VMRay Analyzer Report for Sample #19992 VMRay Analyzer 2.2.0 Process 1 2376 ifzkkpwij.exe 1372 ifzkkpwij.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ifzkkpwij.exe" C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ c:\users\5p5nrgjn0js halpmcxz\desktop\ifzkkpwij.exe Child_Of Created Created Created Process 2 2400 rundll32.exe 2376 rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15 C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ c:\windows\syswow64\rundll32.exe Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Opened Opened Opened Created Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Process 3 2420 cmd.exe 2400 cmd.exe /c schtasks /Delete /F /TN rhaegal C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ c:\windows\syswow64\cmd.exe Child_Of Created Opened Opened Opened Opened Opened Process 4 2440 schtasks.exe 2420 schtasks.exe schtasks /Delete /F /TN rhaegal C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ c:\windows\syswow64\schtasks.exe Opened Process 5 2456 cmd.exe 2400 cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1550063777 && exit" C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ c:\windows\syswow64\cmd.exe Child_Of Created Opened Opened Opened Opened Opened Process 6 2480 cmd.exe 2400 cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:34:00 C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ c:\windows\syswow64\cmd.exe Child_Of Created Opened Opened 
Opened Opened Opened Process 7 2488 schtasks.exe 2456 schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1550063777 && exit" C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ c:\windows\syswow64\schtasks.exe Child_Of Child_Of Opened Process 8 2516 41d0.tmp 2400 41d0.tmp "C:\Windows\41D0.tmp" \\.\pipe\{2FDFCF81-BD74-41C3-9115-F628925CC568} C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ c:\windows\41d0.tmp Opened Opened Opened Wrote_To Process 9 2544 schtasks.exe 2480 schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:34:00 C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ c:\windows\syswow64\schtasks.exe Child_Of Opened Process 10 1728 taskeng.exe 840 taskeng.exe taskeng.exe {E7027C3A-1DB2-40E8-88FC-68D4A38CC290} S-1-5-18:NT AUTHORITY\System:Service: C:\Windows\system32\ c:\windows\system32\taskeng.exe Process 11 1468 taskeng.exe 840 taskeng.exe taskeng.exe {896F3D9B-55A7-4F1F-A74F-2820A0C0801C} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1] C:\Windows\system32\ c:\windows\system32\taskeng.exe Process 12 2616 cmd.exe 2400 cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ c:\windows\syswow64\cmd.exe Child_Of Child_Of Child_Of Child_Of Child_Of Created Opened Opened Opened Opened Opened Process 13 2636 wevtutil.exe 2616 wevtutil.exe wevtutil cl Setup C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ c:\windows\syswow64\wevtutil.exe Process 14 2648 wevtutil.exe 2616 wevtutil.exe wevtutil cl System C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ c:\windows\syswow64\wevtutil.exe Process 15 2660 wevtutil.exe 2616 wevtutil.exe wevtutil cl Security C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ c:\windows\syswow64\wevtutil.exe Process 16 2672 wevtutil.exe 2616 wevtutil.exe wevtutil cl Application 
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ c:\windows\syswow64\wevtutil.exe Process 17 2684 fsutil.exe 2616 fsutil.exe fsutil usn deletejournal /D C: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ c:\windows\syswow64\fsutil.exe Process 18 2692 cmd.exe 2400 cmd.exe /c schtasks /Delete /F /TN drogon C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ c:\windows\syswow64\cmd.exe Opened Opened Opened Opened Opened Process 19 1092 taskeng.exe 884 taskeng.exe taskeng.exe {4222EA2E-0F28-4DC3-9F30-F6A79682CE97} S-1-5-18:NT AUTHORITY\System:Service: C:\Windows\system32\ c:\windows\system32\taskeng.exe Child_Of Process 20 4 System 18446744073709551615 System None System Child_Of Process 21 264 smss.exe 4 smss.exe \SystemRoot\System32\smss.exe C:\Windows c:\windows\system32\smss.exe Child_Of Child_Of Child_Of Child_Of Process 22 332 csrss.exe 324 csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 C:\Windows\system32 c:\windows\system32\csrss.exe Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Process 23 380 wininit.exe 324 wininit.exe wininit.exe C:\Windows\system32 c:\windows\system32\wininit.exe Child_Of Child_Of Child_Of Process 24 392 csrss.exe 372 csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 C:\Windows\system32 c:\windows\system32\csrss.exe Process 25 436 winlogon.exe 372 winlogon.exe winlogon.exe C:\Windows\system32 c:\windows\system32\winlogon.exe Child_Of Child_Of Process 26 472 services.exe 380 services.exe C:\Windows\system32\services.exe C:\Windows\system32\ 
c:\windows\system32\services.exe Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Process 27 480 lsass.exe 380 lsass.exe C:\Windows\system32\lsass.exe C:\Windows\system32\ c:\windows\system32\lsass.exe Process 28 488 lsm.exe 380 lsm.exe C:\Windows\system32\lsm.exe C:\Windows\system32\ c:\windows\system32\lsm.exe Process 29 604 svchost.exe 472 svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\ c:\windows\system32\svchost.exe Child_Of Child_Of Child_Of Process 30 672 svchost.exe 472 svchost.exe C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\system32\ c:\windows\system32\svchost.exe Process 31 720 svchost.exe 472 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\system32\ c:\windows\system32\svchost.exe Child_Of Process 32 792 logonui.exe 436 logonui.exe "LogonUI.exe" /flags:0x0 C:\Windows\system32\ c:\windows\system32\logonui.exe Process 33 828 svchost.exe 472 svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\ c:\windows\system32\svchost.exe Child_Of Process 34 884 svchost.exe 472 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\ c:\windows\system32\svchost.exe Process 35 944 audiodg.exe 720 audiodg.exe C:\Windows\system32\AUDIODG.EXE 0x2e4 C:\Windows c:\windows\system32\audiodg.exe Process 36 284 svchost.exe 472 svchost.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\ c:\windows\system32\svchost.exe Process 37 312 svchost.exe 472 svchost.exe C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\system32\ c:\windows\system32\svchost.exe Process 38 1060 dllhost.exe 604 dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} C:\Windows\system32\ c:\windows\system32\dllhost.exe Process 39 1084 spoolsv.exe 472 spoolsv.exe C:\Windows\System32\spoolsv.exe C:\Windows\system32\ c:\windows\system32\spoolsv.exe Process 
40 1148 svchost.exe 472 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Windows\system32\ c:\windows\system32\svchost.exe Process 41 1184 taskhost.exe 472 taskhost.exe "taskhost.exe" C:\Windows\system32\ c:\windows\system32\taskhost.exe Process 42 1236 userinit.exe 436 userinit.exe C:\Windows\system32\userinit.exe C:\Windows\system32\ c:\windows\system32\userinit.exe Child_Of Process 43 1252 dwm.exe 828 dwm.exe "C:\Windows\system32\Dwm.exe" C:\Windows\system32\ c:\windows\system32\dwm.exe Process 44 1264 explorer.exe 1236 explorer.exe C:\Windows\Explorer.EXE C:\Windows\system32\ c:\windows\explorer.exe Child_Of Child_Of Process 45 1416 bcssync.exe 1264 bcssync.exe "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices C:\Windows\system32\ c:\program files\microsoft office\office14\bcssync.exe Process 46 1424 runonce.exe 1264 runonce.exe C:\Windows\SysWOW64\runonce.exe /Run6432 C:\Windows\SysWOW64\ c:\windows\syswow64\runonce.exe Child_Of Child_Of Child_Of Process 47 1576 dllhost.exe 604 dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} C:\Windows\system32\ c:\windows\system32\dllhost.exe Process 48 1656 reader_sl.exe 1424 reader_sl.exe "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\reader_sl.exe" C:\Windows\SysWOW64\ c:\program files (x86)\adobe\reader 10.0\reader\reader_sl.exe Process 49 1672 adobearm.exe 1424 adobearm.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" C:\Windows\SysWOW64\ c:\program files (x86)\common files\adobe\arm\1.0\adobearm.exe Process 50 1688 jusched.exe 1424 jusched.exe "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" C:\Windows\SysWOW64\ c:\program files (x86)\common files\java\java update\jusched.exe Process 51 2028 taskhost.exe 472 taskhost.exe taskhost.exe SYSTEM C:\Windows\system32\ c:\windows\system32\taskhost.exe Process 52 824 cmd.exe 1092 cmd.exe C:\Windows\system32\cmd.exe /C Start "" "C:\Windows\dispci.exe" 
-id 1550063777 && exit C:\Windows\system32\ c:\windows\system32\cmd.exe Child_Of Created Opened Opened Opened Opened Opened Opened Process 53 820 conhost.exe 332 conhost.exe \??\C:\Windows\system32\conhost.exe C:\Windows\system32\ c:\windows\system32\conhost.exe Process 54 844 dispci.exe 824 dispci.exe "C:\Windows\dispci.exe" -id 1550063777 C:\Windows\system32\ c:\windows\dispci.exe Child_Of Child_Of Child_Of Child_Of Created Opened Opened Opened Wrote_To Created Created Process 55 1568 conhost.exe 332 conhost.exe \??\C:\Windows\system32\conhost.exe C:\Windows\system32\ c:\windows\system32\conhost.exe Process 56 1528 cmd.exe 844 cmd.exe /c schtasks /Delete /F /TN rhaegal C:\Windows\system32\ c:\windows\syswow64\cmd.exe Child_Of Created Opened Opened Opened Opened Opened Process 57 1616 cmd.exe 844 cmd.exe /c schtasks /Delete /F /TN drogon C:\Windows\system32\ c:\windows\syswow64\cmd.exe Child_Of Created Opened Opened Opened Opened Opened Process 58 1684 conhost.exe 332 conhost.exe \??\C:\Windows\system32\conhost.exe C:\Windows\system32\ c:\windows\system32\conhost.exe Process 59 1640 conhost.exe 332 conhost.exe \??\C:\Windows\system32\conhost.exe C:\Windows\system32\ c:\windows\system32\conhost.exe Process 60 1692 cmd.exe 844 cmd.exe /c schtasks /Create /SC ONCE /TN viserion_1 /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:20:00 C:\Windows\system32\ c:\windows\syswow64\cmd.exe Child_Of Created Opened Opened Opened Opened Opened Process 61 1612 conhost.exe 332 conhost.exe \??\C:\Windows\system32\conhost.exe C:\Windows\system32\ c:\windows\system32\conhost.exe Process 62 1788 cmd.exe 844 cmd.exe /c schtasks /Delete /F /TN viserion_0 C:\Windows\system32\ c:\windows\syswow64\cmd.exe Child_Of Created Opened Opened Opened Opened Opened Process 63 1672 conhost.exe 332 conhost.exe \??\C:\Windows\system32\conhost.exe C:\Windows\system32\ c:\windows\system32\conhost.exe Process 64 1800 dllhost.exe 604 dllhost.exe C:\Windows\system32\DllHost.exe 
/Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} C:\Windows\system32\ c:\windows\system32\dllhost.exe Process 65 1836 schtasks.exe 1528 schtasks.exe schtasks /Delete /F /TN rhaegal C:\Windows\system32\ c:\windows\syswow64\schtasks.exe Opened Process 66 1668 schtasks.exe 1692 schtasks.exe schtasks /Create /SC ONCE /TN viserion_1 /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:20:00 C:\Windows\system32\ c:\windows\syswow64\schtasks.exe Opened Process 67 1368 schtasks.exe 1616 schtasks.exe schtasks /Delete /F /TN drogon C:\Windows\system32\ c:\windows\syswow64\schtasks.exe Opened Process 68 1604 schtasks.exe 1788 schtasks.exe schtasks /Delete /F /TN viserion_0 C:\Windows\system32\ c:\windows\syswow64\schtasks.exe Opened File users\5p5nrgjn0js halpmcxz\desktop\ifzkkpwij.exe users\5p5nrgjn0js halpmcxz\desktop\ifzkkpwij.exe c:\ c:\users\5p5nrgjn0js halpmcxz\desktop\ifzkkpwij.exe exe File windows\infpub.dat windows\infpub.dat c:\ c:\windows\infpub.dat dat MD5 1d724f95c61f1055f0d02c2154bbccd3 SHA1 79116fe99f2b421c52ef64097f0f39b815b20907 SHA256 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 File windows\infpub.dat windows\infpub.dat c:\ c:\windows\infpub.dat dat File windows\cscc.dat windows\cscc.dat c:\ c:\windows\cscc.dat dat MD5 edb72f4a46c39452d1a5414f7d26454a SHA1 08f94684e83a27f2414f439975b7f8a6d61fc056 SHA256 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 File windows\dispci.exe windows\dispci.exe c:\ c:\windows\dispci.exe exe MD5 b14d8faf7f0cbcfad051cefe5f39645f SHA1 afeee8b4acff87bc469a6f0364a81ae5d60a2add SHA256 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 File windows\41d0.tmp windows\41d0.tmp c:\ c:\windows\41d0.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File bootsect.bak bootsect.bak c:\ c:\bootsect.bak bak File msocache\all 
users\{90140000-0016-0409-1000-0000000ff1ce}-c\excellr.cab msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excellr.cab c:\ c:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excellr.cab cab MD5 87cf3392dfc386ebd494fa4e72b747fc SHA1 f940f7e3770462a4809bad3e995ae46d522190ef SHA256 fa125a9e042003f5443f6c8ac5eb108cd7a5483eab39e1b3b5c059d60215d9e7 File msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excelmui.xml msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excelmui.xml c:\ c:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excelmui.xml xml MD5 a20a768a81afee200bf6db18a3056541 SHA1 3592d4d77e481c9b7eaa614deeb36e72a994218e SHA256 448403a1b7ca253b91174d36a3881cc183d2ffeaaa3eed0496d802539538c114 File msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\setup.xml msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\setup.xml c:\ c:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\setup.xml xml MD5 a5cfdf621750a94cbc0f0719a533eaf4 SHA1 6e282e3fb7afc487422d73271a729e7e4718a328 SHA256 dfe114759d655205b57f759e89f6da508d36aa1a4a84cee2fc6d743ef2655d40 File msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\powerpointmui.xml msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\powerpointmui.xml c:\ c:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\powerpointmui.xml xml MD5 380dcda4098e62f1f5664921cf6cdd6c SHA1 0c64f4559ed2f12cf42ee1ff2dd14d806e16ce87 SHA256 12744847431c8b2fc23c7e47dc6ec275419958ebdbcb39af589eda58dce9ead3 File msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\pptlr.cab msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\pptlr.cab c:\ c:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\pptlr.cab cab MD5 43425a50ee06e30dd272c3ff17bb0427 SHA1 230a74cfbf7ae520dd726174711e0d3533f60fff SHA256 752cc8c341f4e4d0a6036607a12df396047a4e9f3a461be21dadea54f5de67a3 File msocache\all 
users\{90140000-0018-0409-1000-0000000ff1ce}-c\setup.xml msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\setup.xml c:\ c:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\setup.xml xml MD5 be16f68fd043d935ad963ea4c3d736bc SHA1 3693091b6827d78dd9414a6f485abb53b8edfbca SHA256 e21fac606118ecf75d5a4d1966574895104dd3024f7122339edbabb634cf5d13 File msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\publishermui.xml msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\publishermui.xml c:\ c:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\publishermui.xml xml MD5 cf6fa18c52894350bea091528fc31218 SHA1 7057c7772d2b3290ddea402ff765e67901afaa63 SHA256 8f2a61e71446971c5f5010abf0d324222993e7f79e0b3a3a8d6719eb9f3f2546 File msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\publr.cab msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\publr.cab c:\ c:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\publr.cab cab MD5 85a68488be13ebc093b067ea1475ccf4 SHA1 3fc88da1570badea2c61a9517e06e1a41e51035b SHA256 7cda2a6ea0faca19b16802165b3a6add583fe06141ee843e5b8c10f89a9106bb File msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\setup.xml msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\setup.xml c:\ c:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\setup.xml xml MD5 146cee28b00dbf679ed697b6f33d6fc0 SHA1 4b22431fa5e445f6f630e7f8a6b668125c4d3ec3 SHA256 a32fc1e86edbf4a24426684c8700693b511c649ddd36e25090018e00f37e7300 File msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\outlklr.cab msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\outlklr.cab c:\ c:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\outlklr.cab cab MD5 ea9b20690debbe698df7bcdee8af861e SHA1 383953c3903f3def7f4a8dfc961b632bc747f58a SHA256 7a63a991eeae97834d4ee1911ccded08b7f9f47167bb73717551bedd1f3b3071 File msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\outlookmui.xml 
msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\outlookmui.xml c:\ c:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\outlookmui.xml xml MD5 3db069e923ed265020abbe0aeeb20516 SHA1 dde8ecfc4f9d094feb2e9b831193fcc4cddb98da SHA256 73c778eb6570c7c49aa0c5fc4b3b246f6bc335819cacd7f68716be0384068d9a File msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\setup.xml msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\setup.xml c:\ c:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\setup.xml xml MD5 4bde0423f361b421519b65c28bde6cc2 SHA1 4e05353ba59608761c42ab503768718fd4ea9d0e SHA256 87f2dc684dbabea1b50206f66acef5d1164deb93327b6cb03201e9f0b4e4735a File msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\setup.xml msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\setup.xml c:\ c:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\setup.xml xml MD5 2c56ebeae266b0945b278f8cb01732c8 SHA1 b29ffe456e5fb9ed0f8e90effbf30fc96862b153 SHA256 ffe497bab3fb4bd8401b6ded8d9f23d3bd07ac5d3ee0489ffa4f06254a053264 File msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\wordlr.cab msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\wordlr.cab c:\ c:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\wordlr.cab cab MD5 8ab2632c2d433efc3b75df58f9d73dae SHA1 2d627a56bd4283688e4c69c4b418010b0c7d1820 SHA256 0a0c05a8af443700679eef4db9d19a12a22e19342bc56351be4738eb7f17f3d9 File msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\wordmui.xml msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\wordmui.xml c:\ c:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\wordmui.xml xml MD5 5b5f9cedbc03caf54b38039ff2b1487b SHA1 fea2f54353593e4d88887393b651fdbb3ba79324 SHA256 425d33325b790e9ad234441f1a2adc245d397f19f07bbf53c6b53282c443cb8a File msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\proof.cab msocache\all 
users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\proof.cab c:\ c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\proof.cab cab MD5 b7ed442d187f7892bc057b6004e83599 SHA1 cf0239dd6407ffb1bfaff75c154e5b6ff261be74 SHA256 e50f152da6840a55a0f185499b2381bac2668aa38a61d70ac191cc8f456025e0 File msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\proof.xml msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\proof.xml c:\ c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\proof.xml xml MD5 15153c4f2a05f30d0283700f557c85d2 SHA1 49e02205a4b52d394ff129472c75f31f24be11bd SHA256 5135fa2425ba2cdff867dc297ca432bcaef9bf0c3755c1304e4a661767f36607 File msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.es\proof.cab msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.es\proof.cab c:\ c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.es\proof.cab cab MD5 01522cc818e3cb5c1f88f0af6b71d2a9 SHA1 89ab8491fb830a0e1f96fa654820c80e3853e31a SHA256 72245180f2d45a7ff7fad89fda1cd0bf4aea2bc5f1467c58b56ecb83c86c146f File msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.es\proof.xml msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.es\proof.xml c:\ c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.es\proof.xml xml MD5 3b30045ad6c97ff866342decbf09ab28 SHA1 4bba2d45d8bca9bc168ca55f74d02c80eaaf6828 SHA256 a44f1691b44e6bd338b74ddaad4a6be3ec62789882a1cf42a53d6a97ba611c09 File msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.fr\proof.cab msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.fr\proof.cab c:\ c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.fr\proof.cab cab MD5 0335234c7c545ba002aeb3df922f7686 SHA1 04a74035ae437f4fc5aaad4eb15931f65853e82b SHA256 669e004f14ac15858414dffdc0d4002a2fc54621f1b1ce33ae0c72ff26edd29a File msocache\all 
users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.fr\proof.xml msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.fr\proof.xml c:\ c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.fr\proof.xml xml MD5 d4ea0313aa839edf612c9ee1b33b92c5 SHA1 54de0ac01c3d5567499e29454eedaa473ed79d93 SHA256 882b5924b55e8ee500f7aff61a11abea43771ea12cc474a714ccfb8255ab2343 File msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proofing.xml msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proofing.xml c:\ c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proofing.xml xml MD5 f570a344598fb3126736a6ed636f069d SHA1 8333909319182a2e880bb757ec6498650fa81889 SHA256 1fd1b9d62a4c31ce9bbccc238b5c2968b64a6124a8c6fe1934ea7820326e0614 File msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\setup.xml msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\setup.xml c:\ c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\setup.xml xml MD5 aad695e82a73aba6565adf1251f3bb6b SHA1 0d863f3a8d023547553c16663170df3dc63c2a79 SHA256 fa6379ddcc35d29cd142c0a68bc6fb0289ced7fcea8bd8328a544e7d3d5472c4 File msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\office32mui.xml msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\office32mui.xml c:\ c:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\office32mui.xml xml MD5 5c46b16a535150be984a13005a582bb1 SHA1 ea8a7e2020fe6c3fb672596a0d13c548e6660dae SHA256 f2f29f4820305a8e6f1d233b87212df1f9deb506b6050090b4a5cca29f7872d9 File msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\owow32lr.cab msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\owow32lr.cab c:\ c:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\owow32lr.cab cab MD5 53dff27d197fac5fec615fd204378274 SHA1 724edbe96e984e05486c8f051f3f3cd7b4f50252 SHA256 034a8515267cffff2909d9d2c241aa7b63d1f1b9298f5c97b928830fc4003e4c File msocache\all 
users\{90140000-0043-0409-1000-0000000ff1ce}-c\setup.xml msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\setup.xml c:\ c:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\setup.xml xml MD5 938647548a6e4b74ea13e78465570a88 SHA1 72117b74130db120ea4631d81f05ba317719856f SHA256 bc8e71a789537b982077972a1d3cf2d5cf548e2c0d584e262198198d53398f23 File msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\inflr.cab msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\inflr.cab c:\ c:\msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\inflr.cab cab MD5 b1942518b15f0af4b81329b96a4cd97b SHA1 cd1bcdf2dcea0c11a73203fb61387fb5b20a33ec SHA256 eea2e87a37f7f432cb7761a90407d1ec10abb4311e59d8361e55a214cc97e546 File msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\infopathmui.xml msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\infopathmui.xml c:\ c:\msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\infopathmui.xml xml MD5 180f8b1fde6c589a1c9e529a8dedfb42 SHA1 885f800cd0d0904b4dac55a6c9b840ac34ca1b09 SHA256 614c51f1e9a2760f1f308724e5520d61749aaf8e3e282244bad26a4031e1aa47 File msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\setup.xml msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\setup.xml c:\ c:\msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\setup.xml xml MD5 fe2c346594a0317e1cd552fbb55709fa SHA1 e2afd9514e47e3708d68d5d7e0cb22cf348cde99 SHA256 18d690cf2acfd0f7b7cfcd994563e5ed40e2e1fae7466a8a6b8a372205c62195 File msocache\all users\{90140000-0054-0409-1000-0000000ff1ce}-c\setup.xml msocache\all users\{90140000-0054-0409-1000-0000000ff1ce}-c\setup.xml c:\ c:\msocache\all users\{90140000-0054-0409-1000-0000000ff1ce}-c\setup.xml xml MD5 f11d38f5e08ff6023b55931f8836aee0 SHA1 728d5d4529be7a2e640df048a134f345c46b20d4 SHA256 88745aa40fb3f942c8df5b10a58eb80f95f8fdac2afb828962b8de98949dd55c File msocache\all users\{90140000-0054-0409-1000-0000000ff1ce}-c\visiolr.cab msocache\all 
users\{90140000-0054-0409-1000-0000000ff1ce}-c\visiolr.cab c:\ c:\msocache\all users\{90140000-0054-0409-1000-0000000ff1ce}-c\visiolr.cab cab MD5 8a0831714fbd219ad2cc0411a7666ae3 SHA1 3aa7f94dc84e5db74d8a202deb652c5811f18a2d SHA256 c5ba50319cf18e9e9c71ca4c724a6ea66676c9138efe8cd2b2ce59c920c7c8f7 File msocache\all users\{90140000-0054-0409-1000-0000000ff1ce}-c\visiomui.xml msocache\all users\{90140000-0054-0409-1000-0000000ff1ce}-c\visiomui.xml c:\ c:\msocache\all users\{90140000-0054-0409-1000-0000000ff1ce}-c\visiomui.xml xml File msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\onenotemui.xml msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\onenotemui.xml c:\ c:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\onenotemui.xml xml File msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\onotelr.cab msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\onotelr.cab c:\ c:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\onotelr.cab cab File msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\setup.xml msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\setup.xml c:\ c:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\setup.xml xml File msocache\all users\{90140000-00b4-0409-1000-0000000ff1ce}-c\projectmui.xml msocache\all users\{90140000-00b4-0409-1000-0000000ff1ce}-c\projectmui.xml c:\ c:\msocache\all users\{90140000-00b4-0409-1000-0000000ff1ce}-c\projectmui.xml xml File msocache\all users\{90140000-00b4-0409-1000-0000000ff1ce}-c\projlr.cab msocache\all users\{90140000-00b4-0409-1000-0000000ff1ce}-c\projlr.cab c:\ c:\msocache\all users\{90140000-00b4-0409-1000-0000000ff1ce}-c\projlr.cab cab File msocache\all users\{90140000-00b4-0409-1000-0000000ff1ce}-c\setup.xml msocache\all users\{90140000-00b4-0409-1000-0000000ff1ce}-c\setup.xml c:\ c:\msocache\all users\{90140000-00b4-0409-1000-0000000ff1ce}-c\setup.xml xml File msocache\all 
users\{90140000-00ba-0409-1000-0000000ff1ce}-c\groovelr.cab msocache\all users\{90140000-00ba-0409-1000-0000000ff1ce}-c\groovelr.cab c:\ c:\msocache\all users\{90140000-00ba-0409-1000-0000000ff1ce}-c\groovelr.cab cab File msocache\all users\{90140000-00ba-0409-1000-0000000ff1ce}-c\groovemui.xml msocache\all users\{90140000-00ba-0409-1000-0000000ff1ce}-c\groovemui.xml c:\ c:\msocache\all users\{90140000-00ba-0409-1000-0000000ff1ce}-c\groovemui.xml xml File msocache\all users\{90140000-00ba-0409-1000-0000000ff1ce}-c\setup.xml msocache\all users\{90140000-00ba-0409-1000-0000000ff1ce}-c\setup.xml c:\ c:\msocache\all users\{90140000-00ba-0409-1000-0000000ff1ce}-c\setup.xml xml File msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\branding.xml msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\branding.xml c:\ c:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\branding.xml xml File msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\officelr.cab msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\officelr.cab c:\ c:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\officelr.cab cab File msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\officemui.xml msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\officemui.xml c:\ c:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\officemui.xml xml File msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\officemuiset.xml msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\officemuiset.xml c:\ c:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\officemuiset.xml xml File msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\setup.xml msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\setup.xml c:\ c:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\setup.xml xml File msocache\all users\{90140000-0117-0409-1000-0000000ff1ce}-c\access.en-us\accessmui.xml msocache\all 
users\{90140000-0117-0409-1000-0000000ff1ce}-c\access.en-us\accessmui.xml c:\ c:\msocache\all users\{90140000-0117-0409-1000-0000000ff1ce}-c\access.en-us\accessmui.xml xml File msocache\all users\{90140000-0117-0409-1000-0000000ff1ce}-c\access.en-us\acclr.cab msocache\all users\{90140000-0117-0409-1000-0000000ff1ce}-c\access.en-us\acclr.cab c:\ c:\msocache\all users\{90140000-0117-0409-1000-0000000ff1ce}-c\access.en-us\acclr.cab cab Mutex 9A1966663AD6FDE5 WinRegistryKey SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F} HKEY_LOCAL_MACHINE LowerFilters LowerFilters 1632268 REG_MULTI_SZ WinRegistryKey SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318} HKEY_LOCAL_MACHINE UpperFilters UpperFilters 1632268 REG_MULTI_SZ WinRegistryKey SYSTEM\CurrentControlSet\Control\CrashControl HKEY_LOCAL_MACHINE DumpFilters DumpFilters 1632268 REG_MULTI_SZ WinService cscc Windows Client Side Caching DDriver cscc.dat SERVICE_BOOT_START SERVICE_KERNEL_DRIVER SocketAddress 192.168.0.0 445 TCP NetworkSocket 192.168.0.0 445 TCP Contains SocketAddress 192.168.0.0 139 TCP NetworkSocket 192.168.0.0 139 TCP Contains SocketAddress 192.168.0.1 445 TCP NetworkSocket 192.168.0.1 445 TCP Contains SocketAddress 192.168.0.1 139 TCP NetworkSocket 192.168.0.1 139 TCP Contains SocketAddress 192.168.0.2 445 TCP NetworkSocket 192.168.0.2 445 TCP Contains SocketAddress 192.168.0.2 139 TCP NetworkSocket 192.168.0.2 139 TCP Contains SocketAddress 192.168.0.3 445 TCP NetworkSocket 192.168.0.3 445 TCP Contains SocketAddress 192.168.0.3 139 TCP NetworkSocket 192.168.0.3 139 TCP Contains File STD_OUTPUT_HANDLE File STD_INPUT_HANDLE WinRegistryKey Software\Policies\Microsoft\Windows\System HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar 
PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun WinRegistryKey Software\Microsoft\Command Processor HKEY_CURRENT_USER DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun File STD_ERROR_HANDLE File STD_OUTPUT_HANDLE File STD_INPUT_HANDLE File STD_OUTPUT_HANDLE File STD_INPUT_HANDLE File STD_OUTPUT_HANDLE File STD_INPUT_HANDLE File STD_OUTPUT_HANDLE File STD_ERROR_HANDLE File 
Named pipe (File): \device\namedpipe\{2fdfcf81-bd74-41c3-9115-f628925cc568}
Console handles (File, repeated entries collapsed): STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE
Registry keys (WinRegistryKey):
  HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, values DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor, values DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun
Devices and volumes (File):
  \device\harddisk0\dr0
  \device\dcrypt
  c:

Analyzed Sample #19992, Malware Artifacts
  Sample-ID: #19992
  Job-ID: #12741
  This sample was analyzed by VMRay Analyzer 2.2.0 on a Windows 7 system.
  VTI Score: 0, based on VTI Database Version 2.6

Metadata of Sample File #19992
  Submission-ID: #20157
  Path: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ifzkkpwij.exe (exe)
  MD5: fbbdc39af1139aebba4da004475e8839
  SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0
  SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
  Relation: Opened_By

Metadata of Analysis for Job-ID #12741
  Timeout: False
  Architecture: x86 64-bit
  OS build: 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa), win7_64_sp1, True, None, Windows 7
  This is a property collection for additional information of the VMRay analysis.

VMRay Analyzer VTI rule matches (category, VTI rule score, rule, description, technique):
  File System, 1/5, vmray_create_file_in_os_dir: Create file "C:\Windows\infpub.dat" in the OS directory. (Modify operating system directory)
  Process, 1/5, vmray_create_process_with_hidden_window: The process "C:\Windows\system32\rundll32.exe" starts with a hidden window. (Create process with hidden window)
  Anti Analysis, 1/5, vmray_dynamic_api_usage_by_api: Resolves an above-average number of APIs. (Dynamic API usage)
  Process, 1/5, vmray_install_ipc_endpoint: Create mutex with name "9A1966663AD6FDE5". (Create system object)
  File System, 1/5, vmray_create_file_in_os_dir: Create file "C:\Windows\cscc.dat" in the OS directory. (Modify operating system directory)
  File System, 1/5, vmray_create_file_in_os_dir: Create file "C:\Windows\dispci.exe" in the OS directory. (Modify operating system directory)
  Process, 1/5, vmray_create_process_with_hidden_window: The process "C:\Windows\system32\cmd.exe" starts with a hidden window. (Create process with hidden window)
  Persistence, 1/5, vmray_install_signed_kernel_driver: Install signed kernel driver with service name "cscc". (Install kernel driver)
  File System, 1/5, vmray_create_file_in_os_dir: Create file "C:\Windows\41D0.tmp" in the OS directory. (Modify operating system directory)
  Process, 1/5, vmray_create_process_with_hidden_window: The process "C:\Windows\41D0.tmp" starts with a hidden window. (Create process with hidden window)
  Process, 1/5, vmray_read_from_remote_process: "c:\windows\41d0.tmp" reads from "c:\windows\system32\lsass.exe". (Read from memory of another process)
  Anti Analysis, 1/5, vmray_delay_execution_by_sleep: One thread sleeps more than 5 minutes. (Delay execution)
  File System, 4/5, vmray_modify_user_files: Modify the content of multiple user files. This is an indicator for an encryption attempt. (Modify content of user files)
  OS, 1/5, vmray_use_encryption_api: Uses an above-average number of encryption APIs. (Use encryption API)
  Device, 2/5, vmray_control_device_by_device_io_control: Control device "\\.\dcrypt" through API DeviceIOControl. (Control device)
  Device, 2/5, vmray_control_device_by_device_io_control: Control device "\\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1)" through API DeviceIOControl. (Control device)
  Device, 2/5, vmray_access_physical_drive: Access physical drive "\device\harddisk0\dr0". (Access physical drive)
  Device, 2/5, vmray_control_device_by_device_io_control: Control device "\\.\PhysicalDrive0" through API DeviceIOControl. (Control device)