.dll.RegCloseKey
advapi32.dll.CloseServiceHandle
advapi32.dll.QueryServiceConfigA
advapi32.dll.OpenServiceA
advapi32.dll.OpenSCManagerA
advapi32.dll.DeleteService
advapi32.dll.ControlService
advapi32.dll.QueryServiceStatus
advapi32.dll.EnumServicesStatusA
advapi32.dll.RegQueryValueExA
advapi32.dll.RegOpenKeyA
advapi32.dll.RegDeleteValueA
advapi32.dll.RegOpenKeyExA
advapi32.dll.RegSetValueExA
advapi32.dll.RegEnumValueA
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.LookupPrivilegeValueA
advapi32.dll.OpenProcessToken
advapi32.dll.RegCreateKeyA
comctl32.dll.#17
gdi32.dll.SetBkMode
gdi32.dll.SelectObject
gdi32.dll.DeleteObject
gdi32.dll.GetStockObject
gdi32.dll.GetObjectA
gdi32.dll.CreateFontIndirectA
gdi32.dll.SetTextColor
shell32.dll.ShellExecuteA
user32.dll.SendMessageA
user32.dll.SetWindowTextA
user32.dll.GetParent
user32.dll.MessageBoxA
user32.dll.DestroyWindow
user32.dll.DialogBoxParamA
user32.dll.SetWindowPos
user32.dll.CreateWindowExA
user32.dll.EndDialog
user32.dll.EnableWindow
user32.dll.EnableMenuItem
user32.dll.GetSystemMenu
user32.dll.GetWindowLongA
user32.dll.SetDlgItemTextA
user32.dll.SetWindowLongA
user32.dll.LoadIconA
user32.dll.GetSysColorBrush
user32.dll.GetDlgCtrlID
user32.dll.WindowFromPoint
user32.dll.CallWindowProcA
user32.dll.InvalidateRect
user32.dll.SetTimer
user32.dll.PtInRect
user32.dll.GetClientRect
user32.dll.ScreenToClient
user32.dll.GetCursorPos
user32.dll.KillTimer
user32.dll.LoadCursorA
user32.dll.SetCursor
user32.dll.SendDlgItemMessageA
user32.dll.SetFocus
user32.dll.GetDlgItem
comctl32.dll.RegisterClassNameW
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
uxtheme.dll.ThemeInitApiHook
user32.dll.IsProcessDPIAware
dwmapi.dll.DwmIsCompositionEnabled
user32.dll.NotifyWinEvent
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegQueryValueExW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegEnumKeyExW
gdi32.dll.GdiIsMetaPrintDC
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
cryptbase.dll.SystemFunction036
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.Process32First
kernel32.dll.Process32Next
kernel32.dll.Module32First
kernel32.dll.Module32Next
kernel32.dll.Thread32First
kernel32.dll.Thread32Next
psapi.dll.EnumProcessModules
psapi.dll.EnumProcesses
psapi.dll.GetModuleFileNameExA
psapi.dll.GetModuleInformation
ntdll.dll.NtQuerySystemInformation
gdi32.dll.GetTextExtentExPointWPri
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString

Execute Commands

Nothing to display

Started Services

Nothing to display

Created Services

Nothing to display

#infosec #automation

TheSystem Itself @ 2022-03-02 11:42:10

Detected family: #Click3

TheSystem Itself @ 2022-03-02 11:48:02