MalScore

100/100

MalFamily

Ymacco

ravmimail.exe

Is DLL Packer Anti Debug Anti VM Signed XOR Related 2

File details Download PDF Report
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
File size:	83.51 KB (85516 bytes)
Compile time:	2004-02-03 07:47:24
MD5:	770a0e86d4aaf01b05cc5ad5f65be323
SHA1:	e2502cf0bdf5274f6a38e72503490fdf4603ec8b
SHA256:	452d11af13fc17cfeac79c65d1fa0745b7ccde4f5470080c7fc5aae3b91d3471
Import hash:	15492b7407f6f66c8070b94da8f49dc5
Sections 3	UPX0 UPX1 .rsrc
Directories 2	import resource
First submission:	2022-03-02 11:33:09
Last submission:	2022-03-02 11:33:09
Filename detected:	- ravmimail.exe (1)

URL file hosting
hXXp://download.rising.com.cn/zsgj/ravmimail.exe

Antivirus Report
Report Date	Detection Ratio	Permalink	Update
No report available

PE Sections 2 suspicious
Name	VAddress	VSize	Size	MD5	SHA1
UPX0	0x1000	0x1f000	0	d41d8cd98f00b204e9800998ecf8427e	da39a3ee5e6b4b0d3255bfef95601890afd80709
UPX1	0x20000	0xf000	58368	e5d29a9520d5ec8c684b3f70e3736cde	41d94dc421c268b893c13ef50b2e198877e273cf
.rsrc	0x2f000	0x7000	26112	59692f2fc62ca0bf9ce520b50ed63a80	698aa6441761f1530d56d587bb14a4ddddb81a5e

Meta Info
No Meta found in this file

XOR
No XOR informations found in this file.

Signature
This file isn't digitally signed

Packer(s)
UPX v0.80 - v0.84
UPX 2.90 (LZMA)
UPX -> www.upx.sourceforge.net

File found
FIle type: Library
ADVAPI32.dll
SHELL32.dll
KERNEL32.dll
USER32.dll
comctl32.dll
GDI32.dll

IP Found
No IP detected

URL(s)
No URL found

Behavior analysis details
Machine name	Machine label	Machine manager	Started	Ended	Duration
Seven06_64	Seven06_64	VirtualBox	2022-03-02 11:23:30	2022-03-02 11:26:31	181

8 Behaviors detected by system signatures

Dynamic (imported) function loading detected Severity: Medium Confidence: Very High

DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/SetFileAttributesA
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/SetThreadPriority
DynamicLoader: kernel32.dll/SetPriorityClass
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/GetEnvironmentVariableA
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetDiskFreeSpaceA
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetSystemDefaultLangID
DynamicLoader: kernel32.dll/GetSystemDirectoryA
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/ReadProcessMemory
DynamicLoader: kernel32.dll/GetLogicalDriveStringsA
DynamicLoader: kernel32.dll/SetCurrentDirectoryA
DynamicLoader: kernel32.dll/GetDriveTypeA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/DeleteFileA
DynamicLoader: kernel32.dll/CompareStringA
DynamicLoader: kernel32.dll/GetCurrentDirectoryA
DynamicLoader: kernel32.dll/SetEnvironmentVariableA
DynamicLoader: kernel32.dll/GetStringTypeW
DynamicLoader: kernel32.dll/GetStringTypeA
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/IsBadCodePtr
DynamicLoader: kernel32.dll/IsBadReadPtr
DynamicLoader: kernel32.dll/GetTimeZoneInformation
DynamicLoader: kernel32.dll/IsBadWritePtr
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/SetUnhandledExceptionFilter
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/GetEnvironmentStringsW
DynamicLoader: kernel32.dll/GetEnvironmentStrings
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/FreeEnvironmentStringsA
DynamicLoader: kernel32.dll/UnhandledExceptionFilter
DynamicLoader: kernel32.dll/FreeEnvironmentStringsW
DynamicLoader: kernel32.dll/LCMapStringA
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/LCMapStringW
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/SetHandleCount
DynamicLoader: kernel32.dll/SetStdHandle
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/GetCPInfo
DynamicLoader: kernel32.dll/GetOEMCP
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/GetCommandLineA
DynamicLoader: kernel32.dll/RtlUnwind
DynamicLoader: kernel32.dll/GetFullPathNameA
DynamicLoader: kernel32.dll/FileTimeToSystemTime
DynamicLoader: kernel32.dll/CompareStringW
DynamicLoader: kernel32.dll/FileTimeToLocalFileTime
DynamicLoader: ADVAPI32.dll/RegEnumValueA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegDeleteValueA
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueA
DynamicLoader: ADVAPI32.dll/RegOpenKeyA
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: COMCTL32.dll/
DynamicLoader: GDI32.dll/SetTextColor
DynamicLoader: GDI32.dll/DeleteObject
DynamicLoader: GDI32.dll/CreateFontIndirectA
DynamicLoader: GDI32.dll/SelectObject
DynamicLoader: GDI32.dll/GetObjectA
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: GDI32.dll/SetBkMode
DynamicLoader: SHELL32.dll/ShellExecuteA
DynamicLoader: USER32.dll/SetWindowTextA
DynamicLoader: USER32.dll/SendMessageA
DynamicLoader: USER32.dll/GetParent
DynamicLoader: USER32.dll/MessageBoxA
DynamicLoader: USER32.dll/SetWindowPos
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: USER32.dll/DialogBoxParamA
DynamicLoader: USER32.dll/SetFocus
DynamicLoader: USER32.dll/CreateWindowExA
DynamicLoader: USER32.dll/SendDlgItemMessageA
DynamicLoader: USER32.dll/GetSystemMenu
DynamicLoader: USER32.dll/GetDlgItem
DynamicLoader: USER32.dll/EnableMenuItem
DynamicLoader: USER32.dll/SetWindowLongA
DynamicLoader: USER32.dll/GetWindowLongA
DynamicLoader: USER32.dll/SetDlgItemTextA
DynamicLoader: USER32.dll/LoadCursorA
DynamicLoader: USER32.dll/LoadIconA
DynamicLoader: USER32.dll/GetCursorPos
DynamicLoader: USER32.dll/SetCursor
DynamicLoader: USER32.dll/KillTimer
DynamicLoader: USER32.dll/PtInRect
DynamicLoader: USER32.dll/ScreenToClient
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/CallWindowProcA
DynamicLoader: USER32.dll/SetTimer
DynamicLoader: USER32.dll/InvalidateRect
DynamicLoader: USER32.dll/GetSysColorBrush
DynamicLoader: USER32.dll/WindowFromPoint
DynamicLoader: USER32.dll/GetDlgCtrlID
DynamicLoader: USER32.dll/EndDialog
DynamicLoader: USER32.dll/EnableWindow
DynamicLoader: COMCTL32.dll/RegisterClassNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: uxtheme.dll/ThemeInitApiHook
DynamicLoader: USER32.dll/IsProcessDPIAware
DynamicLoader: dwmapi.dll/DwmIsCompositionEnabled
DynamicLoader: COMCTL32.dll/RegisterClassNameW
DynamicLoader: COMCTL32.dll/RegisterClassNameW
DynamicLoader: COMCTL32.dll/RegisterClassNameW
DynamicLoader: USER32.dll/NotifyWinEvent
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: GDI32.dll/GetTextExtentExPointWPri

Reads data out of its own binary image Severity: Medium Confidence: Low

self_read: process: ravmimail.exe, pid: 2200, offset: 0x00000000, length: 0x00014e0c

Network activity detected but not expressed in API logs Severity: Medium Confidence: Very High

Unconventionial binary language: Chinese (Simplified) Severity: Medium Confidence: Very High

Unconventionial language used in binary resources: Chinese (Simplified) Severity: Medium Confidence: Very High

The binary likely contains encrypted or compressed data. Severity: Medium Confidence: Very High

section: name: UPX1, entropy: 7.92, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0000e400, virtual_size: 0x0000f000

The executable is compressed using UPX Severity: Medium Confidence: Very High

section: name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x0001f000

SetUnhandledExceptionFilter detected (possible anti-debug) Severity: Low Confidence: Very High

Behavior analysis details
Machine name	Machine label	Machine manager	Started	Ended	Duration
Seven06_64	Seven06_64	VirtualBox	2022-03-02 11:23:30	2022-03-02 11:26:31	181

6 Summary items with data

Files

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\SysWOW64\it-IT\USER32.dll.mui
C:\Users\Seven01\AppData\Local\Temp\ravmimail.exe
C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\SysWOW64\it-IT\MSCTF.dll.mui

Read Files

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\SysWOW64\it-IT\USER32.dll.mui
C:\Users\Seven01\AppData\Local\Temp\ravmimail.exe
C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\SysWOW64\it-IT\MSCTF.dll.mui

Write Files

Nothing to display

Delete Files

Nothing to display

Keys

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CMF\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\ravmimail.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16

Read Keys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16

Write Keys

Nothing to display

Delete Keys

Nothing to display

Mutexes

Local\MSCTF.Asm.MutexDefault1

Resolved APIs

kernel32.dll.TerminateThread
kernel32.dll.WaitForSingleObject
kernel32.dll.WriteProcessMemory
kernel32.dll.TerminateProcess
kernel32.dll.CreateThread
kernel32.dll.GetModuleHandleA
kernel32.dll.GetLastError
kernel32.dll.GetModuleFileNameA
kernel32.dll.SetEndOfFile
kernel32.dll.SetFileAttributesA
kernel32.dll.GetFileSize
kernel32.dll.FindClose
kernel32.dll.FindNextFileA
kernel32.dll.FindFirstFileA
kernel32.dll.SetFilePointer
kernel32.dll.ReadFile
kernel32.dll.WriteFile
kernel32.dll.FreeLibrary
kernel32.dll.SetThreadPriority
kernel32.dll.SetPriorityClass
kernel32.dll.GetCurrentThread
kernel32.dll.GetCurrentProcess
kernel32.dll.CreateFileW
kernel32.dll.FindFirstFileW
kernel32.dll.MultiByteToWideChar
kernel32.dll.lstrlenA
kernel32.dll.DeleteFileW
kernel32.dll.SetFileAttributesW
kernel32.dll.GetVersionExA
kernel32.dll.GetEnvironmentVariableA
kernel32.dll.HeapFree
kernel32.dll.HeapAlloc
kernel32.dll.GetDiskFreeSpaceA
kernel32.dll.ExitProcess
kernel32.dll.GetSystemDefaultLangID
kernel32.dll.GetSystemDirectoryA
kernel32.dll.LoadLibraryA
kernel32.dll.GetProcAddress
kernel32.dll.CloseHandle
kernel32.dll.OpenProcess
kernel32.dll.ReadProcessMemory
kernel32.dll.GetLogicalDriveStringsA
kernel32.dll.SetCurrentDirectoryA
kernel32.dll.GetDriveTypeA
kernel32.dll.CreateFileA
kernel32.dll.GetVersion
kernel32.dll.Sleep
kernel32.dll.DeleteFileA
kernel32.dll.CompareStringA
kernel32.dll.GetCurrentDirectoryA
kernel32.dll.SetEnvironmentVariableA
kernel32.dll.GetStringTypeW
kernel32.dll.GetStringTypeA
kernel32.dll.FlushFileBuffers
kernel32.dll.IsBadCodePtr
kernel32.dll.IsBadReadPtr
kernel32.dll.GetTimeZoneInformation
kernel32.dll.IsBadWritePtr
kernel32.dll.HeapReAlloc
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.VirtualFree
kernel32.dll.HeapCreate
kernel32.dll.VirtualAlloc
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.GetEnvironmentStrings
kernel32.dll.HeapDestroy
kernel32.dll.FreeEnvironmentStringsA
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.LCMapStringA
kernel32.dll.WideCharToMultiByte
kernel32.dll.LCMapStringW
kernel32.dll.GetStdHandle
kernel32.dll.SetHandleCount
kernel32.dll.SetStdHandle
kernel32.dll.GetACP
kernel32.dll.GetCPInfo
kernel32.dll.GetOEMCP
kernel32.dll.GetStartupInfoA
kernel32.dll.GetFileType
kernel32.dll.GetCommandLineA
kernel32.dll.RtlUnwind
kernel32.dll.GetFullPathNameA
kernel32.dll.FileTimeToSystemTime
kernel32.dll.CompareStringW
kernel32.dll.FileTimeToLocalFileTime
advapi32.dll.RegEnumValueA
advapi32.dll.RegCloseKey
advapi32.dll.RegDeleteValueA
advapi32.dll.RegOpenKeyExA
advapi32.dll.LookupPrivilegeValueA
advapi32.dll.RegOpenKeyA
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.OpenProcessToken
comctl32.dll.#17
gdi32.dll.SetTextColor
gdi32.dll.DeleteObject
gdi32.dll.CreateFontIndirectA
gdi32.dll.SelectObject
gdi32.dll.GetObjectA
gdi32.dll.GetStockObject
gdi32.dll.SetBkMode
shell32.dll.ShellExecuteA
user32.dll.SetWindowTextA
user32.dll.SendMessageA
user32.dll.GetParent
user32.dll.MessageBoxA
user32.dll.SetWindowPos
user32.dll.DestroyWindow
user32.dll.DialogBoxParamA
user32.dll.SetFocus
user32.dll.CreateWindowExA
user32.dll.SendDlgItemMessageA
user32.dll.GetSystemMenu
user32.dll.GetDlgItem
user32.dll.EnableMenuItem
user32.dll.SetWindowLongA
user32.dll.GetWindowLongA
user32.dll.SetDlgItemTextA
user32.dll.LoadCursorA
user32.dll.LoadIconA
user32.dll.GetCursorPos
user32.dll.SetCursor
user32.dll.KillTimer
user32.dll.PtInRect
user32.dll.ScreenToClient
user32.dll.GetClientRect
user32.dll.CallWindowProcA
user32.dll.SetTimer
user32.dll.InvalidateRect
user32.dll.GetSysColorBrush
user32.dll.WindowFromPoint
user32.dll.GetDlgCtrlID
user32.dll.EndDialog
user32.dll.EnableWindow
comctl32.dll.RegisterClassNameW
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
uxtheme.dll.ThemeInitApiHook
user32.dll.IsProcessDPIAware
dwmapi.dll.DwmIsCompositionEnabled
user32.dll.NotifyWinEvent
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegQueryValueExW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GdiIsMetaPrintDC
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
cryptbase.dll.SystemFunction036
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GetTextExtentExPointWPri

Execute Commands

Nothing to display

Started Services

Nothing to display

Created Services

Nothing to display

Import Hash: 15492b7407f6f66c8070b94da8f49dc5
Submission	File name	MD5
2019-01-22 03:39:03	RavMGF.exe	1f4e0a8eff5fccf40dc9ee663be6c6b9
2019-01-22 05:21:06	ravnetsky.exe	b1a1a0804764c3ad4eab7238fcd18192

#infosec #automation

TheSystem Itself @ 2022-03-02 11:33:10

Detected family: #Ymacco

TheSystem Itself @ 2022-03-02 11:39:03