VMRay Analyzer Report for Sample #101941
VMRay Analyzer 3.0.2
URI api.2ip.ua, Resolved_To Address 77.123.139.189
URI texet1.ug, Resolved_To Address 188.93.127.108
URI texet2.ug, Resolved_To Address 185.162.131.70
Process 1: a959.tmp.exe (pid 1972, parent pid 1116)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\users\5p5nrgjn0js halpmcxz\desktop\a959.tmp.exe
  Relationships: Child_Of ×3, Created ×2, Opened ×5
Process 3: icacls.exe (pid 856, parent pid 1972)
  Command line: icacls "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\windows\syswow64\icacls.exe
Process 4: taskeng.exe (pid 1292, parent pid 876)
  Command line: taskeng.exe {0E3013FB-5D32-4499-A940-035C87CD1A3B} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1]
  Working directory: C:\Windows\system32\
  Image path: c:\windows\system32\taskeng.exe
Process 5: a959.tmp.exe (pid 1812, parent pid 1972)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe" --Admin IsNotAutoStart IsNotTask
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\users\5p5nrgjn0js halpmcxz\desktop\a959.tmp.exe
  Relationships: Child_Of ×5, Created ×43, Opened ×6
Process 6: updatewin1.exe (pid 1960, parent pid 1812)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe
  Relationships: Child_Of ×1, Created ×1, Opened ×3
Process 7: updatewin2.exe (pid 1932, parent pid 1812)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin2.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin2.exe
  Relationships: Opened ×3
Process 8: updatewin1.exe (pid 2044, parent pid 1960)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe" --Admin
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\
  Image path: c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe
  Relationships: Child_Of ×1, Created ×1, Opened ×3
Process 9: updatewin.exe (pid 1972, parent pid 1812)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin.exe
  Relationships: Opened ×3
Process 10: powershell.exe (pid 816, parent pid 2044)
  Command line: powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\
  Image path: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
  Relationships: Created ×6, Opened ×71
Process 11: 5.exe (pid 852, parent pid 1812)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\5.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\5.exe
  Relationships: Created ×1, Opened ×7
Process 12: taskeng.exe (pid 2096, parent pid 876)
  Command line: taskeng.exe {1F6180C3-866B-4F21-AF81-C0510D25BC0E} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:LUA[1]
  Working directory: C:\Windows\system32\
  Image path: c:\windows\system32\taskeng.exe
  Relationships: Child_Of ×1
Process 13: a959.tmp.exe (pid 2128, parent pid 2096)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb\A959.tmp.exe" --Task
  Working directory: C:\Windows\system32\
  Image path: c:\users\5p5nrgjn0js halpmcxz\appdata\local\34ab4241-89d8-4896-a0ef-745528a314bb\a959.tmp.exe
Process 15: a959.tmp.exe (pid 1236, parent pid 892)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb\A959.tmp.exe" --AutoStart
  Working directory: C:\Windows\system32\
  Image path: c:\users\5p5nrgjn0js halpmcxz\appdata\local\34ab4241-89d8-4896-a0ef-745528a314bb\a959.tmp.exe
  Relationships: Created ×38, Opened ×5
File: STD_INPUT_HANDLE
File: STD_OUTPUT_HANDLE
File: STD_ERROR_HANDLE
File: c:\users\5p5nrgjn0js halpmcxz\appdata\local\34ab4241-89d8-4896-a0ef-745528a314bb
WinRegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value SysHelper
WinRegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value SysHelper = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb\A959.tmp.exe" --AutoStart (REG_EXPAND_SZ)
File: STD_INPUT_HANDLE
File: STD_OUTPUT_HANDLE
File: STD_ERROR_HANDLE
File: c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598
File: c:\systemid
File: c:\bootsect.bak
File: c:\boot\bcd.log
File: c:\boot\bcd.log1
File: c:\boot\bcd.log2
File: c:\boot\memtest.exe
File: c:\boot\cs-cz\bootmgr.exe.mui
File: c:\boot\da-dk\bootmgr.exe.mui
File: c:\boot\de-de\bootmgr.exe.mui
File: c:\boot\el-gr\bootmgr.exe.mui
File: c:\boot\en-us\bootmgr.exe.mui
File: c:\boot\en-us\memtest.exe.mui
File: c:\boot\es-es\bootmgr.exe.mui
File: c:\boot\fi-fi\bootmgr.exe.mui
File: c:\boot\fonts\chs_boot.ttf
File: c:\boot\fonts\cht_boot.ttf
File: c:\boot\fonts\jpn_boot.ttf
File: c:\boot\fonts\kor_boot.ttf
File: c:\boot\fonts\wgl4_boot.ttf
File: c:\boot\fr-fr\bootmgr.exe.mui
File: c:\boot\hu-hu\bootmgr.exe.mui
File: c:\boot\it-it\bootmgr.exe.mui
File: c:\boot\ja-jp\bootmgr.exe.mui
File: c:\boot\ko-kr\bootmgr.exe.mui
File: c:\boot\nb-no\bootmgr.exe.mui
File: c:\boot\nl-nl\bootmgr.exe.mui
File: c:\boot\pl-pl\bootmgr.exe.mui
File: c:\boot\pt-br\bootmgr.exe.mui
File: c:\boot\pt-pt\bootmgr.exe.mui
File: c:\boot\ru-ru\bootmgr.exe.mui
File: c:\boot\sv-se\bootmgr.exe.mui
File: c:\boot\tr-tr\bootmgr.exe.mui
File: c:\boot\zh-cn\bootmgr.exe.mui
File: c:\boot\zh-hk\bootmgr.exe.mui
File: c:\boot\zh-tw\bootmgr.exe.mui
File: c:\users\5p5nrgjn0js halpmcxz\ntuser.dat
File: c:\users\5p5nrgjn0js halpmcxz\desktop\a959.tmp.exe
File: c:\users\5p5nrgjn0js halpmcxz\searches\everywhere.search-ms
File: c:\users\5p5nrgjn0js halpmcxz\searches\indexed locations.search-ms
File: c:\users\5p5nrgjn0js halpmcxz\documents\my shapes\favorites.vss
Mutex: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
WinRegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value SysHelper
WinRegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value SysHelper = 1 (REG_DWORD_LITTLE_ENDIAN)
WinRegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value SysHelper
File: STD_INPUT_HANDLE
File: STD_OUTPUT_HANDLE
File: STD_ERROR_HANDLE
File: STD_INPUT_HANDLE
File: STD_OUTPUT_HANDLE
File: STD_ERROR_HANDLE
File: STD_INPUT_HANDLE
File: STD_OUTPUT_HANDLE
File: STD_ERROR_HANDLE
File: STD_INPUT_HANDLE
File: STD_OUTPUT_HANDLE
File: STD_ERROR_HANDLE
File: conout$
File: c:\windows\syswow64\windowspowershell\v1.0\getevent.types.ps1xml
File: c:\windows\syswow64\windowspowershell\v1.0\diagnostics.format.ps1xml
File: c:\windows\syswow64\windowspowershell\v1.0\dotnettypes.format.ps1xml
File: c:\windows\syswow64\windowspowershell\v1.0\filesystem.format.ps1xml
File: c:\windows\syswow64\windowspowershell\v1.0\help.format.ps1xml
File: STD_INPUT_HANDLE
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value ApplicationBase
WinRegistryKey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value PSMODULEPATH
WinRegistryKey: HKEY_CURRENT_USER\Environment, value PSMODULEPATH
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value path
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value ApplicationBase
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value ApplicationBase
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value StackVersion
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value StackVersion
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value ApplicationBase
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value ApplicationBase
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value PipelineMaxStackSizeMB
WinRegistryKey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell
WinRegistryKey: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell
WinRegistryKey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value ExecutionPolicy
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value PipelineMaxStackSizeMB
WinRegistryKey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value ExecutionPolicy = RemoteSigned (REG_SZ)
File: STD_INPUT_HANDLE
File: STD_OUTPUT_HANDLE
File: STD_ERROR_HANDLE
Mutex: A6CF1546B-343A2EC6-63D8DC88-FF4A8C5D-82A11F69
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography, value MachineGuid
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value ProductName
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography, value MachineGuid
WinRegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value ProductName
File: STD_INPUT_HANDLE
File: STD_OUTPUT_HANDLE
File: STD_ERROR_HANDLE
File: c:\systemid\personalid.txt
File: c:\config.msi\_readme.txt
File: c:\bootsect.bak
File: c:\boot\bcd.log
File: c:\boot\memtest.exe
File: c:\boot\cs-cz\bootmgr.exe.mui
File: c:\boot\da-dk\bootmgr.exe.mui
File: c:\boot\de-de\bootmgr.exe.mui
File: c:\boot\el-gr\bootmgr.exe.mui
File: c:\boot\en-us\bootmgr.exe.mui
File: c:\boot\en-us\memtest.exe.mui
File: c:\boot\es-es\bootmgr.exe.mui
File: c:\boot\fi-fi\bootmgr.exe.mui
File: c:\boot\fonts\chs_boot.ttf
File: c:\boot\fonts\cht_boot.ttf
File: c:\boot\fonts\jpn_boot.ttf
File: c:\boot\fonts\kor_boot.ttf
File: c:\boot\fonts\wgl4_boot.ttf
File: c:\boot\fr-fr\bootmgr.exe.mui
File: c:\boot\hu-hu\bootmgr.exe.mui
File: c:\boot\it-it\bootmgr.exe.mui
File: c:\boot\ja-jp\bootmgr.exe.mui
File: c:\boot\ko-kr\bootmgr.exe.mui
File: c:\boot\nb-no\bootmgr.exe.mui
File: c:\boot\nl-nl\bootmgr.exe.mui
File: c:\boot\pl-pl\bootmgr.exe.mui
File: c:\boot\pt-br\bootmgr.exe.mui
File: c:\boot\pt-pt\bootmgr.exe.mui
File: c:\boot\ru-ru\bootmgr.exe.mui
File: c:\boot\sv-se\bootmgr.exe.mui
File: c:\boot\tr-tr\bootmgr.exe.mui
File: c:\boot\zh-cn\bootmgr.exe.mui
File: c:\boot\zh-hk\bootmgr.exe.mui
File: c:\boot\zh-tw\bootmgr.exe.mui
File: c:\users\5p5nrgjn0js halpmcxz\ntuser.dat
File: c:\users\5p5nrgjn0js halpmcxz\searches\everywhere.search-ms
File: c:\users\5p5nrgjn0js halpmcxz\searches\indexed locations.search-ms
Mutex: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
WinRegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value SysHelper
Analyzed Sample #101941
Malware Artifacts
Sample-ID: #101941
Job-ID: #252392
This sample was analyzed by VMRay Analyzer 3.0.2 on a Windows 7 system
VTI Score: 100 (based on VTI Database Version 3.3)
Metadata of Sample File #101941
Submission-ID: #153282
045266622416793cd2d5e7617d27a6c9b7fd542dcd3a18dff928b554277791b7exe
MD5: 3f44e8dde637b81989df3d607fb58526
SHA1: c009f46b4b7db702da474e66760b3ecd02060f3a
SHA256: 045266622416793cd2d5e7617d27a6c9b7fd542dcd3a18dff928b554277791b7
Metadata of Analysis for Job-ID #252392
True
Timeout
True
266.722
XDUWTFONO
win7_64_sp1
x86 64-bit
Windows 7
6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
5p5NrGJn0jS HALPmcxz
XDUWTFONO
This is a property collection for additional information of VMRay analysis
VMRay Analyzer
Category | VTI rule score | Rule | Description | Classification
Anti Analysis | 2/5 | vmray_dynamic_api_usage_by_api | Resolves an unusually high number of APIs. | Resolves APIs dynamically to possibly evade static detection
Process | 0/5 | vmray_enumerate_processes | Enumerates running processes. | Enumerates running processes
Persistence | 1/5 | vmray_install_startup_script_by_registry | Adds ""C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb\A959.tmp.exe" --AutoStart" to Windows startup via registry. | Installs system startup script or application
Process | 1/5 | vmray_create_process_with_hidden_window | The process "icacls" starts with hidden window. | Creates process with hidden window
Process | 1/5 | vmray_install_ipc_endpoint | Creates mutex with name "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}". | Creates system object
File System | 1/5 | vmray_overwrite_file_in_os_dir | Modifies file "C:\Windows\System32\drivers\etc\hosts" in the OS directory. | Modifies operating system directory
Network | 4/5 | vmray_modify_network_configuration_by_file | Modifies the host.conf file, probably to redirect network traffic. | Modifies network configuration
Process | 1/5 | vmray_create_process_with_hidden_window | The process "powershell" starts with hidden window. | Creates process with hidden window
Information Stealing | 1/5 | vmray_read_machine_guid | Reads the cryptographic machine GUID from registry. | Reads system data
Process | 1/5 | vmray_install_ipc_endpoint | Creates mutex with name "A6CF1546B-343A2EC6-63D8DC88-FF4A8C5D-82A11F69". | Creates system object
File System | 4/5 | vmray_modify_user_files | Modifies the content of multiple user files. This is an indicator for an encryption attempt. | Modifies content of user files
File System | 4/5 | vmray_rename_user_files | Renames multiple user files. This is an indicator for an encryption attempt. | Renames user files
File System | 1/5 | vmray_create_many_files | Creates an unusually large number of files. | Creates an unusually large number of files
File System | 3/5 | vmray_drop_ransom_note_files | Possibly drops ransom note files (creates 28 instances of the file "_readme.txt" in different locations). | Possibly drops ransom note files
Process | 1/5 | vmray_overwrite_code | Overwrites code to possibly hide behavior. | Overwrites code
Anti Analysis | 3/5 | vmray_delay_by_scheduled_task_delayed | Schedules task for command "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb\A959.tmp.exe", to be triggered by Time. Task has been rescheduled by the analyzer. | Delays execution
Local AV | 5/5 | vmray_av_malicious_match | Local AV detected the sample itself as "Trojan.GenericKD.41435343". | Malicious content was detected by heuristic scan
Local AV | 5/5 | vmray_av_malicious_match | Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe" as "Trojan.GenericKD.31534187". | Malicious content was detected by heuristic scan
Local AV | 5/5 | vmray_av_malicious_match | Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin2.exe" as "Trojan.AgentWDCR.SVC". | Malicious content was detected by heuristic scan
Local AV | 5/5 | vmray_av_malicious_match | Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin.exe" as "Trojan.AgentWDCR.SUF". | Malicious content was detected by heuristic scan
Local AV | 5/5 | vmray_av_malicious_match | Local AV detected the modified file "C:\Windows\System32\drivers\etc\hosts" as "Gen:Trojan.Qhost.1". | Malicious content was detected by heuristic scan
Local AV | 5/5 | vmray_av_malicious_match | Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\5.exe" as "Trojan.GenericKD.41330912". | Malicious content was detected by heuristic scan
Local AV | 5/5 | vmray_av_malicious_match | Local AV detected a memory dump of process "a959.tmp.exe" as "Generic.Ransom.Stop.BD490148". | Malicious content was detected by heuristic scan
Network | 1/5 | vmray_download_file_by_http | Downloads file via http from "http://texet1.ug/AJShduiwtyt7858345iasd43/AJshd78458hIsdfSdf/get.php?pid=711BCE0E5BC884176929A7862BF0A291". | Downloads file
Network | 1/5 | vmray_download_exe_by_http | Downloads executable via http from "http://texet2.ug/tesptc/penelop/updatewin1.exe". | Downloads executable
Network | 1/5 | vmray_download_exe_by_http | Downloads executable via http from "http://texet2.ug/tesptc/penelop/updatewin2.exe". | Downloads executable
Network | 1/5 | vmray_download_exe_by_http | Downloads executable via http from "http://texet2.ug/tesptc/penelop/updatewin.exe". | Downloads executable
Network | 1/5 | vmray_download_exe_by_http | Downloads executable via http from "http://texet2.ug/tesptc/penelop/5.exe". | Downloads executable
Network | 1/5 | vmray_establish_http_connection | URL "http://texet2.ug/tesptc/penelop/updatewin1.exe". | Connects to HTTP server
Network | 1/5 | vmray_establish_http_connection | URL "http://texet2.ug/tesptc/penelop/updatewin2.exe". | Connects to HTTP server
Network | 1/5 | vmray_establish_http_connection | URL "http://texet2.ug/tesptc/penelop/updatewin.exe". | Connects to HTTP server
Network | 1/5 | vmray_establish_http_connection | URL "http://texet2.ug/tesptc/penelop/3.exe". | Connects to HTTP server
Network | 1/5 | vmray_establish_http_connection | URL "http://texet2.ug/tesptc/penelop/4.exe". | Connects to HTTP server
Network | 1/5 | vmray_establish_http_connection | URL "http://texet2.ug/tesptc/penelop/5.exe". | Connects to HTTP server
Network | 1/5 | vmray_establish_http_connection | URL "http://texet1.ug/AJShduiwtyt7858345iasd43/AJshd78458hIsdfSdf/get.php?pid=711BCE0E5BC884176929A7862BF0A291". | Connects to HTTP server
Network | 1/5 | vmray_establish_http_connection | URL "https://api.2ip.ua/geo.json". | Connects to HTTP server
Network | 1/5 | vmray_establish_http_connection | URL "http://texet1.ug/AJShduiwtyt7858345iasd43/AJshd78458hIsdfSdf/get.php?pid=711BCE0E5BC884176929A7862BF0A291&first=true". | Connects to HTTP server
Network | 1/5 | vmray_establish_http_connection | URL "texet2.ug/1/index.php". | Connects to HTTP server
Reputation | 5/5 | vmray_known_malicious_file | File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe" is a known malicious file. | Known malicious file
Reputation | 5/5 | vmray_known_malicious_file | File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe" is a known malicious file. | Known malicious file
Reputation | 5/5 | vmray_known_malicious_file | File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin2.exe" is a known malicious file. | Known malicious file
Reputation | 5/5 | vmray_known_malicious_file | File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin.exe" is a known malicious file. | Known malicious file
Reputation | 5/5 | vmray_known_malicious_file | File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\5.exe" is a known malicious file. | Known malicious file
Reputation | 4/5 | vmray_known_malicious_url_traffic | Contacted URL "http://texet2.ug/tesptc/penelop/updatewin1.exe" is a known malicious URL. | Known malicious URL
Reputation | 4/5 | vmray_known_malicious_url_traffic | Contacted URL "http://texet2.ug/tesptc/penelop/updatewin2.exe" is a known malicious URL. | Known malicious URL
Reputation | 4/5 | vmray_known_malicious_url_traffic | Contacted URL "http://texet2.ug/tesptc/penelop/updatewin.exe" is a known malicious URL. | Known malicious URL
Reputation | 4/5 | vmray_known_malicious_url_traffic | Contacted URL "http://texet2.ug/tesptc/penelop/3.exe" is a known malicious URL. | Known malicious URL
Reputation | 4/5 | vmray_known_malicious_url_traffic | Contacted URL "http://texet2.ug/tesptc/penelop/4.exe" is a known malicious URL. | Known malicious URL
Reputation | 4/5 | vmray_known_malicious_url_traffic | Contacted URL "http://texet2.ug/tesptc/penelop/5.exe" is a known malicious URL. | Known malicious URL
Reputation | 4/5 | vmray_known_malicious_url_traffic | Contacted URL "texet2.ug/1/index.php" is a known malicious URL. | Known malicious URL
Reputation | 4/5 | vmray_known_malicious_url_traffic | Contacted URL "texet2.ug" is a known malicious URL. | Known malicious URL
Reputation | 2/5 | vmray_known_malicious_url_embedded | URL "http://texet2.ug/tesptc/penelop/5.exe" embedded in file "analysis.pcap" is a known malicious URL. | Known malicious URL
Reputation | 2/5 | vmray_known_malicious_url_embedded | URL "http://texet2.ug/tesptc/penelop/updatewin1.exe" embedded in file "analysis.pcap" is a known malicious URL. | Known malicious URL
Reputation | 2/5 | vmray_known_malicious_url_embedded | URL "http://texet2.ug/tesptc/penelop/4.exe" embedded in file "analysis.pcap" is a known malicious URL. | Known malicious URL
Reputation | 2/5 | vmray_known_malicious_url_embedded | URL "http://texet2.ug/tesptc/penelop/updatewin2.exe" embedded in file "analysis.pcap" is a known malicious URL. | Known malicious URL
Reputation | 2/5 | vmray_known_malicious_url_embedded | URL "http://texet2.ug/tesptc/penelop/3.exe" embedded in file "analysis.pcap" is a known malicious URL. | Known malicious URL
Reputation | 2/5 | vmray_known_malicious_url_embedded | URL "http://texet2.ug/tesptc/penelop/updatewin.exe" embedded in file "analysis.pcap" is a known malicious URL. | Known malicious URL