VMRay Analyzer Report for Sample #810856
VMRay Analyzer 3.2.2

Process 1
  PID: 1504
  Name: main.exe
  Parent PID: 1108
  Image: main.exe
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\main.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\users\5p5nrgjn0js halpmcxz\desktop\main.exe
Child_Of
Created

Process 2
  PID: 348
  Name: powershell.exe
  Parent PID: 1504
  Image: powershell.exe
  Command line: powershell [Environment]::GetLogicalDrives()
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\windows\system32\windowspowershell\v1.0\powershell.exe
WinRegistryKey operations (operation | hive\key | values accessed)
Opened | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell
Opened | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1
Opened | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | ApplicationBase, ApplicationBase
Opened | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | PSMODULEPATH, PSMODULEPATH
Opened | HKEY_CURRENT_USER\Environment | PSMODULEPATH
Opened | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | path, path
Opened | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | ApplicationBase, ApplicationBase
Opened | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | path, path
Opened | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | ApplicationBase, ApplicationBase
Opened | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | StackVersion, StackVersion
Opened | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | StackVersion, StackVersion
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
Opened | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
Opened | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | ApplicationBase, ApplicationBase
Opened | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | PipelineMaxStackSizeMB
Opened | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | PipelineMaxStackSizeMB
Analyzed Sample #810856
Malware Artifacts
Sample-ID: #810856
Job-ID: #2122301
This sample was analyzed by VMRay Analyzer 3.2.2 on a Windows 7 system
VTI Score: 100 (VTI Score based on VTI Database Version 3.6)

Metadata of Sample File #810856
Submission-ID: #4243341
528417986548a34850cc83042c6963fd6a19adcdb00158579e6f32c9fce7cadeexe
MD5: b22a50ab027d620c4db5fae365758edc
SHA1: 95bd1d0c6470ee66ae5cde36863001b98560d15f
SHA256: 528417986548a34850cc83042c6963fd6a19adcdb00158579e6f32c9fce7cade
Opened_By

Metadata of Analysis for Job-ID #2122301
True
All processes terminated
True
126.245
XDUWTFONO
win7_64_sp1
x86 64-bit
Windows 7
6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
5p5NrGJn0jS HALPmcxz
XDUWTFONO
This is a property collection for additional information of VMRay analysis
VMRay Analyzer
VTI rule matches (Category | VTI rule score | Rule | Label; the rule's detail text follows on the next line)

Anti Analysis | 3/5 | vmray_detect_wine_by_getprocaddress | Tries to detect application sandbox
  Tries to detect "wine" by calling GetProcAddress() on "wine_get_version".
Hide Tracks | 1/5 | vmray_create_process_with_hidden_window | Creates process with hidden window
  The process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" starts with hidden window.
Anti Analysis | 2/5 | vmray_delay_execution_by_sleep | Delays execution
  One thread sleeps more than 5 minutes.
Data Collection | 2/5 | vmray_read_browser_creds_by_file | Reads sensitive browser data
  Trying to read sensitive data of web browser "Google Chrome" by file.
Data Collection | 2/5 | vmray_read_browser_creds_by_file | Reads sensitive browser data
  Trying to read sensitive data of web browser "Internet Explorer / Edge" by file.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\feeds cache\6asvn7j7" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\feeds cache\1nbur4hr" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\feeds cache\d68g7bij" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\feeds cache\kqmhsvkd" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\feeds cache" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\burn\burn1" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\burn\burn" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\history\low\history.ie5" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\history" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\burn\burn2" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\history\history.ie5" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\history\low" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\mm5o9xqs" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\pmmr5k9k" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\9qh4s0gz" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\abv8l7my" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\ikqeepzr" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\yg1r61z8" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\low\content.ie5" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\low" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files" has a changed appearance.
Data Collection | 2/5 | vmray_read_mail_creds_by_file | Reads sensitive mail data
  Trying to read sensitive data of mail application "Windows Mail" by file.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows mail\stationery" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\temporary internet files\content.ie5\vb18b0kb" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\temporary internet files\content.ie5\xt1rpyg9" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\temporary internet files\content.ie5" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\temporary internet files\content.ie5\ketajp6d" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\history\history.ie5" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\temporary internet files\content.ie5\03j4uqw0" has a changed appearance.
User Data Modification | 4/5 | vmray_modify_user_files | Modifies content of user files
  Modifies the content of multiple user files. This is an indicator for an encryption attempt.
User Data Modification | 4/5 | vmray_rename_user_files | Renames user files
  Renames multiple user files. This is an indicator for an encryption attempt.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\internet explorer\quick launch" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\libraries" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\recent" has a changed appearance.
Persistence | 1/5 | vmray_install_startup_script_by_file | Installs system startup script or application
  Adds "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\start menu\programs\startup" to Windows startup folder.
Persistence | 1/5 | vmray_install_startup_script_by_file | Installs system startup script or application
  Adds "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini" to Windows startup folder.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\sendto" has a changed appearance.
Discovery | 1/5 | vmray_recon_app_data_by_file | Possibly does reconnaissance
  Tries to gather information about application "Mozilla Firefox" by file.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\start menu\programs\maintenance" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\start menu\programs\startup" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\start menu\programs" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\start menu" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\start menu\programs\accessories" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\start menu\programs\administrative tools" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools" has a changed appearance.
Data Collection | 2/5 | vmray_read_browser_creds_by_file | Reads sensitive browser data
  Trying to read sensitive data of web browser "Mozilla Firefox" by file.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility" has a changed appearance.
Persistence | 1/5 | vmray_install_startup_script_by_file | Installs system startup script or application
  Adds "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\start menu\programs\startup\encry-desktop.ini" to Windows startup folder.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\contacts" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\favorites\links" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\downloads" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\documents\my shapes" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\documents" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\desktop" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\favorites" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\saved games" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\searches" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\links" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\pictures" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\videos" has a changed appearance.
Hide Tracks | 1/5 | vmray_change_folder_appearance | Changes folder appearance
  Folder "c:\users\5p5nrgjn0js halpmcxz\music" has a changed appearance.
System Modification | 1/5 | vmray_create_many_files | Creates an unusually large number of files
  Creates above average number of files.
Reputation | 5/5 | vmray_known_malicious_file | Known malicious file
  Reputation data labels the sample itself as "Mal/Generic-S".
Data Collection | 4/5 | vmray_meta_classify_spyware_for_excessive_infosteal | Exhibits Spyware behavior
  Tries to read sensitive data of: Mozilla Firefox, Windows Mail, Internet Explorer / Edge, Google Chrome.