VMRay Analyzer Report for Sample #1355624 (VMRay Analyzer 3.2.2)
Process #1: PID 4288, mfo4ed9hfrpsso4o.exe, parent PID 1376
  Command line: "C:\Users\FD1HVy\Desktop\mFO4ED9hfrpsSO4O.exe"
  Working directory: C:\Users\FD1HVy\Desktop\
  Image path: c:\users\fd1hvy\desktop\mfo4ed9hfrpsso4o.exe
Created
Opened
Created
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Process #6: PID 3704, mfo4ed9hfrpsso4o.exe, parent PID 4288
  Command line: "{path}"
  Working directory: C:\Users\FD1HVy\Desktop\
  Image path: c:\users\fd1hvy\desktop\mfo4ed9hfrpsso4o.exe
Process #7: PID 1376, explorer.exe, parent PID 18446744073709551615 (0xFFFFFFFFFFFFFFFF, no parent recorded)
  Command line: C:\WINDOWS\Explorer.EXE
  Working directory: C:\WINDOWS\system32\
  Image path: c:\windows\explorer.exe
Process #8: PID 3932, netsh.exe, parent PID 1376
  Command line: "C:\Windows\SysWOW64\netsh.exe"
  Working directory: C:\WINDOWS\system32\
  Image path: c:\windows\syswow64\netsh.exe
Process #9: PID 4864, cmd.exe, parent PID 3932
  Command line: /c copy "C:\Users\FD1HVy\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\FD1HVy\AppData\Local\Temp\DB1" /V
  Working directory: C:\WINDOWS\system32\
  Image path: c:\windows\syswow64\cmd.exe
Process #12: PID 2736, 3dftp.exe, parent PID 1376
  Command line: "C:\Program Files (x86)\Windows Sidebar\3dftp.exe"
  Working directory: C:\Program Files (x86)\Windows Sidebar\
  Image path: c:\program files (x86)\windows sidebar\3dftp.exe
Process #13: PID 96, absolutetelnet.exe, parent PID 1376
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\absolutetelnet.exe"
  Working directory: C:\Program Files (x86)\Mozilla Maintenance Service\
  Image path: c:\program files (x86)\mozilla maintenance service\absolutetelnet.exe
Process #14: PID 2960, alftp.exe, parent PID 1376
  Command line: "C:\Program Files\Windows Mail\alftp.exe"
  Working directory: C:\Program Files\Windows Mail\
  Image path: c:\program files\windows mail\alftp.exe
Process #15: PID 3296, barca.exe, parent PID 1376
  Command line: "C:\Program Files\WindowsPowerShell\barca.exe"
  Working directory: C:\Program Files\WindowsPowerShell\
  Image path: c:\program files\windowspowershell\barca.exe
Process #16: PID 3528, bitkinex.exe, parent PID 1376
  Command line: "C:\Program Files\Windows Photo Viewer\bitkinex.exe"
  Working directory: C:\Program Files\Windows Photo Viewer\
  Image path: c:\program files\windows photo viewer\bitkinex.exe
Process #17: PID 3512, coreftp.exe, parent PID 1376
  Command line: "C:\Program Files (x86)\Windows Sidebar\coreftp.exe"
  Working directory: C:\Program Files (x86)\Windows Sidebar\
  Image path: c:\program files (x86)\windows sidebar\coreftp.exe
Process #18: PID 1772, far.exe, parent PID 1376
  Command line: "C:\Program Files (x86)\Reference Assemblies\far.exe"
  Working directory: C:\Program Files (x86)\Reference Assemblies\
  Image path: c:\program files (x86)\reference assemblies\far.exe
Process #19: PID 1752, filezilla.exe, parent PID 1376
  Command line: "C:\Program Files\Common Files\filezilla.exe"
  Working directory: C:\Program Files\Common Files\
  Image path: c:\program files\common files\filezilla.exe
Process #20: PID 2708, flashfxp.exe, parent PID 1376
  Command line: "C:\Program Files\Reference Assemblies\flashfxp.exe"
  Working directory: C:\Program Files\Reference Assemblies\
  Image path: c:\program files\reference assemblies\flashfxp.exe
Process #21: PID 3592, fling.exe, parent PID 1376
  Command line: "C:\Program Files (x86)\WindowsPowerShell\fling.exe"
  Working directory: C:\Program Files (x86)\WindowsPowerShell\
  Image path: c:\program files (x86)\windowspowershell\fling.exe
Process #22: PID 3256, gmailnotifierpro.exe, parent PID 1376
  Command line: "C:\Program Files (x86)\Windows Defender\gmailnotifierpro.exe"
  Working directory: C:\Program Files (x86)\Windows Defender\
  Image path: c:\program files (x86)\windows defender\gmailnotifierpro.exe
Process #23: PID 2668, icq.exe, parent PID 1376
  Command line: "C:\Program Files\WindowsPowerShell\icq.exe"
  Working directory: C:\Program Files\WindowsPowerShell\
  Image path: c:\program files\windowspowershell\icq.exe
Process #24: PID 724, leechftp.exe, parent PID 1376
  Command line: "C:\Program Files (x86)\Internet Explorer\leechftp.exe"
  Working directory: C:\Program Files (x86)\Internet Explorer\
  Image path: c:\program files (x86)\internet explorer\leechftp.exe
Process #25: PID 952, ncftp.exe, parent PID 1376
  Command line: "C:\Program Files\Windows Defender Advanced Threat Protection\ncftp.exe"
  Working directory: C:\Program Files\Windows Defender Advanced Threat Protection\
  Image path: c:\program files\windows defender advanced threat protection\ncftp.exe
Process #26: PID 3564, notepad.exe, parent PID 1376
  Command line: "C:\Program Files (x86)\Microsoft.NET\notepad.exe"
  Working directory: C:\Program Files (x86)\Microsoft.NET\
  Image path: c:\program files (x86)\microsoft.net\notepad.exe
Process #27: PID 1700, operamail.exe, parent PID 1376
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\operamail.exe"
  Working directory: C:\Program Files (x86)\Mozilla Maintenance Service\
  Image path: c:\program files (x86)\mozilla maintenance service\operamail.exe
Process #28: PID 1976, outlook.exe, parent PID 1376
  Command line: "C:\Program Files (x86)\Windows Sidebar\outlook.exe"
  Working directory: C:\Program Files (x86)\Windows Sidebar\
  Image path: c:\program files (x86)\windows sidebar\outlook.exe
Process #29: PID 132, pidgin.exe, parent PID 1376
  Command line: "C:\Program Files\WindowsPowerShell\pidgin.exe"
  Working directory: C:\Program Files\WindowsPowerShell\
  Image path: c:\program files\windowspowershell\pidgin.exe
Process #30: PID 3804, scriptftp.exe, parent PID 1376
  Command line: "C:\Program Files (x86)\WindowsPowerShell\scriptftp.exe"
  Working directory: C:\Program Files (x86)\WindowsPowerShell\
  Image path: c:\program files (x86)\windowspowershell\scriptftp.exe
Mutex: dgykghSf
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
WinRegistryKey: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (value: Identifier)
WinRegistryKey: HKEY_LOCAL_MACHINE\HARDWARE\Description\System (value: SystemBiosVersion)
WinRegistryKey: HKEY_LOCAL_MACHINE\HARDWARE\Description\System (value: VideoBiosVersion)
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
WinRegistryKey: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (value: Identifier)
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
WinRegistryKey: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0
WinRegistryKey: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (value: 0)
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 (value: DriverDesc)
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings (value: Device Description)
WinRegistryKey: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (value: Identifier)
WinRegistryKey: HKEY_LOCAL_MACHINE\HARDWARE\Description\System (value: SystemBiosVersion)
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 (value: WMIDisableCOMSecurity)
Mutex: S-1-5-21-1051304-1376254591059
Mutex: 310A-4BA29U3JAIZ
Mutex: -6NBP70TX9468WZz
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion (value: ProductName)
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\00568502698af0439be8841b68034dfb
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\218578a43d628c44a10b99677e0ac26d
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\359319914d3d374fbfb59d68dc930dae
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\639e40e39678b140ba542215785646ac
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\82926373c8be9c41a6f55990abdb6a7a
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\db257a828627ae4aa57a2e41ad166870
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f7a20347e930b94fadcc6ece7cd55c43
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook_2016\
WinRegistryKey: HKEY_USERS\S-1-5-21-1051304884-625712362-2192934891-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\
WinRegistryKey: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor (values: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun)
WinRegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Command Processor (values: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun)
Analyzed Sample #1355624: Malware Artifacts
Sample-ID: #1355624
Job-ID: #3973792
This sample was analyzed by VMRay Analyzer 3.2.2 on a Windows 10 Redstone 2 system.
VTI Score: 100 (based on VTI Database Version 3.6)
Metadata of Sample File #1355624
Submission-ID: #5069959
File name: 72cca77c38132f30a09c57d24815d52ec3d5bb48c19415f52b7a38190b92d17fexe
MD5: 51a292587a2d735306afb24d54002ba5
SHA1: c22a6a4cefcd2fe4c06a4244dce0c13bcf63d269
SHA256: 72cca77c38132f30a09c57d24815d52ec3d5bb48c19415f52b7a38190b92d17f
Metadata of Analysis for Job-ID #3973792
Termination reason: Timeout
Analysis duration: 240.023 s
Analysis host: NQDPDE
VM: win10_64_rs2, x86 64-bit, Windows 10 Redstone 2, build 10.0.15063.540 (f6f48955-5489-4b24-b4df-942361f0730d)
User: FD1HVy
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_detect_debugger_by_api
Check via API "CheckRemoteDebuggerPresent".
Tries to detect debugger
Discovery
VTI rule match with VTI rule score 0/5
vmray_enumerate_processes
Enumerates running processes.
Enumerates running processes
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_detect_debugger_by_api
Check via API "IsDebuggerPresent".
Tries to detect debugger
Mutex
VTI rule match with VTI rule score 1/5
vmray_create_named_mutex
Creates mutex with name "dgykghSf".
Creates mutex
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_detect_generic_vm_by_registry
Reads out system information, commonly used to detect "VirtualBox" via registry. (Key is "HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions").
Tries to detect virtual machine
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_detect_generic_vm_by_registry
Reads out system information, commonly used to detect "VMware" via registry. (Key is "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools").
Tries to detect virtual machine
Anti Analysis
VTI rule match with VTI rule score 3/5
vmray_detect_wine_by_getprocaddress
Tries to detect "wine" by calling GetProcAddress() on "wine_get_unix_file_name".
Tries to detect application sandbox
Obfuscation
VTI rule match with VTI rule score 2/5
vmray_dynamic_api_usage_by_api
Resolves an unusually high number of APIs.
Resolves APIs dynamically to possibly evade static detection
Anti Analysis
VTI rule match with VTI rule score 3/5
vmray_detect_application_sandbox_by_dll
Tries to detect "Sandboxie" by checking for existence of module "SbieDll.dll".
Tries to detect application sandbox
Hide Tracks
VTI rule match with VTI rule score 1/5
vmray_create_process_with_hidden_window
The process "C:\Users\FD1HVy\Desktop\mFO4ED9hfrpsSO4O.exe" starts with hidden window.
Creates process with hidden window
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\users\fd1hvy\desktop\mfo4ed9hfrpsso4o.exe" reads from "C:\Users\FD1HVy\Desktop\mFO4ED9hfrpsSO4O.exe".
Reads from memory of another process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_allocate_wx_page
Allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
Creates a page with write and execute permissions
System Modification
VTI rule match with VTI rule score 1/5
vmray_create_file_in_os_dir
Creates file "\??\C:\WINDOWS\SYSTEM32\ntdll.dll" in the OS directory.
Modifies operating system directory
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_detect_kernel_debugger_by_api
Check via API "NtQuerySystemInformation".
Tries to detect kernel debugger
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_detect_debugger_by_api
Check via API "NtQueryInformationProcess".
Tries to detect debugger
Hide Tracks
VTI rule match with VTI rule score 1/5
vmray_create_process_with_hidden_window
The process "C:\Windows\SysWOW64\dwm.exe" starts with hidden window.
Creates process with hidden window
Hide Tracks
VTI rule match with VTI rule score 1/5
vmray_create_process_with_hidden_window
The process "C:\Windows\SysWOW64\netsh.exe" starts with hidden window.
Creates process with hidden window
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\users\fd1hvy\desktop\mfo4ed9hfrpsso4o.exe" reads from "c:\windows\explorer.exe".
Reads from memory of another process
System Modification
VTI rule match with VTI rule score 1/5
vmray_create_file_in_os_dir
Creates file "\??\C:\Windows\SysWOW64\netsh.exe" in the OS directory.
Modifies operating system directory
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\users\fd1hvy\desktop\mfo4ed9hfrpsso4o.exe" reads from "c:\windows\syswow64\netsh.exe".
Reads from memory of another process
Mutex
VTI rule match with VTI rule score 1/5
vmray_create_named_mutex
Creates mutex with name "310A-4BA29U3JAIZ".
Creates mutex
Mutex
VTI rule match with VTI rule score 1/5
vmray_create_named_mutex
Creates mutex with name "-6NBP70TX9468WZz".
Creates mutex
System Modification
VTI rule match with VTI rule score 1/5
vmray_create_file_in_os_dir
Creates file "\??\C:\WINDOWS\System32\drivers\etc\hosts" in the OS directory.
Modifies operating system directory
Discovery
VTI rule match with VTI rule score 3/5
vmray_read_hosts_file
Reads the current network configuration through the host.conf file.
Reads network configuration
Discovery
VTI rule match with VTI rule score 1/5
vmray_recon_app_data_by_registry
Tries to gather information about application "Mozilla Firefox" by registry.
Possibly does reconnaissance
Discovery
VTI rule match with VTI rule score 1/5
vmray_recon_app_data_by_file
Tries to gather information about application "Mozilla Firefox" by file.
Possibly does reconnaissance
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "\??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "\??\C:\Program Files\Mozilla Firefox\Firefox.exe".
Modifies application directory
Data Collection
VTI rule match with VTI rule score 2/5
vmray_read_browser_creds_by_file
Trying to read sensitive data of web browser "Google Chrome" by file.
Reads sensitive browser data
Hide Tracks
VTI rule match with VTI rule score 1/5
vmray_create_process_with_hidden_window
The process "C:\Windows\SysWOW64\cmd.exe" starts with hidden window.
Creates process with hidden window
Data Collection
VTI rule match with VTI rule score 2/5
vmray_read_browser_creds_by_file
Trying to read sensitive data of web browser "Opera" by file.
Reads sensitive browser data
Data Collection
VTI rule match with VTI rule score 2/5
vmray_read_vaulted_ie_creds_by_api
Trying to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
Reads sensitive browser data
Mutex
VTI rule match with VTI rule score 1/5
vmray_create_named_mutex
Creates mutex with name "S-1-5-21-1051304-1376254591059".
Creates mutex
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files (x86)\windows sidebar\3dftp.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files (x86)\windows sidebar\3dftp.exe".
Reads from memory of another process
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files (x86)\mozilla maintenance service\absolutetelnet.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files (x86)\mozilla maintenance service\absolutetelnet.exe".
Reads from memory of another process
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files\windows mail\alftp.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files\windows mail\alftp.exe".
Reads from memory of another process
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files\windowspowershell\barca.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files\windowspowershell\barca.exe".
Reads from memory of another process
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files\windows photo viewer\bitkinex.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files\windows photo viewer\bitkinex.exe".
Reads from memory of another process
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files (x86)\windows sidebar\coreftp.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files (x86)\windows sidebar\coreftp.exe".
Reads from memory of another process
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files (x86)\reference assemblies\far.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files (x86)\reference assemblies\far.exe".
Reads from memory of another process
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files\common files\filezilla.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files\common files\filezilla.exe".
Reads from memory of another process
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files\reference assemblies\flashfxp.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files\reference assemblies\flashfxp.exe".
Reads from memory of another process
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files (x86)\windowspowershell\fling.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files (x86)\windowspowershell\fling.exe".
Reads from memory of another process
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files (x86)\windows defender\gmailnotifierpro.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files (x86)\windows defender\gmailnotifierpro.exe".
Reads from memory of another process
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files\windowspowershell\icq.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files\windowspowershell\icq.exe".
Reads from memory of another process
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files (x86)\internet explorer\leechftp.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files (x86)\internet explorer\leechftp.exe".
Reads from memory of another process
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files\windows defender advanced threat protection\ncftp.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files\windows defender advanced threat protection\ncftp.exe".
Reads from memory of another process
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files (x86)\microsoft.net\notepad.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files (x86)\microsoft.net\notepad.exe".
Reads from memory of another process
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files (x86)\mozilla maintenance service\operamail.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files (x86)\mozilla maintenance service\operamail.exe".
Reads from memory of another process
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files (x86)\windows sidebar\outlook.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files (x86)\windows sidebar\outlook.exe".
Reads from memory of another process
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files\windowspowershell\pidgin.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files\windowspowershell\pidgin.exe".
Reads from memory of another process
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files (x86)\windowspowershell\scriptftp.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files (x86)\windowspowershell\scriptftp.exe".
Reads from memory of another process
Data Collection
VTI rule match with VTI rule score 4/5
vmray_read_memory_of_user_proc
Reads memory of process c:\program files\mozilla firefox\skype.exe.
Reads memory of user process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\syswow64\netsh.exe" reads from "c:\program files\mozilla firefox\skype.exe".
Reads from memory of another process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_overwrite_code
Overwrites code to possibly hide behavior.
Overwrites code
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_direct_syscall_api_usage
Makes a direct system call to "NtQuerySystemInformation".
Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_direct_syscall_api_usage
Makes a direct system call to "NtQueryInformationProcess".
Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_direct_syscall_api_usage
Makes a direct system call to "NtAllocateVirtualMemory".
Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_direct_syscall_api_usage
Makes a direct system call to "NtFreeVirtualMemory".
Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_direct_syscall_api_usage
Makes a direct system call to "NtOpenProcessToken".
Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_direct_syscall_api_usage
Makes a direct system call to "NtAdjustPrivilegesToken".
Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_direct_syscall_api_usage
Makes a direct system call to "NtClose".
Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_direct_syscall_api_usage
Makes a direct system call to "NtCreateSection".
Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_direct_syscall_api_usage
Makes a direct system call to "NtMapViewOfSection".
Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_direct_syscall_api_usage
Makes a direct system call to "NtOpenProcess".
Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_direct_syscall_api_usage
Makes a direct system call to "NtQueryInformationToken".
Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_direct_syscall_api_usage
Makes a direct system call to "NtProtectVirtualMemory".
Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_direct_syscall_api_usage
Makes a direct system call to "NtCreateFile".
Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_direct_syscall_api_usage
Makes a direct system call to "NtQueryInformationFile".
Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_direct_syscall_api_usage
Makes a direct system call to "NtDelayExecution".
Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_direct_syscall_api_usage
Makes a direct system call to "NtReadVirtualMemory".
Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_direct_syscall_api_usage
Makes a direct system call to "NtOpenThread".
Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_direct_syscall_api_usage
Makes a direct system call to "NtReadFile".
Makes direct system call to possibly evade hooking based sandboxes
Category | VTI rule score | Rule | Operation | Classification
Anti Analysis | 2/5 | vmray_direct_syscall_api_usage | Makes a direct system call to "NtUnmapViewOfSection". | Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis | 2/5 | vmray_direct_syscall_api_usage | Makes a direct system call to "NtResumeThread". | Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis | 2/5 | vmray_direct_syscall_api_usage | Makes a direct system call to "NtOpenDirectoryObject". | Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis | 2/5 | vmray_direct_syscall_api_usage | Makes a direct system call to "NtCreateMutant". | Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis | 2/5 | vmray_direct_syscall_api_usage | Makes a direct system call to "NtSetInformationFile". | Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis | 2/5 | vmray_direct_syscall_api_usage | Makes a direct system call to "NtCreateKey". | Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis | 2/5 | vmray_direct_syscall_api_usage | Makes a direct system call to "NtQueryValueKey". | Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis | 2/5 | vmray_direct_syscall_api_usage | Makes a direct system call to "NtWriteFile". | Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis | 2/5 | vmray_direct_syscall_api_usage | Makes a direct system call to "NtEnumerateKey". | Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis | 2/5 | vmray_direct_syscall_api_usage | Makes a direct system call to "NtEnumerateValueKey". | Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis | 2/5 | vmray_direct_syscall_api_usage | Makes a direct system call to "NtWaitForSingleObject". | Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis | 2/5 | vmray_direct_syscall_api_usage | Makes a direct system call to "NtSuspendThread". | Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis | 2/5 | vmray_direct_syscall_api_usage | Makes a direct system call to "NtGetContextThread". | Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis | 2/5 | vmray_direct_syscall_api_usage | Makes a direct system call to "NtSetContextThread". | Makes direct system call to possibly evade hooking based sandboxes
Antivirus | 5/5 | vmray_av_malicious_match | Local AV detected the sample itself as "Trojan.GenericKDZ.70241". | Malicious content was detected by heuristic scan
Antivirus | 5/5 | vmray_av_malicious_match | Local AV detected a memory dump of process "mfo4ed9hfrpsso4o.exe" as "Gen:Variant.Babar.21405". | Malicious content was detected by heuristic scan
Injection | 4/5 | vmray_modify_memory_system | "c:\users\fd1hvy\desktop\mfo4ed9hfrpsso4o.exe" modifies memory of "c:\windows\explorer.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\windows\explorer.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\users\fd1hvy\desktop\mfo4ed9hfrpsso4o.exe" modifies memory of "c:\windows\syswow64\netsh.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\program files (x86)\windows sidebar\3dftp.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\program files (x86)\mozilla maintenance service\absolutetelnet.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\program files\windows mail\alftp.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\program files\windowspowershell\barca.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\program files\windows photo viewer\bitkinex.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\program files (x86)\windows sidebar\coreftp.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\program files (x86)\reference assemblies\far.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\program files\common files\filezilla.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\program files\reference assemblies\flashfxp.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\program files (x86)\windowspowershell\fling.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\program files (x86)\windows defender\gmailnotifierpro.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\program files\windowspowershell\icq.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\program files (x86)\internet explorer\leechftp.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\program files\windows defender advanced threat protection\ncftp.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\program files (x86)\microsoft.net\notepad.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\program files (x86)\mozilla maintenance service\operamail.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\program files (x86)\windows sidebar\outlook.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\program files\windowspowershell\pidgin.exe". | Writes into the memory of another running process
Injection | 4/5 | vmray_modify_memory_system | "c:\windows\syswow64\netsh.exe" modifies memory of "c:\program files (x86)\windowspowershell\scriptftp.exe". | Writes into the memory of another running process
Injection | 2/5 | vmray_modify_memory | "c:\users\fd1hvy\desktop\mfo4ed9hfrpsso4o.exe" modifies memory of "c:\users\fd1hvy\desktop\mfo4ed9hfrpsso4o.exe". | Writes into the memory of a process running from a created or modified executable
Injection | 4/5 | vmray_modify_control_flow_system | "c:\users\fd1hvy\desktop\mfo4ed9hfrpsso4o.exe" alters context of "c:\windows\explorer.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\windows\explorer.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\program files (x86)\windows sidebar\3dftp.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\program files (x86)\mozilla maintenance service\absolutetelnet.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\program files\windows mail\alftp.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\program files\windowspowershell\barca.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\program files\windows photo viewer\bitkinex.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\program files (x86)\windows sidebar\coreftp.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\program files (x86)\reference assemblies\far.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\program files\common files\filezilla.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\program files\reference assemblies\flashfxp.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\program files (x86)\windowspowershell\fling.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\program files (x86)\windows defender\gmailnotifierpro.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\program files\windowspowershell\icq.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\program files (x86)\internet explorer\leechftp.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\program files\windows defender advanced threat protection\ncftp.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\program files (x86)\microsoft.net\notepad.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\program files (x86)\mozilla maintenance service\operamail.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\program files (x86)\windows sidebar\outlook.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\program files\windowspowershell\pidgin.exe". | Modifies control flow of another process
Injection | 4/5 | vmray_modify_control_flow_system | "c:\windows\syswow64\netsh.exe" alters context of "c:\program files (x86)\windowspowershell\scriptftp.exe". | Modifies control flow of another process
Injection | 2/5 | vmray_modify_control_flow_non_system | "c:\users\fd1hvy\desktop\mfo4ed9hfrpsso4o.exe" alters context of "c:\users\fd1hvy\desktop\mfo4ed9hfrpsso4o.exe". | Modifies control flow of a process running from a created or modified executable
YARA | 5/5 | vmray_yara_match_high | Rule "FormBook" from ruleset "Malware" has matched on the extracted function string file "function_strings_process_8.txt". | Malicious content matched by YARA rules