00ac3af5...b31c | VMRay Analyzer Report
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Ransomware, Wiper

1.exe

Windows Exe (x86-32)

Created at 2019-07-04T17:39:00

...

Remarks (1/1)

(0x2000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

VMRay Threat Indicators (11 rules, 222 matches)

Severity Category Operation Count Classification
5/5
File System Encrypts content of user files 1 Ransomware
  • Encrypts the content of multiple user files. This is an indicator for ransomware.
    ...
5/5
Local AV Malicious content was detected by heuristic scan 1 -
4/5
OS Modifies Windows automatic backups 1 -
1/5
Process Creates system object 2 -
  • Creates mutex with name "Global\0115B419773000".
    ...
  • Creates mutex with name "Global\0115B419773001".
    ...
1/5
Process Creates process with hidden window 2 -
  • The process "C:\Users\FD1HVy\Desktop\1.exe" starts with hidden window.
    ...
  • The process "C:\WINDOWS\system32\cmd.exe" starts with hidden window.
    ...
1/5
Persistence Installs system startup script or application 3 -
  • Adds "C:\Users\FD1HVy\AppData\Local\1.exe" to Windows startup via registry.
    ...
  • Adds "c:\users\fd1hvy\appdata\roaming\microsoft\windows\start menu\programs\startup\1.exe" to Windows startup folder.
    ...
  • Adds "c:\programdata\microsoft\windows\start menu\programs\startup\1.exe" to Windows startup folder.
    ...
1/5
Masquerade Changes folder appearance 4 -
  • Folder "c:\$recycle.bin\s-1-5-18" has a changed appearance.
    ...
  • Folder "c:\$recycle.bin\s-1-5-21-1051304884-625712362-2192934891-1000" has a changed appearance.
    ...
  • Folder "c:\program files\common files\microsoft shared\stationery" has a changed appearance.
    ...
  • Folder "c:\program files" has a changed appearance.
    ...
1/5
File System Modifies application directory 202 -
  • Modifies "c:\program files\windowsapps\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\configuration\configuration.sqlite".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-file-l1-2-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-file-l2-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-localization-l1-2-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-processthreads-l1-1-1.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-timezone-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-xstate-l2-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-conio-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-convert-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-synch-l1-2-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-filesystem-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-heap-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-locale-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-math-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-environment-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-private-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-process-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-runtime-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-stdio-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-multibyte-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-time-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-utility-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\appvcleaner.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-string-l1-1-0.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\appvisvstream32.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems32.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\appvscripting.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\c2r32.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-file-l2-1-0.dll".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-timezone-l1-1-0.dll".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\appvisvstream64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\appvshnotify.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\c2r64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\c2rui.en-us.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\concrt140.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\i640.hash.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\i641033.hash.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\c2rheartbeatconfig.xml.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\mavinject32.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\integratedoffice.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\msointl30.en-us.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\officeupdateschedule.xml.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\servicewatcherschedule.xml.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\officec2rcom.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\ucrtbase.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\vccorlib140.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\office16\liclua.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\office16\office setup controller\pkeyconfig-office.xrm-ms.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\office16\office setup controller\pidgenx.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\office16\office setup controller\pkeyconfig.companion.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\stationery\desktop.ini.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\source engine\ose.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\vc\msdia90.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\vc\msdia100.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\vsto\10.0\1033\vstoinstallerui.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\vsto\10.0\1033\vstoloaderui.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\vsto\10.0\vstoinstaller.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\vsto\10.0\vstomessageprovider.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\vsto\vstoee.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\vsto\vstoee100.tlb.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\microsoft shared\vsto\10.0\vstoloader.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\common files\system\ado\msadrh15.dll".
    ...
  • Modifies "c:\program files\desktop.ini.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\internet explorer\boating.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\awt.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\internet explorer\signup\install.ins.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\bci.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\dcpr.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\decora_sse.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\deploy.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\dtplugin\deployjava1.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\dtplugin\npdeployjava1.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\dt_shmem.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\eula.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\fontmanager.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\dt_socket.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\glass.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\fxplugins.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\gstreamer-lite.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\glib-lite.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\hprof.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\instrument.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\j2pcsc.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\j2pkcs11.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\jabswitch.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\java-rmi.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\java.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\java.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\jaas_nt.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\javaaccessbridge-64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\javacpl.cpl.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\javacpl.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\javafx_font.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\javafx_iio.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\javaw.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\javaws.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\javafx_font_t2k.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\jawt.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\java_crw_demo.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\jdwp.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\jfr.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\jfxmedia.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\jawtaccessbridge-64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\jjs.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\jli.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\jp2iexp.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\windowsapps\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\configuration\configuration.sqlite".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\jp2launcher.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\jp2ssv.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\jpeg.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\jp2native.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\jsound.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\jsoundds.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\kcms.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\keytool.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\jsdt.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\kinit.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\klist.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\ktab.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\lcms.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\management.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\mlib_image.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\msvcr100.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\msvcp120.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\net.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\nio.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\npt.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\orbd.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\msvcr120.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\pack200.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\plugin2\npjp2.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\policytool.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\prism_common.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\prism_d3d.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\plugin2\msvcr100.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\prism_sw.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\rmid.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\rmiregistry.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\resource.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\server\jvm.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\server\classes.jsa.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\servertool.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\splashscreen.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\server\xusage.txt.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\ssvagent.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\sunec.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\sunmscapi.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\t2k.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\ssv.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\tnameserv.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\unpack200.exe.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\verify.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\w2k_lsa_auth.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\unpack.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\wsdetect.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\zip.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\copyright.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\accessibility.properties.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\bin\windowsaccessbridge-64.dll.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\calendars.properties.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\charsets.jar.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\amd64\jvm.cfg.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\classlist.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\cmm\ciexyz.pf.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\cmm\gray.pf.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\cmm\linear_rgb.pf.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\cmm\srgb.pf.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\cmm\pycc.pf.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\currency.data.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\ffjcext.zip.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\messages.properties.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\messages_de.properties.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\content-types.properties.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\messages_fr.properties.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\messages_it.properties.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\messages_ja.properties.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\messages_ko.properties.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\messages_pt_br.properties.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\messages_sv.properties.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\messages_es.properties.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\messages_zh_hk.properties.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\messages_zh_tw.properties.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\splash.gif.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\splash@2x.gif.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\splash_11-lic.gif.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\splash_11@2x-lic.gif.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\deploy.jar".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\ext\access-bridge-64.jar.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\deploy.jar.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\ext\cldrdata.jar.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\ext\jaccess.jar.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\ext\dnsns.jar.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\ext\localedata.jar.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
  • Modifies "c:\program files\java\jre1.8.0_144\lib\ext\jfxrt.jar.id[b4197730-0115].[fileisafe@tuta.io].actin".
    ...
1/5
Process Reads from memory of another process 4 -
  • "c:\windows\system32\cmd.exe" reads from "C:\WINDOWS\system32\vssadmin.exe".
    ...
  • "c:\windows\system32\cmd.exe" reads from "C:\WINDOWS\system32\netsh.exe".
    ...
  • "c:\windows\system32\cmd.exe" reads from "C:\WINDOWS\System32\Wbem\WMIC.exe".
    ...
  • "c:\windows\system32\cmd.exe" reads from "C:\WINDOWS\system32\bcdedit.exe".
    ...
1/5
File System Creates an unusually large number of files 1 -
0/5
Process Enumerates running processes 1 -

Screenshots

Monitored Processes

Process Graph

Process Graph Legend

Sample Information

ID #98839
MD5 2ab38a18e49cce095d672abfaa210cf6 Copy to Clipboard
SHA1 ea07f27bff4c4706a84f723e3e75b1e47f9d8196 Copy to Clipboard
SHA256 00ac3af56227e8ed3df43457297c72e2f91ad04fb1c7553df377ed7f8875b31c Copy to Clipboard
SSDeep 1536:mkGB8nHbKUvryElSpi8jCZGcqDKlKnr8d7kuggk9TdoRH:mFBMHRvrAjCZmKcnr8w/i Copy to Clipboard
ImpHash e6984e72559f94ba7deb365bcd2bee8a Copy to Clipboard
Filename 1.exe
File Size 67.00 KB
Sample Type Windows Exe (x86-32)

Analysis Information

Creation Time 2019-07-04 19:39 (UTC+2)
Analysis Duration 00:02:36
Number of Monitored Processes 16
Execution Successful True
Reputation Enabled True
WHOIS Enabled False
Local AV Enabled True
YARA Enabled True
Number of AV Matches 1
Number of YARA Matches 0
Termination Reason Maximum binlog size reached
Tags
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image