VMRay Analyzer Report for Sample #625180

Analyzed by VMRay Analyzer 1.11.0 on a Windows 10 system.
Sample-ID: #625180   Submission-ID: #625180   Job-ID: #676476
VTI Score: 75 (based on VTI Database Version 2.2)
Category: Detect Artificial Environment

Metadata of sample file #625180
  Path:   C:\Users\WI2yhmtI onvScY7Pe\Desktop\Tax Tool.exe (exe), opened by the VMRay Analyzer
  MD5:    212ba96c626898e00e140d5fb3230dd8
  SHA1:   204764a6e5f7b2426274da728ee07927b813f68d
  SHA256: ec2504089edf0330d58433079b2a5f72c102582c399ad73c59777ee03363929a

Process tree (PID, image, parent PID, command line, working directory)
  2448  tax tool.exe  parent 1996  "C:\Users\WI2yhmtI onvScY7Pe\Desktop\Tax Tool.exe"
        cwd C:\Users\WI2yhmtI onvScY7Pe\Desktop
    132   devices.exe  parent 2448  "C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Sun\Java\Devices.exe"
          cwd C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming
      748   svchost.exe  parent 132  C:\Windows\SysWOW64\svchost.exe -k netsvcs
            cwd C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming
      3156  svchost.exe  parent 132  C:\Windows\SysWOW64\svchost.exe -k netsvcs
            cwd C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming
    3244  cmd.exe  parent 2448  "C:\Windows\system32\cmd.exe" /c "C:\Users\WI2YHM~1\AppData\Local\Temp\upd823d0e12.bat"
          cwd C:\Users\WI2yhmtI onvScY7Pe\Desktop  (image resolved to c:\windows\syswow64\cmd.exe)

Malware Artifacts for Sample #625180

Files accessed (process 2448, tax tool.exe)
  Sample image:      C:\Users\WI2yhmtI onvScY7Pe\Desktop\Tax Tool.exe (exe)
  Virtual-machine device and driver names probed:
    vmgenerationcounter, hgfs, vmci, vboxguest, vboxmouse, vboxvideo, vboxminirddn, vboxtrayipc,
    virtualmachineservices, prl_pv, prl_tg, prl_time, npf_ndiswanip
  Debugger and analysis-tool names probed:
    sice, siwvid, siwdebug, ntice, regvxg, filevxg, regsys, filem, trw, icext
  Sandbox helper executables probed:
    C:\popupkiller.exe, C:\stimulator.exe, C:\tools\execute.exe
  Directories created: C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming,
    ...\AppData\Roaming\Sun\Java, ...\AppData\Roaming\Adobe\Flash Player

Dropped and written files (full path, type, hashes, processes touching the file)
  C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Sun\Java\Devices.exe (exe)  processes 2448, 132, 748
    MD5 212ba96c626898e00e140d5fb3230dd8
    SHA1 204764a6e5f7b2426274da728ee07927b813f68d
    SHA256 ec2504089edf0330d58433079b2a5f72c102582c399ad73c59777ee03363929a
    (identical to the submitted sample)
  C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Adobe\Flash Player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe (hoe)  processes 2448, 132, 748, 3156
    MD5 d41d8cd98f00b204e9800998ecf8427e
    SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    (hashes of an empty file; later Moved_From by process 748)
  C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Adobe\Flash Player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.tmp (tmp)  process 748 (Moved_To)
    MD5 7a245ac97a224505665b541cbaeebee3
    SHA1 fb77de1a8006c5cc48493e21778c03e9b7e190d0
    SHA256 62cd74f35b09b3aeba6cecef7202838b2f064346ae2497e7726c3f419acb2495
  C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Adobe\Flash Player\desktop (create shortcut).igb (igb)  processes 2448, 748, 3156
    MD5 d41d8cd98f00b204e9800998ecf8427e
    SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    (hashes of an empty file)
  C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Adobe\Flash Player\windows powershell (x86).ezu (ezu)  process 2448
    MD5 d41d8cd98f00b204e9800998ecf8427e
    SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    (hashes of an empty file)
  C:\Users\WI2YHM~1\AppData\Local\Temp\upd823d0e12.bat (bat)  processes 2448, 3244
    MD5 d41d8cd98f00b204e9800998ecf8427e
    SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    (hashes of an empty file)
  C:\Windows\SysWOW64\svchost.exe (exe)  process 748
  C:\Windows\SysWOW64\cmd.exe (exe), STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE  process 3244
  C:\Users\WI2yhmtI onvScY7Pe\Desktop\Tax Tool.exe (exe)  process 3244

Mutexes (name, processes that created or opened it)
  8A000000B7496798F6145935AA3E2760                            2448, 132, 748, 3156
  MicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutex  2448
  Sandboxie_SingleInstanceMutex_Control                       2448
  Frz_State                                                   2448
  4B000000D586D2D8AB6E07EC44CC9183                            2448, 748, 3156
  C0000000844EE6C40648470D345E7B65                            2448, 748, 3156
  9C0000002CCF1F00ECD770C403E9DE7B                            132
  54000000F61A7DE2C294AD9653CFD4FD                            132
  AD0000002B4477546D3A308A977C30F1                            132
  D20000002A14C6E52964F51932B9F49F                            132, 748
  A1000000DA6AF38235D35BF570C2C4E9                            132, 3156
  D9000000F219E1C779E2E7AC08DFD815                            748
  7D0000008AA73D983C6DEAFF4C3848A7                            748
  3B000000F5DFE9C2D11C32931F7D5BB4                            748
  4A000000AF17366BF4960AE62A76878C                            748, 3156
  D5000000C70E48D5408251026F4BDA97                            748, 3156

Registry keys (hive, key, values; processes)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion  values InstallDate, DigitalProductId  (2448, 132, 748)
  HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools  (2448)
  HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions  (2448)
  HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__  (2448)
  HKEY_LOCAL_MACHINE\HARDWARE\Description\System  value SystemBiosVersion  (2448)
  HKEY_CURRENT_USER\Software\WINE and HKEY_LOCAL_MACHINE\Software\WINE  (2448)
  HKEY_CURRENT_USER\SOFTWARE\Microsoft and its subkeys Narrator, WAB, Feeds, WcmSvc, Speech, Fax, GameBar,
    Keyboard, Wisp, FTP, OneDrive, Windows, Unistore, UserData, PeerNet, Pim, Java VM, Poom, MSF, SkyDrive,
    F12, Osk, Cuxiy, Hayfra, Ygizgo, Fabo  (2448)
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo  values Onpiwaad, Vipoug  (748 writes and reads, 3156 reads)
  HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
    value Devices.exe = "C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Sun\Java\Devices.exe" (REG_SZ)  (748)
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System  (3244)
  HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor and HKEY_CURRENT_USER\Software\Microsoft\Command Processor
    values DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun  (3244)

VTI rule matches (category, score, rule, description)
  Anti Analysis  3/5  vmray_detect_vmware_by_registry
    Possibly trying to detect VMware via registry "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools". Try to detect virtual machine.
  Anti Analysis  3/5  vmray_detect_virtualbox_by_registry
    Possibly trying to detect VirtualBox via registry "HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions". Try to detect virtual machine.
  Anti Analysis  3/5  vmray_detect_virtualbox_by_registry
    Possibly trying to detect VirtualBox via registry "HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__". Try to detect virtual machine.
  Anti Analysis  2/5  vmray_detect_generic_vm_by_registry
    Readout system information, commonly used to detect VMs via registry (value "SystemBiosVersion" in key "HKEY_LOCAL_MACHINE\HARDWARE\Description\System"). Try to detect virtual machine.
  Anti Analysis  3/5  vmray_detect_application_sandbox_by_getprocaddr
    Possibly trying to detect "wine" by GetProcAddress(). Try to detect application sandbox.
  Injection  3/5  vmray_modify_memory
    "c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe" modifies memory of "c:\windows\syswow64\svchost.exe". Write into memory of another process.
  Injection  3/5  vmray_create_remote_thread
    "c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe" creates thread in "c:\windows\syswow64\svchost.exe". Modify control flow of another process.
  Persistence  1/5  vmray_install_startup_script_by_registry
    Add "C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Sun\Java\Devices.exe" to Windows startup via registry. Install system startup script or application.
  OS  1/5  vmray_enable_process_privileges
    Enable privilege "SeSecurityPrivilege". Enable process privileges.
  Process  1/5  vmray_allocate_wx_page  (2 matches)
    Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
    Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
    Allocate a page with write and execute permissions.
  Process  1/5  vmray_create_process_with_hidden_window  (3 matches)
    The process "C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Sun\Java\Devices.exe" starts with hidden window.
    The process "C:\Windows\SysWOW64\svchost.exe -k netsvcs" starts with hidden window.
    The process "C:\Windows\system32\cmd.exe" /c "C:\Users\WI2YHM~1\AppData\Local\Temp\upd823d0e12.bat" starts with hidden window.
    Create process with hidden window.
  Process  1/5  vmray_install_ipc_endpoint  (16 matches, one per mutex listed under Mutexes above)
    Create mutex with the given name. Create system object.