VMRay Analyzer Report for Sample #155102
VMRay Analyzer 3.1.1

Network: DNS resolutions observed during analysis
  api.2ip.ua  ->  77.123.139.189   (geolocation lookup over HTTPS, https://api.2ip.ua/geo.json)
  dell1.ug    ->  161.117.195.207  (check-in and payload download host; see the Network and Reputation findings below)
Process list (index, PID, parent PID, image; relationship edges are given as counts because the export dropped their targets)

Process 1   PID 1852   parent PID 1116   9dc6.tmp.exe
  cmdline  "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\9DC6.tmp.exe"
  cwd      C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  image    c:\users\5p5nrgjn0js halpmcxz\desktop\9dc6.tmp.exe
  edges    Child_Of x3, Created x2, Opened x5, Deleted x1
  note     Initial execution of the submitted sample from the Desktop. It is the parent of icacls (process 3) and of a second copy of itself started with --Admin (process 5).
Process 3   PID 176   parent PID 1852 (9dc6.tmp.exe)   icacls.exe
  cmdline  icacls "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\df0a63e6-8bd0-426e-adf4-794844f579bd" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  cwd      C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  image    c:\windows\syswow64\icacls.exe
  note     Adds a deny ACE for Everyone (S-1-1-0) on the folder that holds the dropped copy of the sample. (OI)(CI) makes the ACE inherit to files and subfolders; (DE,DC) denies delete and delete-child. The user, and any cleanup tool running as the user, therefore cannot remove the dropped binary while the ACE is present, while read and execute access (which the malware still needs) is untouched. The deny covers only delete rights, not the right to change the DACL, so the folder owner or an administrator can clear it before cleanup with: icacls "<folder>" /remove:d *S-1-1-0. The 32-bit icacls from SysWOW64 is used because the caller is a 32-bit process and file-system redirection resolves "icacls" there.
Process 4   PID 1292   parent PID 876   taskeng.exe
  cmdline  taskeng.exe {0E3013FB-5D32-4499-A940-035C87CD1A3B} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1]
  cwd      C:\Windows\system32\
  image    c:\windows\system32\taskeng.exe
  note     Task Scheduler engine instance started by the scheduler service (PID 876) for the sandbox user's interactive session at run level Highest. No child process of this instance appears in the export.
Process 5   PID 2060   parent PID 1852 (9dc6.tmp.exe)   9dc6.tmp.exe
  cmdline  "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\9DC6.tmp.exe" --Admin IsNotAutoStart IsNotTask
  cwd      C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  image    c:\users\5p5nrgjn0js halpmcxz\desktop\9dc6.tmp.exe
  edges    Child_Of x4, Created x4, Opened x6
  note     Second instance of the sample, relaunched by the first with the flags --Admin IsNotAutoStart IsNotTask (the flags tell the instance which launch path it is on; --Task and --AutoStart appear on processes 12 and 16). This instance is the parent of the three downloaded payloads (processes 6, 9 and 11).
Process 6   PID 2156   parent PID 2060 (9dc6.tmp.exe --Admin)   updatewin1.exe
  cmdline  "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\2d5ee28a-f782-4cc1-aa85-b49f8f019ddd\updatewin1.exe"
  cwd      C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  image    c:\users\5p5nrgjn0js halpmcxz\appdata\local\2d5ee28a-f782-4cc1-aa85-b49f8f019ddd\updatewin1.exe
  edges    Child_Of x1, Created x1, Opened x3
  note     First downloaded payload (fetched from http://dell1.ug/files/penelop/updatewin1.exe, see Network), run from a second GUID-named folder under AppData\Local.
Process 7   PID 2184   parent PID 2156 (updatewin1.exe)   updatewin1.exe
  cmdline  "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\2d5ee28a-f782-4cc1-aa85-b49f8f019ddd\updatewin1.exe" --Admin
  cwd      C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\2d5ee28a-f782-4cc1-aa85-b49f8f019ddd\
  image    c:\users\5p5nrgjn0js halpmcxz\appdata\local\2d5ee28a-f782-4cc1-aa85-b49f8f019ddd\updatewin1.exe
  edges    Child_Of x1, Created x1, Opened x3
  note     updatewin1.exe relaunches itself with --Admin, the same self-relaunch pattern as the sample. This instance spawns PowerShell (process 8).
Process 8   PID 2192   parent PID 2184 (updatewin1.exe --Admin)   powershell.exe
  cmdline  powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
  cwd      C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\2d5ee28a-f782-4cc1-aa85-b49f8f019ddd\
  image    c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
  edges    Opened x75 (engine start-up reads of ps1xml files and registry keys; itemised in the object list below)
  note     The 32-bit PowerShell host is used because the parent is 32-bit. Set-ExecutionPolicy -Scope CurrentUser RemoteSigned needs no elevation: it writes the current user's policy into HKCU and lets unsigned locally created .ps1 files run for this user, while scripts carrying the mark of the web still need a signature. The execution policy is not a security boundary, so on its own this is a low-severity indicator; its value here is as a precursor, since it only makes sense if a script is to be run later. No script execution appears in this export.
Process 9   PID 2236   parent PID 2060 (9dc6.tmp.exe --Admin)   updatewin2.exe
  cmdline  "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\2d5ee28a-f782-4cc1-aa85-b49f8f019ddd\updatewin2.exe"
  cwd      C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  image    c:\users\5p5nrgjn0js halpmcxz\appdata\local\2d5ee28a-f782-4cc1-aa85-b49f8f019ddd\updatewin2.exe
  edges    Opened x3
  note     Second downloaded payload (http://dell1.ug/files/penelop/updatewin2.exe).
Process 10   PID 2296   parent PID 876   taskeng.exe
  cmdline  taskeng.exe {4AA344D6-BF85-44B2-8540-3850C522B854} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:LUA[1]
  cwd      C:\Windows\system32\
  image    c:\windows\system32\taskeng.exe
  edges    Child_Of x1
  note     Second Task Scheduler engine instance, this one at run level LUA (standard user). It is the parent of process 12, the --Task launch of the dropped copy.
Process 11   PID 2304   parent PID 2060 (9dc6.tmp.exe --Admin)   updatewin.exe
  cmdline  "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\2d5ee28a-f782-4cc1-aa85-b49f8f019ddd\updatewin.exe"
  cwd      C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  image    c:\users\5p5nrgjn0js halpmcxz\appdata\local\2d5ee28a-f782-4cc1-aa85-b49f8f019ddd\updatewin.exe
  edges    Opened x3
  note     Third downloaded payload (http://dell1.ug/files/penelop/updatewin.exe).
Process 12   PID 2336   parent PID 2296 (taskeng.exe, LUA)   9dc6.tmp.exe
  cmdline  "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\df0a63e6-8bd0-426e-adf4-794844f579bd\9DC6.tmp.exe" --Task
  cwd      C:\Windows\system32\
  image    c:\users\5p5nrgjn0js halpmcxz\appdata\local\df0a63e6-8bd0-426e-adf4-794844f579bd\9dc6.tmp.exe
  note     The dropped copy started by the scheduled task (time trigger; the analyzer rescheduled the task so that it fired inside the 240 s run, see the Anti Analysis finding vmray_delay_by_scheduled_task_delayed). This is the copy sitting in the icacls-protected folder.
Process 16   PID 1348   parent PID 1116   9dc6.tmp.exe
  cmdline  "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\df0a63e6-8bd0-426e-adf4-794844f579bd\9DC6.tmp.exe" --AutoStart
  cwd      C:\Windows\system32\
  image    c:\users\5p5nrgjn0js halpmcxz\appdata\local\df0a63e6-8bd0-426e-adf4-794844f579bd\9dc6.tmp.exe
  edges    Opened x43, Created x28, Opened x2
  note     The --AutoStart launch path, matching the SysHelper value written to HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Its parent PID is the same as that of process 1 (not named in the export). The 28 Created edges line up with the 27 _readme.txt ransom notes plus c:\systemid\personalid.txt in the object list below, which makes this the instance that performed the file-modification phase. Process indices 2, 13, 14 and 15 are absent from the export.
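The process chain above (the sample relaunching itself with flags, icacls denying delete rights on its own drop folder, payloads executing from a GUID-named AppData\Local folder, PowerShell changing the execution policy on behalf of one of them, and the scheduled-task and Run-key relaunches) is the part of this report that translates into endpoint detections. The following is an added example written for this page; it is not VMRay's code and not code from the sample. It runs four checks over process-creation records that carry the same fields as a Sysmon event ID 1 or EDR record (PID, parent PID, image path, command line). The records are constructed to mirror the process list above, with the user profile shortened to "u" and one benign control record appended; the rule names are the editor's.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str    # command line as logged


# Constructed records mirroring the report's process list (profile shortened
# to "u"). The last record is a benign control: an administrator applying the
# same deny ACE to a folder under Program Files.
EVENTS = [
    ProcEvent(1852, 1116, r"c:\users\u\desktop\9dc6.tmp.exe",
              r'"C:\Users\u\Desktop\9DC6.tmp.exe"'),
    ProcEvent(176, 1852, r"c:\windows\syswow64\icacls.exe",
              r'icacls "C:\Users\u\AppData\Local\df0a63e6-8bd0-426e-adf4-794844f579bd" '
              r'/deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    ProcEvent(2060, 1852, r"c:\users\u\desktop\9dc6.tmp.exe",
              r'"C:\Users\u\Desktop\9DC6.tmp.exe" --Admin IsNotAutoStart IsNotTask'),
    ProcEvent(2156, 2060, r"c:\users\u\appdata\local\2d5ee28a-f782-4cc1-aa85-b49f8f019ddd\updatewin1.exe",
              r'"C:\Users\u\AppData\Local\2d5ee28a-f782-4cc1-aa85-b49f8f019ddd\updatewin1.exe"'),
    ProcEvent(2184, 2156, r"c:\users\u\appdata\local\2d5ee28a-f782-4cc1-aa85-b49f8f019ddd\updatewin1.exe",
              r'"C:\Users\u\AppData\Local\2d5ee28a-f782-4cc1-aa85-b49f8f019ddd\updatewin1.exe" --Admin'),
    ProcEvent(2192, 2184, r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe",
              r"powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned"),
    ProcEvent(2336, 2296, r"c:\users\u\appdata\local\df0a63e6-8bd0-426e-adf4-794844f579bd\9dc6.tmp.exe",
              r'"C:\Users\u\AppData\Local\df0a63e6-8bd0-426e-adf4-794844f579bd\9DC6.tmp.exe" --Task'),
    ProcEvent(400, 300, r"c:\windows\system32\icacls.exe",
              r'icacls "C:\Program Files\App\conf" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
]

# A GUID-named folder directly under AppData\Local, as both drop folders in the report are.
GUID_DIR = re.compile(
    r"\\appdata\\local\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)
# Locations a standard user can write to without elevation.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|desktop|downloads)|programdata)\\", re.I)
# icacls /deny aimed at Everyone (S-1-1-0), capturing its permission string.
ICACLS_DENY = re.compile(
    r"/deny\s+(?P<sid>\*?S-1-1-0|everyone):(?P<perms>(?:\([^)]*\))+)", re.I)
# Rights that block deletion: DE (delete), DC (delete child) or the D/M/F bundles.
DELETE_RIGHTS = re.compile(r"\b(?:DE|DC|D|M|F)\b", re.I)


def icacls_target(cmdline: str) -> str:
    """The first argument after the icacls verb is the path the ACL is applied to."""
    m = re.match(r'\s*"?[^"\s]*icacls(?:\.exe)?"?\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else ""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) pairs for every record that trips a check."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        # 1. Self-protection: deny Everyone delete rights on a user-writable folder.
        if name == "icacls.exe":
            m = ICACLS_DENY.search(e.cmdline)
            if (m and DELETE_RIGHTS.search(m.group("perms"))
                    and USER_WRITABLE.match(icacls_target(e.cmdline))):
                hits.append(("icacls_deny_everyone_delete_user_dir", e.pid))
        # 2. Execution-policy change requested by a binary running from a user-writable path.
        if name == "powershell.exe" and re.search(r"set-executionpolicy", e.cmdline, re.I):
            if parent and USER_WRITABLE.match(parent.image):
                hits.append(("execpolicy_change_from_user_dir_parent", e.pid))
        # 3. Executable running out of a GUID-named AppData\Local folder.
        if GUID_DIR.search(e.image):
            hits.append(("exec_from_appdata_guid_dir", e.pid))
        # 4. Same image relaunching itself with extra arguments (low confidence alone).
        if (parent and parent.image.lower() == e.image.lower()
                and e.cmdline.lower().startswith(parent.cmdline.lower())
                and len(e.cmdline) > len(parent.cmdline)):
            hits.append(("self_relaunch_with_extra_args", e.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40s} pid={pid}")
```

Rules 1 and 2 are the ones worth alerting on by themselves; rule 1 in particular has almost no legitimate use from a user-writable path. Rules 3 and 4 are noisy on their own (installers and updaters relaunch themselves, and some software does use GUID folders) and are better used to enrich or to require in combination with the first two.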
Objects referenced by the relationship edges above (listed in export order; the edge-to-object links were lost, so which process touched which object can only be read from position)

Standard handles
  STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE (four sets in this stretch of the export, one per console-attached process) and conout$

Directory and file
  c:\users\5p5nrgjn0js halpmcxz\appdata\local\df0a63e6-8bd0-426e-adf4-794844f579bd                (directory; the one later protected with icacls)
  c:\users\5p5nrgjn0js halpmcxz\appdata\local\df0a63e6-8bd0-426e-adf4-794844f579bd\9dc6.tmp.exe   (exe; dropped copy of the sample, later run with --Task and --AutoStart)

Registry (HKEY_CURRENT_USER)
  Software\Microsoft\Windows\CurrentVersion\Run, value SysHelper   opened, then set to
      REG_EXPAND_SZ  "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\df0a63e6-8bd0-426e-adf4-794844f579bd\9DC6.tmp.exe" --AutoStart

Directory
  c:\users\5p5nrgjn0js halpmcxz\appdata\local\2d5ee28a-f782-4cc1-aa85-b49f8f019ddd   (download folder for updatewin.exe, updatewin1.exe and updatewin2.exe)
  c:\systemid                                                                        (personalid.txt is written here later)

Mutex
  {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}   (referenced twice in the export; usable as a host-based indicator)

Registry (HKEY_CURRENT_USER)
  Software\Microsoft\Windows\CurrentVersion\Run, value SysHelper   (opened)
  Software\Microsoft\Windows\CurrentVersion, value SysHelper       set to REG_DWORD 1   (a marker value beside, not inside, the Run key; the Run entry above is the actual persistence)
  Software\Microsoft\Windows\CurrentVersion\Run, value SysHelper   (opened)
PowerShell engine start-up (32-bit powershell.exe from SysWOW64, process 8; normal engine initialisation with no detection value of its own, kept for completeness)
  Type and format data read from c:\windows\syswow64\windowspowershell\v1.0\:
    getevent.types.ps1xml, types.ps1xml, diagnostics.format.ps1xml, wsman.format.ps1xml, certificate.format.ps1xml, dotnettypes.format.ps1xml, filesystem.format.ps1xml, help.format.ps1xml, powershellcore.format.ps1xml, powershelltrace.format.ps1xml, registry.format.ps1xml
  Registry reads (HKEY_LOCAL_MACHINE unless stated):
    Software\Microsoft\PowerShell and Software\Microsoft\PowerShell\1
    Software\Microsoft\PowerShell\1\PowerShellEngine, value ApplicationBase (read five times)
    System\CurrentControlSet\Control\Session Manager\Environment, value PSMODULEPATH, and HKEY_CURRENT_USER\Environment, value PSMODULEPATH
    SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value path
    SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value StackVersion (twice)
  Event-log source enumeration under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog (four passes over the log keys Application, HardwareEvents, Internet Explorer, Key Management Service, Media Center, OAlerts, Security, System and Windows PowerShell; the first pass also opens each log's PowerShell source subkey, the later passes only Windows PowerShell\PowerShell)
  Not present in the export: the write of the CurrentUser ExecutionPolicy value under HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell that Set-ExecutionPolicy -Scope CurrentUser performs, so the registry side of that command cannot be confirmed from this object list.
Standard handles
  STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE (three further sets)

File-modification phase (by export position this block belongs to process 16, the --AutoStart instance, whose edge counts of 43 Opened, 28 Created and 2 Opened match the objects below)

Host identifier file
  c:\systemid\personalid.txt   (written to the volume root; the report does not include its contents)

Files opened (39; enumeration of the volume root, the boot folder and the user profile)
  c:\bootsect.bak
  c:\boot\bcd.log, bcd.log1, bcd.log2, bootstat.dat, memtest.exe
  c:\boot\<locale>\bootmgr.exe.mui for cs-cz, da-dk, de-de, el-gr, en-us, es-es, fi-fi, fr-fr, hu-hu, it-it, ja-jp, ko-kr, nb-no, nl-nl, pl-pl, pt-br, pt-pt, ru-ru, sv-se, tr-tr, zh-cn, zh-hk, zh-tw (23 files), and c:\boot\en-us\memtest.exe.mui
  c:\boot\fonts\chs_boot.ttf, cht_boot.ttf, jpn_boot.ttf, kor_boot.ttf, wgl4_boot.ttf
  c:\users\5p5nrgjn0js halpmcxz\ntuser.dat
  c:\users\5p5nrgjn0js halpmcxz\searches\everywhere.search-ms and indexed locations.search-ms
  c:\users\5p5nrgjn0js halpmcxz\documents\my shapes\favorites.vss

Ransom notes created (27, all named _readme.txt, one per directory visited)
  c:\_readme.txt
  c:\boot\_readme.txt
  c:\config.msi\_readme.txt
  c:\boot\<locale>\_readme.txt for the 23 locale folders listed above
  c:\boot\fonts\_readme.txt

Mutex
  {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}   (second reference)

Registry (HKEY_CURRENT_USER)
  Software\Microsoft\Windows\CurrentVersion\Run, value SysHelper
  Software\Microsoft\Windows\CurrentVersion, value SysHelper
Analyzed Sample #155102: Malware Artifacts
  Sample-ID      #155102
  Job-ID         #376923
  Submission-ID  #280547
  Analyzer       VMRay Analyzer 3.1.1 on a Windows 7 system
  VTI score      100 (VTI Database Version 3.4)

Metadata of Sample File #155102
  Submitted name 6baf355bde73ed5a1d8a05d87f6cada55751402ea1dba9d07c8fd868f5b0ecd5exe (as recorded: the SHA256 with "exe" appended)
  MD5            f755c18c81226e0301517563d238ae6c
  SHA1           60689252404f0d7bdb41836233ae3795fe21addc
  SHA256         6baf355bde73ed5a1d8a05d87f6cada55751402ea1dba9d07c8fd868f5b0ecd5
  Relationship   Opened_By (target not preserved in the export)

Metadata of Analysis for Job-ID #376923
  Flags          True, Timeout, True, 240.028 (field names were not exported; the run ended on the analyzer timeout after 240.028 s, so the tail of the activity, for example the 3.exe and 4.exe fetches under Network, may be cut short)
  Target         XDUWTFONO, image win7_64_sp1, x86 64-bit, Windows 7 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
  User           5p5NrGJn0jS HALPmcxz on computer XDUWTFONO
  This is a property collection for additional information of VMRay analysis (VMRay Analyzer)
VTI findings (category, rule score out of 5, rule id, description)

Anti Analysis
  2/5  vmray_dynamic_api_usage_by_api         Resolves an unusually high number of APIs dynamically, possibly to evade static (import-table) detection.
  3/5  vmray_delay_by_scheduled_task_delayed  Schedules a task for "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\df0a63e6-8bd0-426e-adf4-794844f579bd\9DC6.tmp.exe" with a Time trigger (delays execution). The analyzer rescheduled the task so that it fired during the run; process 12 (--Task) is the result.

Process
  0/5  vmray_enumerate_processes               Enumerates running processes.
  1/5  vmray_create_process_with_hidden_window The process "icacls" starts with a hidden window (process 3).
  1/5  vmray_create_process_with_hidden_window The process "powershell" starts with a hidden window (process 8).
  1/5  vmray_install_ipc_endpoint              Creates mutex "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}".

Hide Tracks
  2/5  vmray_delete_executed_executable        Deletes executed executable "c:\users\5p5nrgjn0js halpmcxz\appdata\local\df0a63e6-8bd0-426e-adf4-794844f579bd\9dc6.tmp.exe".

Persistence
  1/5  vmray_install_startup_script_by_registry  Adds ""C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\df0a63e6-8bd0-426e-adf4-794844f579bd\9DC6.tmp.exe" --AutoStart" to Windows startup via the registry (HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value SysHelper; process 16 is the matching launch).

Network
  4/5  vmray_modify_network_configuration_by_file  Modifies the hosts file, probably to redirect or block name resolution. (The rule text reads "host.conf"; the file actually flagged, see Local AV below, is C:\Windows\System32\drivers\etc\hosts.) The entries written are not included in the report; on a live host, compare the file against a known-good copy before trusting name resolution for vendor or update domains.

File System
  4/5  vmray_modify_user_files  Modifies the content of multiple user files; an indicator for an encryption attempt (see the YARA findings on the modified PDFs below).
  1/5  vmray_create_many_files  Creates an unusually large number of files (consistent with the 27 per-directory _readme.txt notes in the object list).

Local AV (all 5/5, vmray_av_malicious_match, heuristic scan)
  The sample itself: Trojan.GenericKD.41625647
  Response data of http://dell1.ug/files/penelop/updatewin1.exe and the downloaded file C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\2d5ee28a-f782-4cc1-aa85-b49f8f019ddd\updatewin1.exe: Trojan.GenericKD.31534187
  Response data of http://dell1.ug/files/penelop/updatewin2.exe and the downloaded updatewin2.exe in the same folder: Trojan.AgentWDCR.SVC
  Response data of http://dell1.ug/files/penelop/updatewin.exe and the downloaded updatewin.exe in the same folder: Trojan.AgentWDCR.SUF
  The modified file C:\Windows\System32\drivers\etc\hosts: Gen:Trojan.Qhost.1

Network (all 1/5)
  vmray_download_file_by_http_full  http://dell1.ug/Asdh34y5iusdf91/345678yjdfgdfg/get.php?pid=DD27E7F2A8F3C6E76FED65713A3B1277&first=true
  vmray_download_file_by_http_full  http://dell1.ug/Asdh34y5iusdf91/345678yjdfgdfg/get.php?pid=DD27E7F2A8F3C6E76FED65713A3B1277
  vmray_download_exe_by_http_full   http://dell1.ug/files/penelop/updatewin1.exe
  vmray_download_exe_by_http_full   http://dell1.ug/files/penelop/updatewin2.exe
  vmray_download_exe_by_http_full   http://dell1.ug/files/penelop/updatewin.exe
  vmray_establish_http_connection   the two get.php URLs and the three updatewin*.exe URLs above, plus http://dell1.ug/files/penelop/3.exe and http://dell1.ug/files/penelop/4.exe (connections only: no download event is recorded for 3.exe and 4.exe, so they were either not served or cut off by the 240 s timeout)
  vmray_establish_https_connection  https://api.2ip.ua/geo.json
  Reading: the get.php check-in carries a 32-hex-character host identifier in the pid parameter; the first request adds first=true, the later one omits it, and the executable fetches sit between the two. That shape can be searched for in proxy logs independently of the dell1.ug domain.
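The Network findings describe a fixed order of events: an HTTPS geolocation query to api.2ip.ua, a check-in to get.php carrying a 32-hex-character host identifier (with first=true on the initial request), executable fetches from the same host, then a further check-in without first=true. As an added example, not part of the VMRay report and not the sample's code, the Python below turns that order into a proxy-log correlation rule. It keys on the shape of the traffic (a geolocation lookup plus a get.php?pid=<32 hex> check-in plus .exe downloads from the check-in host, all within a short window) rather than on dell1.ug alone, so it keeps working after a domain change. The log lines are constructed to follow the URLs in this report; the client addresses, timestamps, sizes and status codes are made up, including the responses for 3.exe and 4.exe, which the report does not give.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log: "<timestamp> <client> <method> <url> <status> <bytes>".
# URLs follow the report; everything else is made up for the example. The last
# two clients are controls: one does only a geo lookup, one uses a get.php URL
# whose pid is not a 32-hex host identifier.
PROXY_LOG = """\
2019-05-14T10:01:02Z 10.0.0.23 GET https://api.2ip.ua/geo.json 200 512
2019-05-14T10:01:03Z 10.0.0.23 GET http://dell1.ug/Asdh34y5iusdf91/345678yjdfgdfg/get.php?pid=DD27E7F2A8F3C6E76FED65713A3B1277&first=true 200 1342
2019-05-14T10:01:05Z 10.0.0.23 GET http://dell1.ug/files/penelop/updatewin1.exe 200 245760
2019-05-14T10:01:07Z 10.0.0.23 GET http://dell1.ug/files/penelop/updatewin2.exe 200 190464
2019-05-14T10:01:09Z 10.0.0.23 GET http://dell1.ug/files/penelop/updatewin.exe 200 302080
2019-05-14T10:01:10Z 10.0.0.23 GET http://dell1.ug/files/penelop/3.exe 404 0
2019-05-14T10:01:11Z 10.0.0.23 GET http://dell1.ug/files/penelop/4.exe 404 0
2019-05-14T10:01:40Z 10.0.0.23 GET http://dell1.ug/Asdh34y5iusdf91/345678yjdfgdfg/get.php?pid=DD27E7F2A8F3C6E76FED65713A3B1277 200 1342
2019-05-14T10:02:00Z 10.0.0.45 GET https://api.2ip.ua/geo.json 200 512
2019-05-14T10:03:00Z 10.0.0.77 GET http://example.org/get.php?pid=1234&first=true 200 80
2019-05-14T10:03:05Z 10.0.0.77 GET http://example.org/setup.exe 200 9000
"""

HOST_ID = re.compile(r"^[0-9A-F]{32}$", re.I)   # shape of the pid value in the report
GEO_HOSTS = {"api.2ip.ua"}                       # geolocation API seen in the report; extend as needed


def classify(url: str):
    """Map a URL to a stage of the chain. Returns (stage, host_id) or (None, None)."""
    u = urlsplit(url)
    q = parse_qs(u.query)
    if u.netloc.lower() in GEO_HOSTS:
        return "geo_lookup", None
    pid = q.get("pid", [""])[0]
    if u.path.lower().endswith("/get.php") and HOST_ID.match(pid):
        stage = "checkin_first" if q.get("first") == ["true"] else "checkin"
        return stage, pid.upper()
    if u.path.lower().endswith(".exe"):
        return "exe_fetch", None
    return None, None


def parse_log(text: str):
    """Yield (timestamp, client, url, status) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, status, _size = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), client, url, int(status)


def correlate(text: str, window: timedelta = timedelta(minutes=5)) -> dict:
    """One alert per client that, within `window` of a first=true check-in, also
    performed a geo lookup and fetched .exe files from the check-in host."""
    per_client = defaultdict(list)
    for ts, client, url, status in parse_log(text):
        stage, host_id = classify(url)
        if stage:
            per_client[client].append((ts, stage, host_id, url, status))
    alerts = {}
    for client, events in per_client.items():
        events.sort(key=lambda ev: ev[0])
        for ts0, stage, host_id, url0, _status in events:
            if stage != "checkin_first":
                continue
            c2_host = urlsplit(url0).netloc.lower()
            near = [ev for ev in events if abs(ev[0] - ts0) <= window]
            geo = any(ev[1] == "geo_lookup" for ev in near)
            fetches = [ev for ev in near
                       if ev[1] == "exe_fetch" and urlsplit(ev[3]).netloc.lower() == c2_host]
            if geo and fetches:
                alerts[client] = {
                    "host_id": host_id,
                    "c2_host": c2_host,
                    "payload_urls": [ev[3] for ev in fetches],
                    "not_served": [ev[3] for ev in fetches if ev[4] != 200],
                }
            break   # one alert per client is enough
    return alerts


if __name__ == "__main__":
    for client, alert in correlate(PROXY_LOG).items():
        print(client, alert)
```

The host identifier and the full payload list come out with the alert, which is what an incident responder needs to pivot on: the pid value identifies the infected host in later check-ins to any domain, and the not_served list separates what actually landed on the host from what was only attempted.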
Reputation
  5/5  vmray_known_malicious_file          C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\9DC6.tmp.exe, and the downloaded updatewin1.exe, updatewin2.exe and updatewin.exe under C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\2d5ee28a-f782-4cc1-aa85-b49f8f019ddd\ are known malicious files.
  4/5  vmray_known_malicious_url_traffic   All seven dell1.ug URLs contacted are known malicious URLs: the get.php check-in with first=true, the get.php check-in without it, updatewin1.exe, updatewin2.exe, updatewin.exe, 3.exe and 4.exe under /files/penelop/.
  4/5  vmray_known_malicious_url_embedded  The same seven URLs, found embedded in "analysis.pcap". That file is the analyzer's own network capture of the run, not something the sample dropped, so these entries repeat the traffic findings rather than add to them.

Static
  1/5  vmray_static_analysis_parser_error  The static engine was unable to completely parse C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\9DC6.tmp.exe (unparsable sections in the file). Together with the dynamic API resolution noted under Anti Analysis this points at a packed or deliberately malformed PE.

YARA (ruleset Malicious-Documents, matched on files the sample modified)
  C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0NTmu.pdf    PDF_Missing_startxref (4/5), PDF_Missing_EOF (3/5), PDF_Invalid_version (4/5)
  C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_0VDVX.pdf   PDF_Missing_startxref (4/5), PDF_Missing_EOF (3/5), PDF_Invalid_version (4/5)
  Reading: these are documents that were present on the Desktop of the analysis VM and that the sample rewrote. All three rules fire because the PDF version header, the startxref pointer and the %%EOF marker are gone, which is what an encrypted or overwritten document looks like to a structural rule; it is not evidence that the sample dropped malicious PDFs. Together with vmray_modify_user_files these matches are the direct evidence of the encryption phase.
YARA match
YARA
VTI rule match with VTI rule score 4/5
vmray_yara_match
Rule "PDF_Missing_startxref" from ruleset "Malicious-Documents" has matched on the dropped file "C:\Users\5p5NrGJn0jS HALPmcxz\Documents\m8Ml-6lNM1 wULCS0yD\-88UgF-e_va- z.pdf.carote".
YARA match
YARA
VTI rule match with VTI rule score 3/5
vmray_yara_match
Rule "PDF_Missing_EOF" from ruleset "Malicious-Documents" has matched on the dropped file "C:\Users\5p5NrGJn0jS HALPmcxz\Documents\m8Ml-6lNM1 wULCS0yD\-88UgF-e_va- z.pdf.carote".
YARA match
YARA
VTI rule match with VTI rule score 4/5
vmray_yara_match
Rule "PDF_Invalid_version" from ruleset "Malicious-Documents" has matched on the dropped file "C:\Users\5p5NrGJn0jS HALPmcxz\Documents\m8Ml-6lNM1 wULCS0yD\-88UgF-e_va- z.pdf.carote".
YARA match
YARA
VTI rule match with VTI rule score 4/5
vmray_yara_match
Rule "PDF_Missing_startxref" from ruleset "Malicious-Documents" has matched on the dropped file "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\f_-8oBARRP9-U\bFT9ci 8fZ3bljOH\AL1uDyzyXe3_.pdf.carote".
YARA match
YARA
VTI rule match with VTI rule score 3/5
vmray_yara_match
Rule "PDF_Missing_EOF" from ruleset "Malicious-Documents" has matched on the dropped file "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\f_-8oBARRP9-U\bFT9ci 8fZ3bljOH\AL1uDyzyXe3_.pdf.carote".
YARA match
YARA
VTI rule match with VTI rule score 4/5
vmray_yara_match
Rule "PDF_Invalid_version" from ruleset "Malicious-Documents" has matched on the dropped file "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\f_-8oBARRP9-U\bFT9ci 8fZ3bljOH\AL1uDyzyXe3_.pdf.carote".
YARA match
YARA
VTI rule match with VTI rule score 4/5
vmray_yara_match
Rule "PDF_Missing_startxref" from ruleset "Malicious-Documents" has matched on the dropped file "C:\Users\5p5NrGJn0jS HALPmcxz\Documents\SmG7\LFwoVJrFDf\Zvgl_GVfIYN2KR.pdf.carote".
YARA match
YARA
VTI rule match with VTI rule score 3/5
vmray_yara_match
Rule "PDF_Missing_EOF" from ruleset "Malicious-Documents" has matched on the dropped file "C:\Users\5p5NrGJn0jS HALPmcxz\Documents\SmG7\LFwoVJrFDf\Zvgl_GVfIYN2KR.pdf.carote".
YARA match
YARA
VTI rule match with VTI rule score 4/5
vmray_yara_match
Rule "PDF_Invalid_version" from ruleset "Malicious-Documents" has matched on the dropped file "C:\Users\5p5NrGJn0jS HALPmcxz\Documents\SmG7\LFwoVJrFDf\Zvgl_GVfIYN2KR.pdf.carote".
YARA match