VMRay Analyzer Report for Sample #18795 (VMRay Analyzer 2.2.0)

Sample-ID: #18795
Job-ID: #7824
Submission-ID: #18925
Sample file: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe (exe)
  MD5    f5aceff295707412e7679e7c0f3a797e
  SHA1   89c58b4bc7130630ff093afe1c57614a4b85ddc7
  SHA256 ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d
This sample was analyzed by VMRay Analyzer 2.2.0 on a Windows 7 system.
VTI Score: 0 (based on VTI Database Version 2.6)

Metadata of Analysis for Job-ID #7824
  Timeout: False
  Architecture: x86 64-bit
  VM image: win7_64_sp1
  Operating system: Windows 7 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
  Further values left unlabelled by the export: True, 322.886

Processes

Process 1: PID 2548, lxqfwvdqlkd.exe, parent PID 1380
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe

Process 2: PID 2596, lxqfwvdqlkd.exe, parent PID 2548
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe

Process 3: PID 1380, explorer.exe, parent PID 18446744073709551615 (0xFFFFFFFFFFFFFFFF, no parent recorded)
  Command line: C:\Windows\Explorer.EXE
  Working directory: C:\Windows\system32\
  Image: c:\windows\explorer.exe

Process 4: PID 2608, autofmt.exe, parent PID 1380
  Command line: "C:\Windows\SysWOW64\autofmt.exe"
  Working directory: C:\Windows\system32\
  Image: c:\windows\syswow64\autofmt.exe

Process 5: PID 2616, msiexec.exe, parent PID 1380
  Command line: "C:\Windows\SysWOW64\msiexec.exe"
  Working directory: C:\Windows\system32\
  Image: c:\windows\syswow64\msiexec.exe

Process 6: PID 2628, cmd.exe, parent PID 2616
  Command line: cmd.exe /c copy "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe" "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr" /V
  Working directory: C:\Windows\system32\
  Image: c:\windows\syswow64\cmd.exe

Process 7: PID 2648, cmd.exe, parent PID 2616
  Command line: cmd.exe /c del "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe"
  Working directory: C:\Windows\system32\
  Image: c:\windows\syswow64\cmd.exe

Process 8: PID 2824, firefox.exe, parent PID 2616
  Command line: "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
  Working directory: C:\Windows\system32\
  Image: c:\program files (x86)\mozilla firefox\firefox.exe

Process 9: PID 1340, igfxonux.scr, parent PID 844
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr" /S
  Working directory: C:\Windows\system32\
  Image: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr

Process 10: PID 824, igfxonux.scr, parent PID 1340
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr" /S
  Working directory: C:\Windows\system32\
  Image: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr

Process 11: PID 844, explorer.exe, parent PID 688
  Command line: C:\Windows\Explorer.EXE
  Working directory: C:\Windows\system32\
  Image: c:\windows\explorer.exe

Process 12: PID 1572, autochk.exe, parent PID 844
  Command line: "C:\Windows\SysWOW64\autochk.exe"
  Working directory: C:\Windows\system32\
  Image: c:\windows\syswow64\autochk.exe

Process 13: PID 1588, cmstp.exe, parent PID 844
  Command line: "C:\Windows\SysWOW64\cmstp.exe"
  Working directory: C:\Windows\system32\
  Image: c:\windows\syswow64\cmstp.exe

Process 14: PID 1756, firefox.exe, parent PID 1588
  Command line: "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
  Working directory: C:\Windows\system32\
  Image: c:\program files (x86)\mozilla firefox\firefox.exe

Process 15: PID 708, svchost.exe, parent PID 472
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  Working directory: C:\Windows\system32\
  Image: c:\windows\system32\svchost.exe

Malware Artifacts (Sample #18795)

Files
  Standard handles: STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE
  c:\windows\syswow64\ntdll.dll (dll)
  c:\windows\syswow64\msiexec.exe (exe)
  c:\windows\syswow64\cmstp.exe (exe)
  c:\windows\system32\drivers\etc\hosts
  c:\program files (x86)\mozilla firefox\firefox.exe (exe)
  c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe (exe) [Copied_From]
  c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr (scr) [Copied_To]
    MD5    f5aceff295707412e7679e7c0f3a797e
    SHA1   89c58b4bc7130630ff093afe1c57614a4b85ddc7
    SHA256 ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d
    (identical hashes to the submitted sample)
  c:\users\5p5nrgjn0js halpmcxz\igfxonux.scr (scr)
  c:\users\5p5nrgjn0js halpmcxz\lxqfwvdqlkd.exe (exe)
  c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\lxqfwvdqlkd.exe (exe)
  c:\users\5p5nrg~1\appdata\local\temp\lxqfwvdqlkd.exe (exe)
  c:\program files (x86)\lxqfwvdqlkd.exe (exe)
  c:\program files (x86)\common files\lxqfwvdqlkd.exe (exe)
  c:\programdata\lxqfwvdqlkd.exe (exe)
  c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\8q-59uav (directory)
  c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\8q-59uav\8q-log.ini (ini)
    MD5    d41d8cd98f00b204e9800998ecf8427e
    SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    (the hashes of a zero-byte file)
  c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\8q-59uav\8q-logrc.ini (ini)
    MD5    e03f207a7b9cfc4d877ed2ec64be028e
    SHA1   8990d4c5b8a881e0a1593040564a9a6dc5664695
    SHA256 b17183098b6e349844a3151456edf62c8e41b2348d2445a610c0ff1e29963067
  c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\8q-59uav\8q-logri.ini (ini)
    MD5    d63a82e5d81e02e399090af26db0b9cb
    SHA1   91d0014c8f54743bba141fd60c9d963f869d76c9
    SHA256 eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
  c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\8q-59uav\8q-logrv.ini (ini)
    MD5    ba3b6bc807d4f76794c4b81b09bb9ba5
    SHA1   24cb89501f0212ff3095ecc0aba97dd563718fb1
    SHA256 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
  c:\users\5p5nrgjn0js halpmcxz\appdata\local\google\chrome\user data\default\login data
  c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\opera software\opera stable\login data

Mutexes
  (nameless mutex)
  S-1-5-21-3388679-13801793209033
  S-1-5-21-3388679-8441793209033
  L53886-WGVVJKAFC
  8Q-59UAVA1ZvGWMZ

Registry keys
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion (value: ProductName)
  HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\ (value: CurrentVersion)
  HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main (value: Install Directory)
  HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\
  HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor (values: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun)
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor (same values as above)
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
  HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    value autochkDNAL2 (REG_SZ) = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr
  HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
  HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
  HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\
  HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
    subkeys read under this profile key:
      05cb6f136411cf4daf1f74e966b0a7dc
      0a0d020000000000c000000000000046
      13dbb0c8aa05101a9bb000aa002fc45a
      3517490d76624c419a828607e2a54604
      4b62e5f8c092a64ea9b79fd559a5a15e
      609a848a708f544697003a34105400ef
      63cba20b08018a458b6edb5d87fb54da
      828cd3a417cead4ab3a214070dce1c3d
      8503020000000000c000000000000046
      88d17fec23cbdd4fb54ad1d34c0dce09
      9207f3e0a3b11019908b08002b2a56c2
      9375CFF0413111d3B88A00104B2A6676 (and its subkeys 00000001, 00000002, 00000003, 00000004)
      a533ec91a4f74549ac2130b6908c8aac
      b70c659765f94740b657fee657d05ab4
      cce6b8ce16bac4458e5e40e3530d6f1d
      dd7f40a823cda64b92e9a96e9e46e406
      ddb0922fc50b8d42be5a821ede840761
      f86ed2903a4a11cfb57e524153480001
      {D9734F19-8CFB-411D-BC59-833E334FCB5E} (and its subkey Calendar Summary)

VTI Rule Matches

Each entry gives the VTI category, the rule score out of 5, the rule name, the matched behaviour and, in brackets, the technique the rule belongs to.

  [Process, 1/5] vmray_install_ipc_endpoint: Create nameless mutex. (Create system object)
  [Anti Analysis, 1/5] vmray_dynamic_api_usage_by_api: Resolve above average number of APIs. (Dynamic API usage)
  [Process, 1/5] vmray_create_process_with_hidden_window: The process "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe" starts with hidden window. (Create process with hidden window)
  [Process, 1/5] vmray_allocate_wx_page: Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. (Create a page with write and execute permissions)
  [File System, 1/5] vmray_create_file_in_os_dir: Create file "\??\C:\Windows\SysWOW64\ntdll.dll" in the OS directory. (Modify operating system directory)
  [File System, 1/5] vmray_overwrite_file_in_os_dir: Modify file "\??\C:\Windows\SysWOW64\ntdll.dll" in the OS directory. (Modify operating system directory)
  [Anti Analysis, 2/5] vmray_detect_kernel_debugger_by_api: Check via API "NtQuerySystemInformation". (Try to detect kernel debugger)
  [Anti Analysis, 1/5] vmray_detect_debugger_by_api: Check via API "NtQueryInformationProcess". (Try to detect debugger)
  [Process, 1/5] vmray_read_from_remote_process: "c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe" reads from "c:\windows\explorer.exe". (Read from memory of another process)
  [Anti Analysis, 1/5] vmray_delay_execution_by_sleep: One thread sleeps more than 5 minutes. (Delay execution)
  [Anti Analysis, 3/5] vmray_illegitimate_api_usage_by_create_process_internal: Internal API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\autofmt.exe". (Illegitimate API usage)
  [Process, 1/5] vmray_create_process_with_hidden_window: The process "C:\Windows\SysWOW64\autofmt.exe" starts with hidden window. (Create process with hidden window)
  [Anti Analysis, 3/5] vmray_illegitimate_api_usage_by_create_process_internal: Internal API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\msiexec.exe". (Illegitimate API usage)
  [Process, 1/5] vmray_create_process_with_hidden_window: The process "C:\Windows\SysWOW64\msiexec.exe" starts with hidden window. (Create process with hidden window)
  [File System, 1/5] vmray_create_file_in_os_dir: Create file "\??\C:\Windows\SysWOW64\msiexec.exe" in the OS directory. (Modify operating system directory)
  [File System, 1/5] vmray_overwrite_file_in_os_dir: Modify file "\??\C:\Windows\SysWOW64\msiexec.exe" in the OS directory. (Modify operating system directory)
  [Process, 1/5] vmray_read_from_remote_process: "c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe" reads from "c:\windows\syswow64\msiexec.exe". (Read from memory of another process)
  [Process, 1/5] vmray_install_ipc_endpoint: Create mutex with name "L53886-WGVVJKAFC". (Create system object)
  [Process, 1/5] vmray_install_ipc_endpoint: Create mutex with name "8Q-59UAVA1ZvGWMZ". (Create system object)
  [Anti Analysis, 3/5] vmray_illegitimate_api_usage_by_create_process_internal: Internal API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\cmd.exe". (Illegitimate API usage)
  [Process, 1/5] vmray_create_process_with_hidden_window: The process "C:\Windows\SysWOW64\cmd.exe" starts with hidden window. (Create process with hidden window)
  [Persistence, 1/5] vmray_install_startup_script_by_registry: Add "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr" to windows startup via registry. (Install system startup script or application)
  [File System, 1/5] vmray_create_file_in_os_dir: Create file "\??\C:\Windows\System32\drivers\etc\hosts" in the OS directory. (Modify operating system directory)
  [File System, 1/5] vmray_overwrite_file_in_os_dir: Modify file "\??\C:\Windows\System32\drivers\etc\hosts" in the OS directory. (Modify operating system directory)
  [Network, 3/5] vmray_read_hosts_file: Read the current network configuration through the host.conf file. (Read network configuration)
  [Process, 1/5] vmray_read_from_remote_process: "c:\windows\syswow64\msiexec.exe" reads from "c:\windows\explorer.exe". (Read from memory of another process)
  [Process, 1/5] vmray_install_ipc_endpoint: Create mutex with name "S-1-5-21-3388679-13801793209033". (Create system object)
  [Anti Analysis, 3/5] vmray_illegitimate_api_usage_by_create_process_internal: Internal API "CreateProcessInternalW" was used to start "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe". (Illegitimate API usage)
  [Process, 1/5] vmray_create_process_with_hidden_window: The process "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" starts with hidden window. (Create process with hidden window)
  [Process, 1/5] vmray_read_from_remote_process: "c:\windows\syswow64\msiexec.exe" reads from "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe". (Read from memory of another process)
  [Process, 1/5] vmray_create_process_with_hidden_window: The process "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr" starts with hidden window. (Create process with hidden window)
  [Process, 1/5] vmray_read_from_remote_process: "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr" reads from "c:\windows\explorer.exe". (Read from memory of another process)
  [Anti Analysis, 3/5] vmray_illegitimate_api_usage_by_create_process_internal: Internal API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\rdpclip.exe". (Illegitimate API usage)
  [Process, 1/5] vmray_create_process_with_hidden_window: The process "C:\Windows\SysWOW64\rdpclip.exe" starts with hidden window. (Create process with hidden window)
  [Anti Analysis, 3/5] vmray_illegitimate_api_usage_by_create_process_internal: Internal API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\autochk.exe". (Illegitimate API usage)
  [Process, 1/5] vmray_create_process_with_hidden_window: The process "C:\Windows\SysWOW64\autochk.exe" starts with hidden window. (Create process with hidden window)
  [Anti Analysis, 3/5] vmray_illegitimate_api_usage_by_create_process_internal: Internal API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\cmstp.exe". (Illegitimate API usage)
  [Process, 1/5] vmray_create_process_with_hidden_window: The process "C:\Windows\SysWOW64\cmstp.exe" starts with hidden window. (Create process with hidden window)
  [File System, 1/5] vmray_create_file_in_os_dir: Create file "\??\C:\Windows\SysWOW64\cmstp.exe" in the OS directory. (Modify operating system directory)
  [File System, 1/5] vmray_overwrite_file_in_os_dir: Modify file "\??\C:\Windows\SysWOW64\cmstp.exe" in the OS directory. (Modify operating system directory)
  [Process, 1/5] vmray_read_from_remote_process: "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr" reads from "c:\program files\windows nt\hungry sage sender.exe". (Read from memory of another process)
  [Process, 1/5] vmray_read_from_remote_process: "c:\windows\syswow64\cmstp.exe" reads from "c:\windows\explorer.exe". (Read from memory of another process)
  [Process, 1/5] vmray_read_from_remote_process: "c:\windows\syswow64\cmstp.exe" reads from "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe". (Read from memory of another process)
  [Process, 1/5] vmray_install_ipc_endpoint: Create mutex with name "S-1-5-21-3388679-8441793209033". (Create system object)