VMRay Analyzer Report for Sample #179867
VMRay Analyzer 3.1.1

DNS resolutions observed during analysis:
  dell1.ug     resolved to 8.208.13.6
  api.2ip.ua   resolved to 77.123.139.189
  dell2.ug     resolved to 37.140.198.232, 176.113.82.144, 195.133.1.208
Processes (process number, image name, PID, parent PID, command line, working directory, image path):

Process 1: 2b74.tmp.exe.exe (PID 2456, parent PID 1116)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\2B74.TMP.EXE.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\users\5p5nrgjn0js halpmcxz\desktop\2b74.tmp.exe.exe

Process 3: icacls.exe (PID 2648, parent PID 2456)
  Command line: icacls "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\dfccf938-04f6-4f10-bbc6-7554a5d45465" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\windows\syswow64\icacls.exe

Process 4: taskeng.exe (PID 1292, parent PID 876)
  Command line: taskeng.exe {0E3013FB-5D32-4499-A940-035C87CD1A3B} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1]
  Working directory: C:\Windows\system32\
  Image path: c:\windows\system32\taskeng.exe

Process 5: 2b74.tmp.exe.exe (PID 2664, parent PID 2456)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\2B74.TMP.EXE.exe" --Admin IsNotAutoStart IsNotTask
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\users\5p5nrgjn0js halpmcxz\desktop\2b74.tmp.exe.exe

Process 6: updatewin1.exe (PID 2760, parent PID 2664)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\updatewin1.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\users\5p5nrgjn0js halpmcxz\appdata\local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\updatewin1.exe

Process 7: updatewin2.exe (PID 2772, parent PID 2664)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\updatewin2.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\users\5p5nrgjn0js halpmcxz\appdata\local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\updatewin2.exe

Process 8: updatewin.exe (PID 2780, parent PID 2664)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\updatewin.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\users\5p5nrgjn0js halpmcxz\appdata\local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\updatewin.exe

Process 9: 4.exe (PID 2792, parent PID 2664)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\4.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\users\5p5nrgjn0js halpmcxz\appdata\local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\4.exe

Process 10: 5.exe (PID 2800, parent PID 2664)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\5.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\users\5p5nrgjn0js halpmcxz\appdata\local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\5.exe

Process 11: updatewin1.exe (PID 2824, parent PID 2760)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\updatewin1.exe" --Admin
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\
  Image path: c:\users\5p5nrgjn0js halpmcxz\appdata\local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\updatewin1.exe

Process 12: powershell.exe (PID 2832, parent PID 2824)
  Command line: powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\
  Image path: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe

Process 13: taskeng.exe (PID 2968, parent PID 876)
  Command line: taskeng.exe {30A33284-2FCE-4F58-AEDA-6805F44898A6} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:LUA[1]
  Working directory: C:\Windows\system32\
  Image path: c:\windows\system32\taskeng.exe

Process 14: 2b74.tmp.exe.exe (PID 3000, parent PID 2968)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\dfccf938-04f6-4f10-bbc6-7554a5d45465\2B74.TMP.EXE.exe" --Task
  Working directory: C:\Windows\system32\
  Image path: c:\users\5p5nrgjn0js halpmcxz\appdata\local\dfccf938-04f6-4f10-bbc6-7554a5d45465\2b74.tmp.exe.exe

Process 18: 2b74.tmp.exe.exe (PID 1228, parent PID 892)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\dfccf938-04f6-4f10-bbc6-7554a5d45465\2B74.TMP.EXE.exe" --AutoStart
  Working directory: C:\Windows\system32\
  Image path: c:\users\5p5nrgjn0js halpmcxz\appdata\local\dfccf938-04f6-4f10-bbc6-7554a5d45465\2b74.tmp.exe.exe
Malware artifacts recorded during analysis (grouped by type):

Files and directories:
  Standard handles STD_INPUT_HANDLE, STD_OUTPUT_HANDLE and STD_ERROR_HANDLE
  c:\users\5p5nrgjn0js halpmcxz\appdata\local\dfccf938-04f6-4f10-bbc6-7554a5d45465 (directory)
  c:\users\5p5nrgjn0js halpmcxz\appdata\local\dfccf938-04f6-4f10-bbc6-7554a5d45465\2b74.tmp.exe.exe
  i:\5d2860c89d774.jpg
  c:\users\5p5nrgjn0js halpmcxz\appdata\local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d (directory)
  c:\systemid (directory)
  c:\systemid\personalid.txt
  c:\bootsect.bak
  c:\boot\bcd.log
  c:\boot\bcd.log1
  c:\boot\bcd.log2
  c:\boot\bootstat.dat
  c:\boot\memtest.exe
  c:\boot\cs-cz\bootmgr.exe.mui
  c:\boot\da-dk\bootmgr.exe.mui
  c:\boot\de-de\bootmgr.exe.mui
  c:\boot\el-gr\bootmgr.exe.mui
  c:\boot\en-us\bootmgr.exe.mui
  c:\boot\en-us\memtest.exe.mui
  c:\boot\es-es\bootmgr.exe.mui
  c:\boot\fi-fi\bootmgr.exe.mui
  c:\boot\fonts\chs_boot.ttf
  c:\boot\fonts\cht_boot.ttf
  c:\boot\fonts\jpn_boot.ttf
  c:\boot\fonts\kor_boot.ttf
  c:\boot\fonts\wgl4_boot.ttf
  c:\boot\fr-fr\bootmgr.exe.mui
  c:\boot\hu-hu\bootmgr.exe.mui
  c:\boot\it-it\bootmgr.exe.mui
  c:\boot\ja-jp\bootmgr.exe.mui
  c:\boot\ko-kr\bootmgr.exe.mui
  c:\boot\nb-no\bootmgr.exe.mui
  c:\boot\nl-nl\bootmgr.exe.mui
  c:\boot\pl-pl\bootmgr.exe.mui
  c:\boot\pt-br\bootmgr.exe.mui
  c:\boot\pt-pt\bootmgr.exe.mui
  c:\boot\ru-ru\bootmgr.exe.mui
  c:\boot\sv-se\bootmgr.exe.mui
  c:\boot\tr-tr\bootmgr.exe.mui
  c:\boot\zh-cn\bootmgr.exe.mui
  c:\boot\zh-hk\bootmgr.exe.mui
  c:\boot\zh-tw\bootmgr.exe.mui
  c:\users\5p5nrgjn0js halpmcxz\ntuser.dat
  c:\users\5p5nrgjn0js halpmcxz\searches\everywhere.search-ms
  c:\users\5p5nrgjn0js halpmcxz\searches\indexed locations.search-ms
  c:\users\5p5nrgjn0js halpmcxz\documents\my shapes\favorites.vss
  c:\users\5p5nrgjn0js halpmcxz\appdata\locallow\sun\java\au\au.cab
  c:\users\5p5nrgjn0js halpmcxz\appdata\locallow\sun\java\au\au.msi
  c:\users\5p5nrgjn0js halpmcxz\appdata\locallow\sun\java\deployment\deployment.properties
  c:\users\5p5nrgjn0js halpmcxz\appdata\locallow\sun\java\jre1.7.0_45\data1.cab
  c:\users\5p5nrgjn0js halpmcxz\appdata\locallow\sun\java\jre1.7.0_45\jre1.7.0_45.msi
  c:\users\5p5nrgjn0js halpmcxz\appdata\locallow\microsoft\internet explorer\domstore\36usa68t\imagesrv.adition[1].xml
  c:\users\5p5nrgjn0js halpmcxz\appdata\locallow\microsoft\internet explorer\domstore\3o75jdme\www.google[1].xml
  c:\users\5p5nrgjn0js halpmcxz\appdata\locallow\microsoft\internet explorer\domstore\vgmtoi09\www.msn[1].xml
  c:\_readme.txt
  c:\boot\_readme.txt
  c:\config.msi\_readme.txt
  c:\boot\cs-cz\_readme.txt
  c:\boot\da-dk\_readme.txt
  c:\boot\de-de\_readme.txt
  c:\boot\el-gr\_readme.txt
  c:\boot\en-us\_readme.txt
  c:\boot\es-es\_readme.txt
  c:\boot\fi-fi\_readme.txt
  c:\boot\fonts\_readme.txt
  c:\boot\fr-fr\_readme.txt
  c:\boot\hu-hu\_readme.txt
  c:\boot\it-it\_readme.txt

Mutexes:
  {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
  A6CF1546B-343A2EC6-63D8DC88-FF4A8C5D-82A11F69

Registry keys and values:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value SysHelper, set to "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\dfccf938-04f6-4f10-bbc6-7554a5d45465\2B74.TMP.EXE.exe" --AutoStart (REG_EXPAND_SZ)
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value SysHelper, set to 1 (REG_DWORD_LITTLE_ENDIAN)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography, value MachineGuid
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value ProductName
  HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell
  HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1
  HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value ApplicationBase
Analyzed Sample #179867
Sample-ID: #179867
Job-ID: #441855
Submission-ID: #312803
This sample was analyzed by VMRay Analyzer 3.1.1 on a Windows 7 system.
VTI Score: 100 (based on VTI Database Version 3.4)

Metadata of Sample File #179867
File name: 5106d847e6fecd52295ab7e01ce2e7525e3107f6a2d4dd3fc2956a8db970e799
File type: exe
MD5: 9fefc97d1a3bd960172df2a64e402684
SHA1: 157ad8ea6d0a34210bc3cfd0dafa0ef8c7ceba54
SHA256: 5106d847e6fecd52295ab7e01ce2e7525e3107f6a2d4dd3fc2956a8db970e799

Metadata of Analysis for Job-ID #441855
Termination reason: Timeout
Analysis duration: 240.013
Analysis VM: win7_64_sp1 (Windows 7, x86 64-bit, version 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa))
Hostname: XDUWTFONO
User name: 5p5NrGJn0jS HALPmcxz
VTI rule matches (category, rule score out of 5, rule name, description; the generic finding is given in parentheses):

Anti Analysis, score 2/5, vmray_dynamic_api_usage_by_api: Resolves an unusually high number of APIs. (Resolves APIs dynamically to possibly evade static detection)
Process, score 0/5, vmray_enumerate_processes: Enumerates running processes. (Enumerates running processes)
Hide Tracks, score 2/5, vmray_delete_executed_executable: Deletes executed executable "c:\users\5p5nrgjn0js halpmcxz\appdata\local\dfccf938-04f6-4f10-bbc6-7554a5d45465\2b74.tmp.exe.exe". (Deletes file after execution)
Persistence, score 1/5, vmray_install_startup_script_by_registry: Adds ""C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\dfccf938-04f6-4f10-bbc6-7554a5d45465\2B74.TMP.EXE.exe" --AutoStart" to Windows startup via registry. (Installs system startup script or application)
Process, score 1/5, vmray_create_process_with_hidden_window: The process "icacls" starts with hidden window. (Creates process with hidden window)
Process, score 1/5, vmray_install_ipc_endpoint: Creates mutex with name "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}". (Creates system object)
Network, score 4/5, vmray_modify_network_configuration_by_file: Modifies the host.conf file, probably to redirect network traffic. (Modifies network configuration)
Process, score 1/5, vmray_create_process_with_hidden_window: The process "powershell" starts with hidden window. (Creates process with hidden window)
Information Stealing, score 1/5, vmray_read_machine_guid: Reads the cryptographic machine GUID from registry. (Reads system data)
Process, score 1/5, vmray_install_ipc_endpoint: Creates mutex with name "A6CF1546B-343A2EC6-63D8DC88-FF4A8C5D-82A11F69". (Creates system object)
Network, score 1/5, vmray_get_network_stats_by_api: Gets network statistics by API. (Tries to get network statistics)
File System, score 4/5, vmray_modify_user_files: Modifies the content of multiple user files. This is an indicator for an encryption attempt. (Modifies content of user files)
File System, score 1/5, vmray_create_many_files: Creates an unusually large number of files. (Creates an unusually large number of files)
Anti Analysis, score 3/5, vmray_delay_by_scheduled_task_delayed: Schedules task for command "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\dfccf938-04f6-4f10-bbc6-7554a5d45465\2B74.TMP.EXE.exe", to be triggered by Time. Task has been rescheduled by the analyzer. (Delays execution)
Local AV, score 5/5, vmray_av_malicious_match: Local AV detected the sample itself as "Trojan.GenericKD.32452318". (Malicious content was detected by heuristic scan)
Local AV, score 5/5, vmray_av_malicious_match: Local AV detected "Trojan.AgentWDCR.SVC" in the response data of URL "http://dell1.ug/files/penelop/updatewin2.exe". (Malicious content was detected by heuristic scan)
Local AV, score 5/5, vmray_av_malicious_match: Local AV detected "Trojan.GenericKD.32145393" in the response data of URL "http://dell1.ug/files/penelop/5.exe". (Malicious content was detected by heuristic scan)
Local AV, score 5/5, vmray_av_malicious_match: Local AV detected "Trojan.GenericKD.31534187" in the response data of URL "http://dell1.ug/files/penelop/updatewin1.exe". (Malicious content was detected by heuristic scan)
Local AV, score 5/5, vmray_av_malicious_match: Local AV detected "Trojan.GenericKD.41651045" in the response data of URL "http://dell1.ug/files/penelop/4.exe". (Malicious content was detected by heuristic scan)
Local AV, score 5/5, vmray_av_malicious_match: Local AV detected "Trojan.AgentWDCR.SUF" in the response data of URL "http://dell1.ug/files/penelop/updatewin.exe". (Malicious content was detected by heuristic scan)
Local AV, score 5/5, vmray_av_malicious_match: Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\updatewin1.exe" as "Trojan.GenericKD.31534187". (Malicious content was detected by heuristic scan)
Local AV, score 5/5, vmray_av_malicious_match: Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\updatewin2.exe" as "Trojan.AgentWDCR.SVC". (Malicious content was detected by heuristic scan)
Local AV, score 5/5, vmray_av_malicious_match: Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\updatewin.exe" as "Trojan.AgentWDCR.SUF". (Malicious content was detected by heuristic scan)
Local AV, score 5/5, vmray_av_malicious_match: Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\4.exe" as "Trojan.GenericKD.41651045". (Malicious content was detected by heuristic scan)
Local AV, score 5/5, vmray_av_malicious_match: Local AV detected the downloaded file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\5.exe" as "Trojan.GenericKD.32145393". (Malicious content was detected by heuristic scan)
Local AV, score 5/5, vmray_av_malicious_match: Local AV detected the modified file "C:\Windows\System32\drivers\etc\hosts" as "Gen:Trojan.Qhost.1". (Malicious content was detected by heuristic scan)
Network, score 1/5, vmray_download_file_by_http_full: Downloads file via http from "http://dell1.ug/dhf58457ywuhifghpenelop3/Ai74ywouig/get.php?pid=9D21DEA2F9EA5AFC93634DAFF1A5107F&first=true". (Downloads file)
Network, score 1/5, vmray_download_file_by_http_full: Downloads file via http from "http://dell1.ug/dhf58457ywuhifghpenelop3/Ai74ywouig/get.php?pid=9D21DEA2F9EA5AFC93634DAFF1A5107F". (Downloads file)
Network, score 1/5, vmray_download_exe_by_http_full: Downloads executable via http from "http://dell1.ug/files/penelop/updatewin1.exe". (Downloads executable)
Network, score 1/5, vmray_download_exe_by_http_full: Downloads executable via http from "http://dell1.ug/files/penelop/updatewin2.exe". (Downloads executable)
Network, score 1/5, vmray_download_exe_by_http_full: Downloads executable via http from "http://dell1.ug/files/penelop/updatewin.exe". (Downloads executable)
Network, score 1/5, vmray_download_exe_by_http_full: Downloads executable via http from "http://dell1.ug/files/penelop/4.exe". (Downloads executable)
Network, score 1/5, vmray_download_exe_by_http_full: Downloads executable via http from "http://dell1.ug/files/penelop/5.exe". (Downloads executable)
Network, score 1/5, vmray_establish_http_connection: URL "http://dell1.ug/files/penelop/updatewin1.exe". (Connects to HTTP server)
Network, score 1/5, vmray_establish_http_connection: URL "http://dell1.ug/dhf58457ywuhifghpenelop3/Ai74ywouig/get.php?pid=9D21DEA2F9EA5AFC93634DAFF1A5107F&first=true". (Connects to HTTP server)
Network, score 1/5, vmray_establish_http_connection: URL "http://dell1.ug/files/penelop/updatewin2.exe". (Connects to HTTP server)
Network, score 1/5, vmray_establish_http_connection: URL "http://dell1.ug/files/penelop/updatewin.exe". (Connects to HTTP server)
Network, score 1/5, vmray_establish_http_connection: URL "http://dell1.ug/files/penelop/3.exe". (Connects to HTTP server)
Network, score 1/5, vmray_establish_http_connection: URL "http://dell1.ug/files/penelop/4.exe". (Connects to HTTP server)
Network, score 1/5, vmray_establish_http_connection: URL "http://dell1.ug/files/penelop/5.exe". (Connects to HTTP server)
Network, score 1/5, vmray_establish_http_connection: URL "dell2.ug/1/index.php". (Connects to HTTP server)
Network, score 1/5, vmray_establish_http_connection: URL "http://dell1.ug/dhf58457ywuhifghpenelop3/Ai74ywouig/get.php?pid=9D21DEA2F9EA5AFC93634DAFF1A5107F". (Connects to HTTP server)
Network, score 1/5, vmray_establish_https_connection: URL "https://api.2ip.ua/geo.json". (Connects to HTTPS server)
Reputation, score 5/5, vmray_known_malicious_file: File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\2B74.TMP.EXE.exe" is a known malicious file. (Known malicious file)
Reputation, score 5/5, vmray_known_malicious_file: File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\updatewin1.exe" is a known malicious file. (Known malicious file)
Reputation, score 5/5, vmray_known_malicious_file: File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\updatewin2.exe" is a known malicious file. (Known malicious file)
Reputation, score 5/5, vmray_known_malicious_file: File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\updatewin.exe" is a known malicious file. (Known malicious file)
Reputation, score 5/5, vmray_known_malicious_file: File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\4.exe" is a known malicious file. (Known malicious file)
Reputation, score 5/5, vmray_known_malicious_file: File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\16ec01a8-9cb0-4fd9-9d7a-ff79ab43a52d\5.exe" is a known malicious file. (Known malicious file)
Reputation, score 4/5, vmray_known_malicious_url_traffic: Contacted URL "http://dell1.ug/files/penelop/updatewin1.exe" is a known malicious URL. (Contacts known malicious URL)
Reputation, score 4/5, vmray_known_malicious_url_traffic: Contacted URL "http://dell1.ug/dhf58457ywuhifghpenelop3/Ai74ywouig/get.php?pid=9D21DEA2F9EA5AFC93634DAFF1A5107F&first=true" is a known malicious URL. (Contacts known malicious URL)
Reputation, score 4/5, vmray_known_malicious_url_traffic: Contacted URL "http://dell1.ug/files/penelop/updatewin2.exe" is a known malicious URL. (Contacts known malicious URL)
Reputation, score 4/5, vmray_known_malicious_url_traffic: Contacted URL "http://dell1.ug/files/penelop/updatewin.exe" is a known malicious URL. (Contacts known malicious URL)
Reputation, score 4/5, vmray_known_malicious_url_traffic: Contacted URL "http://dell1.ug/files/penelop/3.exe" is a known malicious URL. (Contacts known malicious URL)
Reputation, score 4/5, vmray_known_malicious_url_traffic: Contacted URL "http://dell1.ug/files/penelop/4.exe" is a known malicious URL. (Contacts known malicious URL)
Reputation, score 4/5, vmray_known_malicious_url_traffic: Contacted URL "http://dell1.ug/files/penelop/5.exe" is a known malicious URL. (Contacts known malicious URL)
Reputation, score 4/5, vmray_known_malicious_url_traffic: Contacted URL "http://dell1.ug/dhf58457ywuhifghpenelop3/Ai74ywouig/get.php?pid=9D21DEA2F9EA5AFC93634DAFF1A5107F" is a known malicious URL. (Contacts known malicious URL)
Reputation, score 4/5, vmray_known_malicious_url_traffic: Contacted URL "dell2.ug/1/index.php" is a known malicious URL. (Contacts known malicious URL)
Reputation, score 4/5, vmray_known_malicious_url_embedded: URL "http://dell1.ug/files/penelop/4.exe" embedded in file "analysis.pcap" is a known malicious URL. (File has embedded malicious URL)
Reputation, score 4/5, vmray_known_malicious_url_embedded: URL "http://dell1.ug/files/penelop/5.exe" embedded in file "analysis.pcap" is a known malicious URL. (File has embedded malicious URL)
Reputation, score 4/5, vmray_known_malicious_url_embedded: URL "http://dell1.ug/dhf58457ywuhifghpenelop3/Ai74ywouig/get.php?pid=9D21DEA2F9EA5AFC93634DAFF1A5107F" embedded in file "analysis.pcap" is a known malicious URL. (File has embedded malicious URL)
Reputation, score 4/5, vmray_known_malicious_url_embedded: URL "http://dell1.ug/dhf58457ywuhifghpenelop3/Ai74ywouig/get.php?pid=9D21DEA2F9EA5AFC93634DAFF1A5107F&first=true" embedded in file "analysis.pcap" is a known malicious URL. (File has embedded malicious URL)
Reputation, score 4/5, vmray_known_malicious_url_embedded: URL "http://dell1.ug/files/penelop/updatewin1.exe" embedded in file "analysis.pcap" is a known malicious URL. (File has embedded malicious URL)
Reputation, score 4/5, vmray_known_malicious_url_embedded: URL "http://dell1.ug/files/penelop/updatewin.exe" embedded in file "analysis.pcap" is a known malicious URL. (File has embedded malicious URL)
Reputation, score 4/5, vmray_known_malicious_url_embedded: URL "http://dell1.ug/files/penelop/3.exe" embedded in file "analysis.pcap" is a known malicious URL. (File has embedded malicious URL)
Reputation, score 4/5, vmray_known_malicious_url_embedded: URL "http://dell1.ug/files/penelop/updatewin2.exe" embedded in file "analysis.pcap" is a known malicious URL. (File has embedded malicious URL)
Static, score 1/5, vmray_static_analysis_parser_error: Static engine was unable to completely parse the analyzed file: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\2B74.TMP.EXE.exe. (Unparsable sections in file)
YARA, score 4/5, vmray_yara_match: Rule "PDF_Missing_startxref" from ruleset "Malicious-Documents" has matched on the dropped file "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\TQA_umDM14EkRmKehkUw.pdf.kvag". (YARA match)
YARA, score 3/5, vmray_yara_match: Rule "PDF_Missing_EOF" from ruleset "Malicious-Documents" has matched on the dropped file "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\TQA_umDM14EkRmKehkUw.pdf.kvag". (YARA match)
YARA, score 4/5, vmray_yara_match: Rule "PDF_Invalid_version" from ruleset "Malicious-Documents" has matched on the dropped file "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\TQA_umDM14EkRmKehkUw.pdf.kvag". (YARA match)
YARA, score 4/5, vmray_yara_match: Rule "PDF_Missing_startxref" from ruleset "Malicious-Documents" has matched on the modified file "C:\Users\5p5NrGJn0jS HALPmcxz\Documents\applvCx 7 7q.pdf". (YARA match)
YARA, score 3/5, vmray_yara_match: Rule "PDF_Missing_EOF" from ruleset "Malicious-Documents" has matched on the modified file "C:\Users\5p5NrGJn0jS HALPmcxz\Documents\applvCx 7 7q.pdf". (YARA match)
YARA, score 4/5, vmray_yara_match: Rule "PDF_Invalid_version" from ruleset "Malicious-Documents" has matched on the modified file "C:\Users\5p5NrGJn0jS HALPmcxz\Documents\applvCx 7 7q.pdf". (YARA match)
YARA, score 4/5, vmray_yara_match: Rule "PDF_Missing_startxref" from ruleset "Malicious-Documents" has matched on the modified file "C:\Users\5p5NrGJn0jS HALPmcxz\Documents\cIMF3tKpAi.pdf". (YARA match)
YARA, score 3/5, vmray_yara_match: Rule "PDF_Missing_EOF" from ruleset "Malicious-Documents" has matched on the modified file "C:\Users\5p5NrGJn0jS HALPmcxz\Documents\cIMF3tKpAi.pdf". (YARA match)
YARA, score 4/5, vmray_yara_match: Rule "PDF_Invalid_version" from ruleset "Malicious-Documents" has matched on the modified file "C:\Users\5p5NrGJn0jS HALPmcxz\Documents\cIMF3tKpAi.pdf". (YARA match)
YARA, score 4/5, vmray_yara_match: Rule "PDF_Missing_startxref" from ruleset "Malicious-Documents" has matched on the dropped file "C:\Users\5p5NrGJn0jS HALPmcxz\Documents\i8DRxWeUJn.pdf.kvag". (YARA match)
YARA, score 3/5, vmray_yara_match: Rule "PDF_Missing_EOF" from ruleset "Malicious-Documents" has matched on the dropped file "C:\Users\5p5NrGJn0jS HALPmcxz\Documents\i8DRxWeUJn.pdf.kvag". (YARA match)
YARA, score 4/5, vmray_yara_match: Rule "PDF_Invalid_version" from ruleset "Malicious-Documents" has matched on the dropped file "C:\Users\5p5NrGJn0jS HALPmcxz\Documents\i8DRxWeUJn.pdf.kvag". (YARA match)
YARA, score 4/5, vmray_yara_match: Rule "PDF_Missing_startxref" from ruleset "Malicious-Documents" has matched on the modified file "C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WzADlxLJE55HVxluBPw.pdf". (YARA match)
YARA, score 3/5, vmray_yara_match: Rule "PDF_Missing_EOF" from ruleset "Malicious-Documents" has matched on the modified file "C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WzADlxLJE55HVxluBPw.pdf". (YARA match)
YARA, score 4/5, vmray_yara_match: Rule "PDF_Invalid_version" from ruleset "Malicious-Documents" has matched on the modified file "C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WzADlxLJE55HVxluBPw.pdf". (YARA match)
YARA, score 5/5, vmray_yara_match: Rule "Gh0stMiancha_1_0_0" from ruleset "Malware" has matched on a memory dump for process "4.exe". (YARA match)