6bf0c2bf...68bb

VMRay Threat Indicators (16 rules, 135 matches)

Severity	Category	Operation	Count	Classification
5/5	File System	Encrypts content of user files	1	Ransomware
Encrypts the content of multiple user files. This is an indicator for ransomware. ... VTI Actions Go to Behavior
5/5	Local AV	Malicious content was detected by heuristic scan	1	-
Local AV detected the sample itself as "Gen:Variant.Ransom.1687". ... VTI Actions Go to AV match Go to file details
4/5	Injection	Writes into the memory of another running process	21	-
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\windows\system32\dwm.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\windows\system32\taskhost.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\windows\system32\taskeng.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\program files\microsoft office\weekends.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\program files (x86)\common files\divisions-threshold-gibraltar.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\program files (x86)\windows defender\cingular.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\program files (x86)\msbuild\expires bahamas juice.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\program files (x86)\mozilla maintenance service\violations_accompanying_show.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\program files\common files\immigration.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\program files\windows portable devices\dumb_si.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\program files\windows media player\mentioned-de-fc.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\program files (x86)\windows portable devices\portsmouth.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\program files (x86)\windows media player\guy coffee glenn.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\program files (x86)\windows photo viewer\argued.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\program files (x86)\common files\neil_cheese_modern.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\program files\internet explorer\tribal_dutch.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\program files\windows journal\centres_guys_ja.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\program files (x86)\reference assemblies\mayor.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\program files (x86)\java\budget nelson pantyhose.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\program files\reference assemblies\fence.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" modifies memory of "c:\program files (x86)\mozilla firefox\forest.exe". ... VTI Actions Go to Behavior
4/5	Injection	Modifies control flow of another process	19	-
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" creates thread in "c:\program files\microsoft office\weekends.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" creates thread in "c:\program files (x86)\common files\divisions-threshold-gibraltar.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" creates thread in "c:\program files (x86)\windows defender\cingular.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" creates thread in "c:\program files (x86)\msbuild\expires bahamas juice.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" creates thread in "c:\program files\windows defender\fpresellerfunction.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" creates thread in "c:\program files (x86)\mozilla maintenance service\violations_accompanying_show.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" creates thread in "c:\program files\common files\immigration.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" creates thread in "c:\program files\windows portable devices\dumb_si.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" creates thread in "c:\program files\windows media player\mentioned-de-fc.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" creates thread in "c:\program files (x86)\windows portable devices\portsmouth.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" creates thread in "c:\program files (x86)\windows media player\guy coffee glenn.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" creates thread in "c:\program files (x86)\windows photo viewer\argued.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" creates thread in "c:\program files (x86)\common files\neil_cheese_modern.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" creates thread in "c:\program files\internet explorer\tribal_dutch.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" creates thread in "c:\program files\windows journal\centres_guys_ja.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" creates thread in "c:\program files (x86)\reference assemblies\mayor.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" creates thread in "c:\program files (x86)\java\budget nelson pantyhose.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" creates thread in "c:\program files\reference assemblies\fence.exe". ... VTI Actions Go to Behavior
"c:\users\5p5nrgjn0js halpmcxz\desktop\_00270000.mem.exe" creates thread in "c:\program files (x86)\mozilla firefox\forest.exe". ... VTI Actions Go to Behavior
4/5	YARA	YARA match	7	-
Rule "JS_High_Entropy" from ruleset "Generic" has matched on the modified file "C:\Documents and Settings\5p5NrGJn0jS HALPmcxz\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Low\Content.IE5\IKQEEPZR\ga[1].js.RYK". ... VTI Actions Go to YARA match Go to file details
Rule "JS_High_Entropy" from ruleset "Generic" has matched on the modified file "C:\Documents and Settings\5p5NrGJn0jS HALPmcxz\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Low\Content.IE5\9QH4S0GZ\528d82a2[1].js.RYK". ... VTI Actions Go to YARA match Go to file details
Rule "JS_High_Entropy" from ruleset "Generic" has matched on the modified file "C:\Documents and Settings\5p5NrGJn0jS HALPmcxz\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Low\Content.IE5\IKQEEPZR\player[2].jspg.RYK.RYK". ... VTI Actions Go to YARA match Go to file details
Rule "JS_High_Entropy" from ruleset "Generic" has matched on the modified file "C:\Documents and Settings\5p5NrGJn0jS HALPmcxz\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Low\Content.IE5\IKQEEPZR\player[1].jspg.RYK.RYK". ... VTI Actions Go to YARA match Go to file details
Rule "JS_High_Entropy" from ruleset "Generic" has matched on the modified file "C:\Documents and Settings\5p5NrGJn0jS HALPmcxz\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Low\Content.IE5\IKQEEPZR\ast[2].js].jpg.RYK.RYK". ... VTI Actions Go to YARA match Go to file details
Rule "JS_High_Entropy" from ruleset "Generic" has matched on the modified file "C:\Documents and Settings\5p5NrGJn0jS HALPmcxz\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Low\Content.IE5\YG1R61Z8\ast[1].jsni.RYK.RYK". ... VTI Actions Go to YARA match Go to file details
Rule "JS_High_Entropy" from ruleset "Generic" has matched on the modified file "C:\Documents and Settings\5p5NrGJn0jS HALPmcxz\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Low\Content.IE5\YG1R61Z8\adex[1].js.jpg.RYK.RYK". ... VTI Actions Go to YARA match Go to file details
3/5	File System	Possibly drops ransom note files	1	Ransomware
Possibly drops ransom note files (creates 148 instances of the file "RyukReadMe.html" in different locations). ... VTI Actions Go to file details
2/5	Anti Analysis	Resolves APIs dynamically to possibly evade static detection	1	-
Resolves an unusually high number of APIs. ... VTI Actions Go to Behavior
2/5	Information Stealing	Reads sensitive browser data	1	-
Trying to read sensitive data of web browser "Internet Explorer / Edge" by file. ... VTI Actions Go to Behavior
2/5	Anti Analysis	Delays execution	1	-
One thread sleeps more than 5 minutes. ... VTI Actions Go to Behavior
2/5	Reputation	Known suspicious file	1	Trojan
File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_00270000.mem.exe" is a known suspicious file. ... VTI Actions Go to file details
1/5	Process	Creates process with hidden window	2	-
The process "taskkill" starts with hidden window. ... VTI Actions Go to Behavior
The process "net" starts with hidden window. ... VTI Actions Go to Behavior
1/5	Process	Creates a page with write and execute permissions	1	-
Allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. ... VTI Actions Go to Behavior
1/5	Masquerade	Changes folder appearance	70	-
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\history" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\history\low" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\history" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\history\history.ie5" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\history\low" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\history\low\history.ie5" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\feeds cache\1nbur4hr" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\feeds cache\6asvn7j7" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\feeds cache\d68g7bij" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\feeds cache\kqmhsvkd" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\feeds cache" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows mail\stationery" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\temp\history\history.ie5" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\temporary internet files" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\temporary internet files\low" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\history" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\history\history.ie5" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\history\low" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\history\low\history.ie5" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\feeds cache\1nbur4hr" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\feeds cache\6asvn7j7" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\feeds cache\d68g7bij" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\feeds cache" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\feeds cache\kqmhsvkd" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows mail\stationery" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\temp\history\history.ie5" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\temp\temporary internet files\content.ie5\03j4uqw0" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\temp\temporary internet files\content.ie5" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\temporary internet files\content.ie5" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\temp\temporary internet files\content.ie5\ketajp6d" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\temp\temporary internet files\content.ie5\vb18b0kb" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\temp\temporary internet files\content.ie5\xt1rpyg9" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\temporary internet files\content.ie5\mm5o9xqs" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\temporary internet files\content.ie5\pmmr5k9k" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\temporary internet files\content.ie5\rijuql1c" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\temporary internet files\content.ie5\x9ohk109" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\temporary internet files" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\temporary internet files\low\content.ie5\9qh4s0gz" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\temporary internet files\low\content.ie5\abv8l7my" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\temporary internet files\low\content.ie5" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\temporary internet files\low\content.ie5\ikqeepzr" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\temporary internet files\low\content.ie5\yg1r61z8" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\temporary internet files\low" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\history" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\history\history.ie5" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\history\low" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\history\low\history.ie5" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\microsoft\feeds cache\6asvn7j7" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\microsoft\feeds cache\d68g7bij" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\microsoft\feeds cache" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\microsoft\feeds cache\kqmhsvkd" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\microsoft\feeds cache\1nbur4hr" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\microsoft\windows mail\stationery" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\temp\history\history.ie5" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\temp\temporary internet files\content.ie5\03j4uqw0" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\temp\temporary internet files\content.ie5" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\temp\temporary internet files\content.ie5\ketajp6d" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\temp\temporary internet files\content.ie5\vb18b0kb" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\temp\temporary internet files\content.ie5\xt1rpyg9" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\temporary internet files\content.ie5" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\temporary internet files\content.ie5\mm5o9xqs" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\temporary internet files\content.ie5\pmmr5k9k" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\temporary internet files\content.ie5\rijuql1c" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\temporary internet files\content.ie5\x9ohk109" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\temporary internet files" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\temporary internet files\low\content.ie5\9qh4s0gz" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\temporary internet files\low\content.ie5\abv8l7my" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\temporary internet files\low\content.ie5" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\temporary internet files\low\content.ie5\ikqeepzr" has a changed appearance. ... VTI Actions Go to Behavior
Folder "c:\documents and settings\5p5nrgjn0js halpmcxz\appdata\local\application data\application data\application data\application data\application data\application data\application data\temporary internet files\low\content.ie5\yg1r61z8" has a changed appearance. ... VTI Actions
1/5	File System	Creates an unusually large number of files	1	-
Creates an unusually large number of files. ... VTI Actions Go to file details
1/5	Process	Process crashed	6	-
Process "c:\program files\microsoft office\weekends.exe" crashed. ... VTI Actions Go to process
Process "c:\program files (x86)\reference assemblies\mayor.exe" crashed. ... VTI Actions Go to process
Process "c:\program files\windows portable devices\dumb_si.exe" crashed. ... VTI Actions Go to process
Process "c:\program files (x86)\windows media player\guy coffee glenn.exe" crashed. ... VTI Actions Go to process
Process "c:\program files (x86)\java\budget nelson pantyhose.exe" crashed. ... VTI Actions Go to process
Process "c:\program files (x86)\mozilla firefox\forest.exe" crashed. ... VTI Actions Go to process
0/5	Process	Enumerates running processes	1	-
Enumerates running processes. ... VTI Actions Go to Behavior

Screenshots

Monitored Processes

Sample Information

ID	#647659
MD5	138b41384c5b507d13722a26206d1cad
SHA1	80c62c4abfd291c106fd36d1153d10744ed39f45
SHA256	6bf0c2bf0897f2def33481ed2e6f6eb8b71d3c9cf239b4dc463b3f3b8b5268bb
SSDeep	1536:oQH3HdBcDlO/3jOACLs8Vpa5pRJACD18u0srvvWAzZgylhsQBOsWqN6Fcd7Cjuvp:lHfYjscpVCZ8u0srX1TsIP60+Kvbl
ImpHash	64f84ba595559b0341bab9778bd27fed
Filename	_00270000.mem.exe
File Size	172.00 KB
Sample Type	Windows Exe (x86-32)

Analysis Information

Creation Time	2019-05-13 21:45 (UTC+2)
Analysis Duration	00:02:10
Number of Monitored Processes	50
Execution Successful
Reputation Enabled
WHOIS Enabled
Local AV Enabled
YARA Enabled
Number of AV Matches	1
Number of YARA Matches	7
Termination Reason	VM disk exhausted
Tags

Remarks (2/3)

VMRay Threat Indicators (16 rules, 135 matches)

Screenshots

Monitored Processes

Sample Information

Analysis Information

Before

After