VMRay Analyzer Report for Sample #560905
Analyzer: VMRay Analyzer 3.2.2
Network: URIs and the addresses they resolved to
mzrevenge.ga -> 128.127.106.29
api.db-ip.com -> 104.26.4.15, 104.26.5.15
api.ipify.org -> 184.73.185.65, 174.129.223.190, 54.243.147.226, 54.225.66.103, 54.243.186.202, 54.225.139.71, 184.73.165.106, 54.225.71.235
nagano-19599.herokussl.com -> 8 Resolved_To records (addresses not present in the extracted report)
elb097307-934924932.us-east-1.elb.amazonaws.com -> 8 Resolved_To records (addresses not present in the extracted report)
Process tree (each entry: image name, PID, parent PID, command line, working directory, image path, recorded relations; processes 10 and 12 to 15 are not present in the extracted report)

Process 1: ausmwsjhplkbv4ai.exe, PID 2908, parent PID 1108
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\aUsMWsjhpLkBV4ai.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\users\5p5nrgjn0js halpmcxz\desktop\ausmwsjhplkbv4ai.exe
  Relations: Child_Of; Created; Opened

Process 2: cmd.exe, PID 2696, parent PID 2908 (process 1)
  Command line: "cmd.exe" /C C:\Windows\svchost.exe
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\windows\system32\cmd.exe
  Relations: Child_Of; Created; Opened (x3)

Process 3: svchost.exe, PID 2940, parent PID 2696 (process 2)
  Command line: C:\Windows\svchost.exe
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\windows\svchost.exe
  Relations: Child_Of (x4); Created (x2); Opened (x7); Created (x3); Read_From (x3)

Process 4: cmd.exe, PID 196, parent PID 2940 (process 3)
  Command line: "C:\Windows\System32\cmd.exe" /C sc config "AppCheck" start=disabled
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\windows\syswow64\cmd.exe
  Relations: Child_Of; Created; Opened (x3)

Process 5: cmd.exe, PID 448, parent PID 2940 (process 3)
  Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\windows\syswow64\cmd.exe
  Relations: Child_Of (x2); Created; Opened (x3)

Process 6: sc.exe, PID 1948, parent PID 196 (process 4)
  Command line: sc config "AppCheck" start=disabled
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\windows\syswow64\sc.exe
  Relations: none recorded

Process 7: powershell.exe, PID 980, parent PID 2940 (process 3)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  The -e argument decodes (base64 of UTF-16LE text, decoded here) to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
  Relations: Opened (x65)

Process 8: vssadmin.exe, PID 1728, parent PID 448 (process 5)
  Command line: vssadmin delete shadows /all /quiet
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\windows\syswow64\vssadmin.exe
  Relations: Child_Of

Process 9: vssvc.exe, PID 2188, parent PID 472
  Command line: C:\Windows\system32\vssvc.exe
  Working directory: C:\Windows\system32\
  Image path: c:\windows\system32\vssvc.exe
  Relations: none recorded

Process 11: wmic.exe, PID 1252, parent PID 448 (process 5)
  Command line: wmic shadowcopy delete
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\windows\syswow64\wbem\wmic.exe
  Relations: Opened

Process 16: notepad.exe, PID 868, parent PID 2940 (process 3)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\How Do I Recover My Files (Readme).txt
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\windows\syswow64\notepad.exe
  Relations: none recorded
Registry keys accessed

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
  Value names: ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, dontdisplaylastusername, EnableInstallerDetection, EnableLUA, EnableSecureUIAPaths, EnableUIADesktopToggle, EnableVirtualization, FilterAdministratorToken, legalnoticecaption, legalnoticetext, PromptOnSecureDesktop, scforceoption, shutdownwithoutlogon, undockwithoutlogon, ValidateAdminCodeSignatures
  Values with data:
    ConsentPromptBehaviorAdmin = 5 (REG_DWORD_LITTLE_ENDIAN)
    ConsentPromptBehaviorUser = 3 (REG_DWORD_LITTLE_ENDIAN)
    dontdisplaylastusername = 0 (REG_DWORD_LITTLE_ENDIAN)
    EnableInstallerDetection = 1 (REG_DWORD_LITTLE_ENDIAN)
    EnableLUA = 0 (REG_DWORD_LITTLE_ENDIAN)
    EnableSecureUIAPaths = 1 (REG_DWORD_LITTLE_ENDIAN)
    EnableUIADesktopToggle = 5 (REG_DWORD_LITTLE_ENDIAN)
    EnableVirtualization = 1 (REG_DWORD_LITTLE_ENDIAN)
    FilterAdministratorToken = 0 (REG_DWORD_LITTLE_ENDIAN)
    legalnoticecaption (REG_SZ, no data listed)
    legalnoticetext (REG_SZ, no data listed)
    PromptOnSecureDesktop = 1 (REG_DWORD_LITTLE_ENDIAN)
    scforceoption = 0 (REG_DWORD_LITTLE_ENDIAN)
    shutdownwithoutlogon = 1 (REG_DWORD_LITTLE_ENDIAN)
    undockwithoutlogon = 1 (REG_DWORD_LITTLE_ENDIAN)
    ValidateAdminCodeSignatures = 0 (REG_DWORD_LITTLE_ENDIAN)
  EnableLUA = 0 means UAC is switched off; this is the only UAC-related key in the report.

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System (no values listed)

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  Value names: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  Value names: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun

Mutex: OneCopyMutex

HKEY_CURRENT_USER\Software\Embarcadero\Locales
HKEY_LOCAL_MACHINE\Software\Embarcadero\Locales
HKEY_CURRENT_USER\Software\CodeGear\Locales
HKEY_LOCAL_MACHINE\Software\CodeGear\Locales
HKEY_CURRENT_USER\Software\Borland\Locales
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
  (These Locales keys are the ones the Delphi run-time library reads when it looks for a localized resource module, which points to a Delphi-built executable.)
HKEY_CLASSES_ROOT (root key, no subkey listed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
  DisableAntiSpyware = 1 (REG_DWORD_LITTLE_ENDIAN)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Features
  TamperProtection = 0 (REG_DWORD_LITTLE_ENDIAN)

DNS records: mzrevenge.ga, api.ipify.org, api.db-ip.com
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine
  Value name: ApplicationBase
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
  Value name: PSMODULEPATH
HKEY_CURRENT_USER\Environment
  Value name: PSMODULEPATH
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
  Value name: path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
  Value name: StackVersion
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\<log> and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\<log>\PowerShell, for each of these logs: Application, HardwareEvents, Internet Explorer, Key Management Service, Media Center, OAlerts, Security, System, Windows PowerShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds
  Value name: PipelineMaxStackSizeMB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM
  Value names: Logging, Logging Directory, Log File Max Size
Analyzed Sample #560905 (Malware Artifacts)
Sample-ID: #560905
Job-ID: #1450018
Submission-ID: #3886381
This sample was analyzed by VMRay Analyzer 3.2.2 on a Windows 7 system.
VTI Score: 100 (based on VTI Database Version 3.6)

Metadata of Sample File #560905
File name: 068ee14069f2ab33fe4abbe80b94fd0df12f597ea020f7ae4a23a8ca738fe4b7exe
MD5: 16f184f3cc988917079f7bdc750ae7ef
SHA1: b245e9388282209c17442c38ea4668d2798b2651
SHA256: 068ee14069f2ab33fe4abbe80b94fd0df12f597ea020f7ae4a23a8ca738fe4b7
Metadata of Analysis for Job-ID #1450018
Status fields (as extracted): True, Timeout, True, 240.003
Analysis environment: XDUWTFONO, win7_64_sp1, x86 64-bit, Windows 7 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa), user account 5p5NrGJn0jS HALPmcxz
VTI rule matches (category | score | rule | description | rule summary)
Defense Evasion | 5/5 | vmray_disable_uac_dialog_by_registry | Disables UAC dialog by registry. | Bypasses Windows User Account Control (UAC)
System Modification | 1/5 | vmray_create_file_in_os_dir | Creates file "C:\Windows\svchost.exe" in the OS directory. | Modifies operating system directory
Hide Tracks | 1/5 | vmray_create_process_with_hidden_window | The process "cmd.exe" starts with a hidden window. | Creates process with hidden window
Obfuscation | 2/5 | vmray_dynamic_api_usage_by_api | Resolves an unusually high number of APIs. | Resolves APIs dynamically to possibly evade static detection
Mutex | 1/5 | vmray_create_named_mutex | Creates mutex with name "OneCopyMutex". | Creates mutex
Discovery | 0/5 | vmray_enumerate_processes | Enumerates running processes. | Enumerates running processes
Hide Tracks | 1/5 | vmray_create_process_with_hidden_window | The process "powershell.exe" starts with a hidden window. | Creates process with hidden window
System Modification | 1/5 | vmray_create_file_in_os_dir | Creates file "C:\Windows\System32\drivers\etc\host" in the OS directory. | Modifies operating system directory
System Modification | 3/5 | vmray_disable_startup_repair | Disables startup repair by executing ""C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet". | Disables a Windows system tool
Network Connection | 1/5 | vmray_request_dns_by_name | Resolves host name "mzrevenge.ga". | Performs DNS request
Discovery | 1/5 | vmray_get_network_stats_by_api | Gets network statistics by API. | Tries to get network statistics
Network Connection | 1/5 | vmray_request_dns_by_name | Resolves host name "api.ipify.org". | Performs DNS request
Network Connection | 1/5 | vmray_request_dns_by_name | Resolves host name "api.db-ip.com". | Performs DNS request
User Data Modification | 4/5 | vmray_modify_user_files | Modifies the content of multiple user files. This is an indicator of an encryption attempt. | Modifies content of user files
User Data Modification | 4/5 | vmray_rename_user_files | Renames multiple user files. This is an indicator of an encryption attempt. | Renames user files
Execution | 4/5 | vmray_execute_encoded_powershell_script | Executes encoded PowerShell script to possibly hide malicious payload. | Executes encoded PowerShell script
System Modification | 1/5 | vmray_create_many_files | Creates an above-average number of files. | Creates an unusually large number of files
User Data Modification | 4/5 | vmray_modify_windows_backup_settings | Deletes Windows volume shadow copies. | Modifies Windows automatic backups
Antivirus | 5/5 | vmray_av_malicious_match | Local AV detected the dropped file "C:\Windows\svchost.exe" as "Gen:Trojan.Heur.bnuar8ymEFli". | Malicious content was detected by heuristic scan
Antivirus | 5/5 | vmray_av_malicious_match | Local AV detected a memory dump of process "svchost.exe" as "Gen:Trojan.Heur.No1@rqjHbMmi". | Malicious content was detected by heuristic scan
Antivirus | 5/5 | vmray_av_malicious_match | Local AV detected a memory dump of process "svchost.exe" as "Gen:Trojan.Heur.No1@r0BaWaji". | Malicious content was detected by heuristic scan
Antivirus | 5/5 | vmray_av_malicious_match | Local AV detected a memory dump of process "svchost.exe" as "Gen:Variant.Uztub.23". | Malicious content was detected by heuristic scan
Execution | 1/5 | vmray_drop_pe_file | Drops file "C:\Windows\svchost.exe". | Drops PE file
Execution | 1/5 | vmray_drop_pe_file | Drops file "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\libeay32.dll". | Drops PE file
Execution | 1/5 | vmray_drop_pe_file | Drops file "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ssleay32.dll". | Drops PE file
Execution | 1/5 | vmray_execute_dropped_pe_file | Executes dropped file "C:\Windows\svchost.exe". | Executes dropped PE file
Network Connection | 1/5 | vmray_tcp_in_connection | Incoming TCP connection from host "128.127.106.29:443". | Connects to remote host
Network Connection | 1/5 | vmray_tcp_in_connection | Incoming TCP connection from host "104.26.4.15:443". | Connects to remote host
Network Connection | 1/5 | vmray_tcp_in_connection | Incoming TCP connection from host "184.73.185.65:443". | Connects to remote host
Network Connection | 1/5 | vmray_tcp_out_connection | Outgoing TCP connection to host "128.127.106.29:443". | Connects to remote host
Network Connection | 1/5 | vmray_tcp_out_connection | Outgoing TCP connection to host "104.26.4.15:443". | Connects to remote host
Network Connection | 1/5 | vmray_tcp_out_connection | Outgoing TCP connection to host "184.73.185.65:443". | Connects to remote host
Network Connection | 2/5 | vmray_install_tcp_server | TCP server listens on port "49158". | Sets up server that accepts incoming connections
Network Connection | 2/5 | vmray_install_tcp_server | TCP server listens on port "49166". | Sets up server that accepts incoming connections

Note: libeay32.dll and ssleay32.dll are the conventional file names of the OpenSSL crypto and SSL libraries.