1c2bdfa5...b0b4 | VTI
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Riskware, Trojan, Ransomware

1c2bdfa5e30cbf8eb92c3764de9b106aa722a81b50641698d2620a49b530b0b4 (SHA256)

1c2bdfa5e30cbf8eb92c3764de9b106aa722a81b50641698d2620a49b530b0b4.exe

Windows Exe (x86-32)

Created at 2018-08-28 15:01:00

Notifications (2/4)

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.

The overall sleep time of all monitored processes was truncated from "10 minutes" to "10 seconds" to reveal dormant functionality.

The operating system was rebooted during the analysis.

Severity Category Operation Classification
5/5
File System Encrypts content of user files Ransomware
  • Encrypts the content of multiple user files. This is an indicator for ransomware.
5/5
YARA YARA match -
  • Rule "WiltedTulip_Tools_clrlg" from ruleset "APTs" has matched for "C:\windows\clerlog.bat"
  • Rule "Shellcode_GetPC_fstenv" from ruleset "Generic" has matched for "\\?\C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe ID NL5VaVIIqOZA.BadNews"
  • Rule "Shellcode_GetPC_fstenv" from ruleset "Generic" has matched for "\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe ID NL5VaVIIqOZA.BadNews"
4/5
File System Known malicious file Trojan
  • File "C:\Users\CIiHmnxMn6Ps\Desktop\1c2bdfa5e30cbf8eb92c3764de9b106aa722a81b50641698d2620a49b530b0b4.exe" is a known malicious file.
3/5
OS Modifies system security configuration -
2/5
Anti Analysis Delays execution -
1/5
Persistence Installs system startup script or application -
  • Adds ""c:\How To Decode Files.hta"" to Windows startup via registry.
1/5
File System Modifies operating system directory -
1/5
Hide Tracks Writes an unusually large amount of data to the registry -
  • Hides 1280 bytes in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\\rsa".
1/5
Process Creates process with hidden window -
  • The process "C:\Windows\system32\cmd.exe" starts with hidden window.
1/5
File System Modifies application directory -
  • Modifies "c:\program files (x86)\desktop.ini id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\adobe\lib-nice-selections.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\christopher_pro_recruiting.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\internet explorer\how to decode files.hta".
  • Modifies "c:\program files\internet explorer\highlight.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\java\nigeriareached.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\how to decode files.hta".
  • Modifies "c:\program files\microsoft office\appxmanifest.xml id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\filesystemmetadata.xml id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office 15\how to decode files.hta".
  • Modifies "c:\program files\microsoft office 15\debate gs response.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office 15\italianbreakfastinstructors.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office 15\teach.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\uninstall information\how to decode files.hta".
  • Modifies "c:\program files\uninstall information\admit-marvel.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\uninstall information\broadwaychildrenvocational.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\uninstall information\product-fears-seafood.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\windows journal\how to decode files.hta".
  • Modifies "c:\program files\windows journal\family-parliamentary.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\windows mail\definitionselectionsea.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\windows media player\how to decode files.hta".
  • Modifies "c:\program files\windows multimedia platform\how to decode files.hta".
  • Modifies "c:\program files\windows portable devices\how to decode files.hta".
  • Modifies "c:\program files (x86)\google\hydrocodone against.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\google\reprinttruepressing.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\microsoft.net\how to decode files.hta".
  • Modifies "c:\program files (x86)\microsoft.net\slovenia.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\microsoft.net\tactics.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\mozilla maintenance service\how to decode files.hta".
  • Modifies "c:\program files (x86)\windows media player\how to decode files.hta".
  • Modifies "c:\program files (x86)\windows multimedia platform\how to decode files.hta".
  • Modifies "c:\program files (x86)\windows nt\how to decode files.hta".
  • Modifies "c:\program files (x86)\windows nt\demand_sony.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\windows photo viewer\how to decode files.hta".
  • Modifies "c:\program files (x86)\windows photo viewer\biotechnology.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\common files\designer\how to decode files.hta".
  • Modifies "c:\program files\common files\services\how to decode files.hta".
  • Modifies "c:\program files\common files\system\how to decode files.hta".
  • Modifies "c:\program files (x86)\adobe\acrobat reader dc\how to decode files.hta".
  • Modifies "c:\program files (x86)\windows mail\how to decode files.hta".
  • Modifies "c:\program files\msbuild\delivered-sapphire-divisions.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\internet explorer\how to decode files.hta".
  • Modifies "c:\program files (x86)\windows portable devices\advantageknowledgestormdaddy.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\common files\designer\msaddndr.olb id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\reference assemblies\how to decode files.hta".
  • Modifies "c:\program files\reference assemblies\rely.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\adobe\acrobat reader dc\readme.htm id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\services\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\system\how to decode files.hta".
  • Modifies "c:\program files (x86)\mozilla firefox\how to decode files.hta".
  • Modifies "c:\program files\windows journal\style_percent.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\mozilla firefox\accessible.tlb id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\windows mail\en-us\how to decode files.hta".
  • Modifies "c:\program files\java\jre1.8.0_131\how to decode files.hta".
  • Modifies "c:\program files\windows nt\accessories\how to decode files.hta".
  • Modifies "c:\program files\windows media player\media renderer\how to decode files.hta".
  • Modifies "c:\program files (x86)\mozilla firefox\accessiblemarshal.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office 15\clientx64\how to decode files.hta".
  • Modifies "c:\program files\windows nt\tabletextservice\how to decode files.hta".
  • Modifies "c:\program files (x86)\mozilla firefox\api-ms-win-core-console-l1-1-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\java\jre1.8.0_131\copyright id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\mozilla maintenance service\updater.ini id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\java\jre1.8.0_131\license id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\common files\microsoft shared\msinfo\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\office16\how to decode files.hta".
  • Modifies "c:\program files\common files\system\ado\how to decode files.hta".
  • Modifies "c:\program files\common files\system\ole db\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\vgx\how to decode files.hta".
  • Modifies "c:\program files\common files\system\en-us\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\java\java update\how to decode files.hta".
  • Modifies "c:\program files (x86)\internet explorer\en-us\how to decode files.hta".
  • Modifies "c:\program files (x86)\mozilla firefox\api-ms-win-core-datetime-l1-1-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office 15\clientx64\integratedoffice.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\system\ado\how to decode files.hta".
  • Modifies "c:\program files (x86)\windows nt\tabletextservice\how to decode files.hta".
  • Modifies "c:\program files (x86)\windows nt\accessories\how to decode files.hta".
  • Modifies "c:\program files (x86)\mozilla maintenance service\logs\how to decode files.hta".
  • Modifies "c:\program files (x86)\microsoft.net\redistlist\how to decode files.hta".
  • Modifies "c:\program files (x86)\adobe\acrobat reader dc\reader\how to decode files.hta".
  • Modifies "c:\program files\windows media player\skins\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\how to decode files.hta".
  • Modifies "c:\program files\internet explorer\signup\install.ins id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\.lnk id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\windows defender\en-us\how to decode files.hta".
  • Modifies "c:\program files (x86)\adobe\acrobat reader dc\resource\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\source engine\ose.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\office15\how to decode files.hta".
  • Modifies "c:\program files (x86)\microsoft.net\primary interop assemblies\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vsta\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\microsoft shared\dao\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\microsoft shared\stationery\how to decode files.hta".
  • Modifies "c:\program files (x86)\internet explorer\signup\how to decode files.hta".
  • Modifies "c:\program files\windows nt\tabletextservice\en-us\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\msinfo\en-us\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-file-l1-2-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-file-l2-1-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-localization-l1-2-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\internet explorer\signup\install.ins id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\windows media player\media renderer\how to decode files.hta".
  • Modifies "c:\program files (x86)\adobe\acrobat reader dc\setup files\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\how to decode files.hta".
  • Modifies "c:\program files (x86)\mozilla firefox\api-ms-win-core-debug-l1-1-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\microsoft shared\msinfo\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\microsoft shared\ink\how to decode files.hta".
  • Modifies "c:\program files\windowspowershell\modules\powershellget\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vgx\how to decode files.hta".
  • Modifies "c:\program files\common files\system\msadc\how to decode files.hta".
  • Modifies "c:\program files\windows media player\network sharing\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\vc\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\microsoft shared\msenv\publicassemblies\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\adobe\helpcfg\en_us\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\ink\how to decode files.hta".
  • Modifies "c:\program files (x86)\msbuild\microsoft\windows workflow foundation\v3.5\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\microsoft shared\stationery\desktop.ini id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vc\how to decode files.hta".
  • Modifies "c:\program files\java\jre1.8.0_131\lib\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-processthreads-l1-1-1.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vsta\pipeline.v10.0\how to decode files.hta".
  • Modifies "c:\program files\windows nt\accessories\en-us\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\adobe\helpcfg\en_us\reader_dc.helpcfg id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vsta\appinfodocument\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\microsoft shared\msenv\publicassemblies\extensibility.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\licenses\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\adobe\arm\1.0\how to decode files.hta".
  • Modifies "c:\program files (x86)\msbuild\microsoft\windows workflow foundation\v3.0\how to decode files.hta".
  • Modifies "c:\program files\reference assemblies\microsoft\framework\v3.0\how to decode files.hta".
  • Modifies "c:\program files (x86)\windowspowershell\modules\packagemanagement\1.0.0.0\how to decode files.hta".
  • Modifies "c:\program files (x86)\windowspowershell\modules\pester\3.3.5\how to decode files.hta".
  • Modifies "c:\program files (x86)\reference assemblies\microsoft\framework\v3.5\how to decode files.hta".
  • Modifies "c:\program files\reference assemblies\microsoft\framework\v3.5\how to decode files.hta".
  • Modifies "c:\program files (x86)\google\chrome\application\58.0.3029.110\how to decode files.hta".
  • Modifies "c:\program files (x86)\windowspowershell\modules\packagemanagement\1.0.0.0\en\how to decode files.hta".
  • Modifies "c:\program files (x86)\google\chrome\application\58.0.3029.110\58.0.3029.110.manifest id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\mozilla maintenance service\logs\maintenanceservice-install.log id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\windowspowershell\modules\powershellget\powershellget.psd1 id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\common files\microsoft shared\stationery\desktop.ini id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\windowspowershell\modules\powershellget\powershellget.psd1 id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\msbuild\microsoft\windows workflow foundation\v3.0\workflow.targets id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\adobe\acrobat reader dc\resource\enutxt.pdf id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\adobe\acrobat reader dc\reader\1494870c-9912-c184-4cc9-b401-a53f4d8de290.pdf id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\windowspowershell\modules\powershellget\psget.format.ps1xml id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\windowspowershell\modules\powershellget\psget.format.ps1xml id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\msbuild\microsoft\windows workflow foundation\v3.0\workflow.visualbasic.targets id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\adobe\arm\1.0\adobearm.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\mozilla firefox\api-ms-win-core-errorhandling-l1-1-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\reference assemblies\microsoft\framework\v3.0\winfxlist.xml id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\windowspowershell\modules\powershellget\psget.psm1 id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\adobe\acrobat reader dc\reader\a3dutils.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\windowspowershell\modules\powershellget\psget.psm1 id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\rsod\access.x-none.msi.16.x-none.boot.tree.dat id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\common files\microsoft shared\vsto\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vc\msdia100.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\mozilla firefox\api-ms-win-core-file-l1-1-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\mozilla firefox\api-ms-win-core-file-l1-2-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\windowspowershell\modules\powershellget\psget.resource.psd1 id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\mozilla firefox\api-ms-win-core-file-l2-1-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\mozilla firefox\api-ms-win-core-handle-l1-1-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\rsod\access.x-none.msi.16.x-none.tree.dat id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\rsod\accessmui.msi.16.en-us.boot.tree.dat id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\rsod\accessmui.msi.16.en-us.tree.dat id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\common files\microsoft shared\vsto\vstoee.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\rsod\accessmuiset.msi.16.en-us.boot.tree.dat id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\mozilla firefox\api-ms-win-core-heap-l1-1-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\mozilla firefox\api-ms-win-core-interlocked-l1-1-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\common files\microsoft shared\vsto\10.0\how to decode files.hta".
  • Modifies "c:\program files (x86)\mozilla firefox\api-ms-win-core-libraryloader-l1-1-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\rsod\accessmuiset.msi.16.en-us.tree.dat id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\common files\microsoft shared\vsto\vstoee100.tlb id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\common files\microsoft shared\ink\en-us\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\adobe\arm\1.0\adobearmhelper.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\adobe\arm\1.0\armsvc.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\common files\microsoft shared\vsto\vstoee90.tlb id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\rsod\dcf.x-none.msi.16.x-none.boot.tree.dat id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\rsod\dcf.x-none.msi.16.x-none.tree.dat id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\adobe\acrobat reader dc\reader\ace.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\rsod\dcfmui.msi.16.en-us.boot.tree.dat id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\rsod\dcfmui.msi.16.en-us.tree.dat id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\common files\microsoft shared\ink\et-ee\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\ink\fi-fi\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\ink\el-gr\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\ink\de-de\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\ink\da-dk\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\ink\bg-bg\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\ink\ar-sa\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\ink\es-es\how to decode files.hta".
  • Modifies "c:\program files (x86)\adobe\acrobat reader dc\reader\acrobroker.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\mozilla firefox\api-ms-win-core-memory-l1-1-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\help\how to decode files.hta".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\source engine\how to decode files.hta".
  • Modifies "c:\program files\microsoft office\root\mcxml\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\vsto\10.0\vstoinstaller.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vc\amd64\msdia80.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vsta\vstofiles.cat id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\reference assemblies\microsoft\framework\v3.0\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\vc\msdia100.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\msclientdatamgr\how to decode files.hta".
  • Modifies "c:\program files\microsoft office\root\vfs\systemx86\how to decode files.hta".
  • Modifies "c:\program files\microsoft office\office16\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\system\ole db\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\adobe\reader\dc\linguistics\languagenames2\how to decode files.hta".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\grphflt\how to decode files.hta".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\dw\how to decode files.hta".
  • Modifies "c:\program files\microsoft office\updates\detection\version\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\ink\fr-ca\how to decode files.hta".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\smart tag\fbiblio.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\api-ms-win-core-file-l1-2-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\euro\msoeuro.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\api-ms-win-core-file-l2-1-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\updates\detection\version\v64.hash id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\document themes 16\how to decode files.hta".
  • Modifies "c:\program files\windowspowershell\modules\powershellget\en-us\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\microsoft shared\msinfo\en-us\how to decode files.hta".
  • Modifies "c:\program files (x86)\windows media player\en-us\how to decode files.hta".
  • Modifies "c:\program files\windows journal\templates\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\system\msadc\how to decode files.hta".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\dw\dbghelp.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\smart tag\fdate.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\api-ms-win-core-localization-l1-2-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office 15\clientx64\officeclicktorun.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\java\jre1.8.0_131\readme.txt id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\windowspowershell\modules\psreadline\1.1\how to decode files.hta".
  • Modifies "c:\program files\windowspowershell\modules\packagemanagement\1.0.0.0\how to decode files.hta".
  • Modifies "c:\program files\windowspowershell\modules\psreadline\1.1\microsoft.powershell.psreadline.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\common files\microsoft shared\ink\he-il\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\ink\ja-jp\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\ink\it-it\how to decode files.hta".
  • Modifies "c:\program files\microsoft office\root\flattener\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\office16\liclua.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\fonts\private\agencyb.ttf id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\windowspowershell\modules\psreadline\1.1\psreadline.format.ps1xml id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\adobe\reader\dc\linguistics\languagenames2\displaylanguagenames.en_ca.txt id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\windowspowershell\modules\pester\3.3.5\how to decode files.hta".
  • Modifies "c:\program files\msbuild\microsoft\windows workflow foundation\v3.0\workflow.targets id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\grphflt\epsimp32.flt id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\proof\mslid.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\windowspowershell\modules\psreadline\1.1\psreadline.psd1 id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\adobe\reader\dc\linguistics\languagenames2\displaylanguagenames.en_gb.txt id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\windowspowershell\modules\psreadline\1.1\psreadline.psm1 id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\adobe\reader\dc\linguistics\languagenames2\displaylanguagenames.en_gb_euro.txt id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\source engine\ose.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\help\hx.hxc id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\templates\presentation designs\maple.gif id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\loc\appxmanifestloc.16.en-us.xml id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\help\hx.hxt id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\themes16\how to decode files.hta".
  • Modifies "c:\program files\microsoft office\root\mcxml\appvisvsubsystems32.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\windowspowershell\modules\psreadline\1.1\en\how to decode files.hta".
  • Modifies "c:\program files\microsoft office\root\client\api-ms-win-core-file-l1-2-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\adobe\reader\dc\linguistics\languagenames2\displaylanguagenames.en_us.txt id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\proof\mswds_en.lex id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\msbuild\microsoft\windows workflow foundation\v3.0\workflow.visualbasic.targets id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\reference assemblies\microsoft\framework\v3.0\winfxlist.xml id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\windowspowershell\modules\psreadline\1.1\en\microsoft.powershell.psreadline.resources.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\adobe\reader\dc\linguistics\languagenames2\displaylanguagenames.en_us_posix.txt id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\acecore.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\windowspowershell\modules\pester\3.3.5\snippets\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vsta\pipeline.v10.0\addinsideadapters\how to decode files.hta".
  • Modifies "c:\program files\microsoft office\root\office16\accicons.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\mozilla firefox\api-ms-win-core-namedpipe-l1-1-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\updates\detection\version\versiondescriptor.xml id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vsta\pipeline.v10.0\addinviews\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vsta\pipeline.v10.0\hostsideadapters\how to decode files.hta".
  • Modifies "c:\program files\microsoft office\root\licenses16\how to decode files.hta".
  • Modifies "c:\program files\java\jre1.8.0_131\lib\accessibility.properties id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vsta\pipeline.v10.0\addinsideadapters\microsoft.visualstudio.tools.applications.addinadapter.v10.0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\dw\dw20.exe id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vsta\pipeline.v10.0\addinsideadapters\microsoft.visualstudio.tools.applications.addinadapter.v9.0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\client\api-ms-win-core-file-l2-1-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\common files\microsoft shared\ink\languagemodel\how to decode files.hta".
  • Modifies "c:\program files\common files\microsoft shared\ink\lt-lt\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vsta\pipeline.v10.0\addinsideadapters\microsoft.visualstudio.tools.office.addinadapter.v9.0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\filters\msgfilt.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\fonts\private\agencyr.ttf id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\licenses\c2rpridslicensefiles_auto.xml id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\system\atl100.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\windowspowershell\modules\powershellget\en-us\psget.resource.psd1 id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\mozilla firefox\api-ms-win-core-processenvironment-l1-1-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\microsoft.net\primary interop assemblies\microsoft.stdformat.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vsta\pipeline.v10.0\contracts\microsoft.visualstudio.tools.applications.contract.v10.0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\common programs\access.lnk id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vsta\appinfodocument\addins.store id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-synch-l1-2-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\windowspowershell\modules\pester\3.3.5\bin\how to decode files.hta".
  • Modifies "c:\program files\microsoft office\packagemanifests\how to decode files.hta".
  • Modifies "c:\program files\microsoft office\root\integration\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vsta\pipeline.v10.0\hostsideadapters\microsoft.visualstudio.tools.applications.hostadapter.v10.0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\grphflt\gifimp32.flt id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\adobe\acrobat reader dc\reader\acrofx32.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\templates\1033\adjacencyletter.dotx id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vsta\pipeline.v10.0\addinviews\microsoft.office.tools.v9.0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vsta\pipeline.v10.0\pipelinesegments.store id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\vfs\systemx86\concrt140.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\mcxml\appvisvsubsystems64.dll id nl5vaviiqoza.badnews".
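Two things in the list above are what a responder turns into indicators: every renamed file carries the same appended marker, "id nl5vaviiqoza.badnews", and the same unrenamed file, "how to decode files.hta", is dropped into directory after directory. The script below is an added example, not VMRay code and not part of this report. It parses a sample of the report's own "Modifies" lines (plus one constructed benign write for contrast), recovers the victim ID and extension from the shared suffix, identifies the ransom note as the unrenamed file name that recurs across the most directories, scores the event set, and emits glob patterns for a host sweep. The suffix regex, the thresholds and the scoring are assumptions of this example, not the analyzer's logic; the victim ID is also assumed to be per-victim, so the sweep keys on the extension and note name rather than the ID.

```python
"""Turn VMRay 'Modifies "<path>"' events into ransomware indicators.

Added example; not VMRay code and not part of the report. Sample lines are
copied from the report's file-system section plus one constructed benign
write; regex, thresholds and scoring are this example's own assumptions.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: nine lines copied from the report, one benign write added.
SAMPLE_EVENTS = r"""
  • Modifies "c:\program files (x86)\mozilla firefox\api-ms-win-core-namedpipe-l1-1-0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vsta\pipeline.v10.0\addinviews\how to decode files.hta".
  • Modifies "c:\program files (x86)\common files\microsoft shared\vsta\pipeline.v10.0\addinviews\microsoft.office.tools.v9.0.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\licenses16\how to decode files.hta".
  • Modifies "c:\program files\java\jre1.8.0_131\lib\accessibility.properties id nl5vaviiqoza.badnews".
  • Modifies "c:\program files\microsoft office\root\integration\how to decode files.hta".
  • Modifies "c:\program files\windowspowershell\modules\pester\3.3.5\bin\how to decode files.hta".
  • Modifies "c:\program files\microsoft office\root\vfs\system\atl100.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\program files (x86)\adobe\acrobat reader dc\reader\acrofx32.dll id nl5vaviiqoza.badnews".
  • Modifies "c:\users\ciihmnxmn6ps\desktop\notes.txt".
"""

EVENT_RE = re.compile(r'Modifies\s+"([^"]+)"')
# Assumed shape of the appended marker: '<original name> id <victim-id>.<ext>'.
MARKER_RE = re.compile(r"^(?P<orig>.+?) id (?P<victim>[a-z0-9]+)\.(?P<ext>[a-z0-9]+)$", re.I)


def parse_events(text):
    """One record per event: full path, parent directory, file name, marker or None."""
    records = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        path = PureWindowsPath(m.group(1).lower())
        marker = MARKER_RE.match(path.name)
        records.append({
            "path": str(path),
            "parent": str(path.parent),
            "name": path.name,
            "marker": (marker["victim"], marker["ext"]) if marker else None,
        })
    return records


def summarize(records, min_encrypted=5, min_note_dirs=3):
    """Combine two signals: one shared rename suffix on many files, and one
    unrenamed file name fanned out across many directories (the ransom note).
    Thresholds are assumptions, not analyzer settings."""
    marked = [r for r in records if r["marker"]]
    suffixes = Counter(r["marker"] for r in marked)
    victim, ext = suffixes.most_common(1)[0][0] if suffixes else (None, None)
    # Only the dominant suffix counts; a stray '<x> id <y>.<z>' name does not.
    encrypted = [r for r in marked if r["marker"] == (victim, ext)]

    dirs_by_name = {}
    for r in records:
        if not r["marker"]:
            dirs_by_name.setdefault(r["name"], set()).add(r["parent"])
    note_name, note_dirs = None, 0
    for name, dirs in dirs_by_name.items():
        if len(dirs) > note_dirs:
            note_name, note_dirs = name, len(dirs)
    if note_dirs < min_note_dirs:
        note_name = None

    other_writes = sorted(r["path"] for r in records
                          if not r["marker"] and r["name"] != note_name)
    hits = (len(encrypted) >= min_encrypted) + (note_dirs >= min_note_dirs)
    verdict = ("inconclusive", "suspicious", "ransomware")[hits]
    return {
        "victim_id": victim,
        "extension": ext,
        "encrypted_files": len(encrypted),
        "encrypted_dirs": len({r["parent"] for r in encrypted}),
        "ransom_note": note_name,
        "note_dirs": note_dirs,
        "other_writes": other_writes,
        "verdict": verdict,
    }


def hunt_patterns(summary):
    """Glob patterns for a sweep of other hosts (e.g. Get-ChildItem -Recurse -Include).
    The victim ID is assumed per-victim, so it is deliberately left out."""
    patterns = []
    if summary["extension"]:
        patterns.append(f"*.{summary['extension']}")
    if summary["ransom_note"]:
        patterns.append(summary["ransom_note"])
    return patterns


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_EVENTS))
    for key, value in report.items():
        print(f"{key}: {value}")
    print("hunt:", hunt_patterns(report))
```

On the sample, the dominant suffix is ("nl5vaviiqoza", "badnews") on five files in five directories, the note recurs in four directories, and the one write that matches neither pattern (the constructed notes.txt) is surfaced separately for manual review. Keying the verdict on the dominant suffix rather than on any " id " match keeps a single legitimately named file such as "user id list.txt" from tripping the marker regex on its own.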
1/5
Masquerade Changes folder appearance Riskware
  • Folder "c:\$recycle.bin\s-1-5-21-1462094071-1423818996-289466292-1000" has a changed appearance.
  • Folder "c:\users\ciihmnxmn6ps\saved games" has a changed appearance.
  • Folder "c:\users\ciihmnxmn6ps\pictures\camera roll" has a changed appearance.
  • Folder "c:\program files (x86)\common files\microsoft shared\stationery" has a changed appearance.
  • Folder "c:\users\ciihmnxmn6ps\favorites\links" has a changed appearance.
  • Folder "c:\program files\common files\microsoft shared\stationery" has a changed appearance.
  • Folder "c:\users\ciihmnxmn6ps\pictures\saved pictures" has a changed appearance.
  • Folder "c:\users\public\desktop" has a changed appearance.
1/5
File System Creates an unusually large number of files -
Function Logfile
(interactive view; requires the VMRay backend, not reproduced here)

Screenshot (Before / After)
(interactive view; requires the VMRay backend, not reproduced here)