VMRay Analyzer Report for Sample #1555874
VMRay Analyzer 3.2.2
URI kalpvedafoundation.com | Resolved_To | Address 192.185.76.89
URI onedrive.live.com | Resolved_To | Address 13.107.42.13
URI odc-web-geo.onedrive.akadns.net | Resolved_To
URI odc-web-brs.onedrive.akadns.net | Resolved_To
URI odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net | Resolved_To
URI l-0004.l-msedge.net | Resolved_To
URI tarot-sunce.com | Resolved_To | Address 178.218.167.4
Process 1: winword.exe (PID 2876, parent PID 1112)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n
  Working directory: C:\Users\aETAdzjz\Desktop\
  Image path: c:\program files\microsoft office\root\office16\winword.exe
  Relations: Child_Of

Process 2: eqnedt32.exe (PID 3280, parent PID 592)
  Command line: "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Working directory: C:\Windows\system32\
  Image path: c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe
  Relations: Child_Of, Created

Process 4: fghvhghvgfdgfhchfg.exe (PID 3380, parent PID 3280)
  Command line: C:\Users\aETAdzjz\AppData\Roaming\fghvhghvgfdgfhchfg.exe
  Working directory: C:\Windows\system32\
  Image path: c:\users\aetadzjz\appdata\roaming\fghvhghvgfdgfhchfg.exe
  Relations: Child_Of, Created, Created, Opened

Process 5: fghvhghvgfdgfhchfg.exe (PID 3448, parent PID 3380)
  Command line: C:\Users\aETAdzjz\AppData\Roaming\fghvhghvgfdgfhchfg.exe
  Working directory: C:\Windows\system32\
  Image path: c:\users\aetadzjz\appdata\roaming\fghvhghvgfdgfhchfg.exe
  Relations: Child_Of, Created, Created, Opened (154 entries)

Process 14: cmd.exe (PID 3704, parent PID 3448)
  Command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "fghvhghvgfdgfhchfg.exe"
  Working directory: C:\Users\aETAdzjz\AppData\Roaming\
  Image path: c:\windows\syswow64\cmd.exe
  Relations: Child_Of, Created, Opened, Opened, Opened

Process 15: timeout.exe (PID 3740, parent PID 3704)
  Command line: C:\Windows\system32\timeout.exe 3
  Working directory: C:\Users\aETAdzjz\AppData\Roaming\
  Image path: c:\windows\syswow64\timeout.exe
Mutex
WinRegistryKey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
Mutex UA9D9D109-343A2EC6-89B2AFB8-7F3B18F0-E80C0038
WinRegistryKey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography (MachineGuid)
WinRegistryKey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion (ProductName)
WinRegistryKey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography (MachineGuid)
WinRegistryKey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion (ProductName)
WinRegistryKey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography (MachineGuid)
WinRegistryKey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion (ProductName)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer (Version)
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 (Email)
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 (POP3 Password, SMTP Password, Email, POP3 Server, Email, POP3 User, POP3 Server, POP3 Port, IMAP Server, SMTP Server, Email, SMTP User, SMTP Server, SMTP Port)
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 (Email)
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
WinRegistryKey HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\
WinRegistryKey HKEY_CURRENT_USER\Software\monero-project\monero-core (wallet_path)
WinRegistryKey HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt (strDataDir)
WinRegistryKey HKEY_CURRENT_USER\Software\BitcoinGold\BitcoinGold-Qt (strDataDir)
WinRegistryKey HKEY_CURRENT_USER\Software\BitCore\BitCore-Qt (strDataDir)
WinRegistryKey HKEY_CURRENT_USER\Software\Litecoin\Litecoin-Qt (strDataDir)
WinRegistryKey HKEY_CURRENT_USER\Software\BitcoinABC\BitcoinABC-Qt (strDataDir)
WinRegistryKey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography (MachineGuid)
WinRegistryKey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion (ProductName)
WinRegistryKey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion (ProductName)
WinRegistryKey HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (ProcessorNameString)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40 (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US) (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WIC (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E} (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757 (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173 (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860 (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655 (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743 (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063 (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573 (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F03217071FF} (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a} (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{582EA838-9199-3518-A05C-DB09462F68EC} (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{68306422-7C57-373F-8860-D26CE4BA2A15} (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2} (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AA0000000001} (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9} (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB} (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346} (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d} (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757 (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173 (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860 (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655 (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743 (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063 (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573 (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{f325f05b-f963-4640-a43b-c8a494cdda0f} (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185} (DisplayName, DisplayVersion)
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe (DisplayName, DisplayVersion)
WinRegistryKey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography (MachineGuid)
WinRegistryKey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion (ProductName)
WinRegistryKey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion (ProductName)
WinRegistryKey HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor (DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun)
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Command Processor (DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun)
Analyzed Sample #1555874
Malware Artifacts
Sample-ID: #1555874
Job-ID: #4682824
This sample was analyzed by VMRay Analyzer 3.2.2 on a Windows 7 system
VTI Score: 100 (based on VTI Database Version 3.6)
Metadata of Sample File #1555874
Submission-ID: #5397528
Filename: 5ff8a87fd7626d4beab7a5be7f285f1d1d64478509f27aca6fd9deb3f69155e7rtf
MD5: 1cc146d47918d23cee86a97c77f87918
SHA1: 3d07f8db1010627f1481b5fde714185215971935
SHA256: 5ff8a87fd7626d4beab7a5be7f285f1d1d64478509f27aca6fd9deb3f69155e7
Opened_By
Metadata of Analysis for Job-ID #4682824
False
Timeout
True
250.508
YKYD69Q
win7_64_sp1-mso2016
x86 64-bit
Windows 7
6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
aETAdzjz
YKYD69Q
This is a property collection holding additional information about the VMRay analysis
VMRay Analyzer
Execution | VTI rule score 4/5 | vmray_document_creates_process | Document creates process "C:\Users\aETAdzjz\AppData\Roaming\fghvhghvgfdgfhchfg.exe". | Document tries to create process
Anti Analysis | VTI rule score 5/5 | vmray_evade_debugger_by_nt_set_information_thread | Hides Thread via API "NtSetInformationThread". | Tries to evade debugger
Anti Analysis | VTI rule score 2/5 | vmray_detect_debugger_by_api | Check via API "NtQueryInformationProcess". | Tries to detect debugger
Discovery | VTI rule score 3/5 | vmray_read_machine_guid | Reads the cryptographic machine GUID from registry. | Reads system data
Mutex | VTI rule score 1/5 | vmray_create_named_mutex | Creates mutex with name "UA9D9D109-343A2EC6-89B2AFB8-7F3B18F0-E80C0038". | Creates mutex
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Mozilla Firefox" by file. | Reads sensitive browser data
Discovery | VTI rule score 2/5 | vmray_recon_app_data_by_file | Tries to gather information about application "Mozilla Firefox" by file. | Possibly does reconnaissance
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Comodo IceDragon" by file. | Reads sensitive browser data
Discovery | VTI rule score 2/5 | vmray_recon_app_data_by_file | Tries to gather information about application "Comodo IceDragon" by file. | Possibly does reconnaissance
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Cyberfox" by file. | Reads sensitive browser data
Discovery | VTI rule score 2/5 | vmray_recon_app_data_by_file | Tries to gather information about application "Cyberfox" by file. | Possibly does reconnaissance
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Google Chrome" by file. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Chrome Canary" by file. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Yandex Browser" by file. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Comodo Dragon" by file. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Amigo" by file. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Orbitum" by file. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Chromium" by file. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Vivaldi" by file. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Sputnik" by file. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Kometa" by file. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Uran" by file. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Epic Privacy Browser" by file. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "CocCoc" by file. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "CentBrowser" by file. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "7Star" by file. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Elements Browser" by file. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Chedot" by file. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Torch" by file. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_vaulted_ie_creds_by_api | Trying to read credentials of web browser "Internet Explorer" by reading from the system's credential vault. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_registry | Trying to read sensitive data of web browser "Internet Explorer / Edge" by registry. | Reads sensitive browser data
Data Collection | VTI rule score 2/5 | vmray_read_mail_creds_by_registry | Trying to read sensitive data of mail application "Microsoft Outlook" by registry. | Reads sensitive mail data
Data Collection | VTI rule score 2/5 | vmray_read_ftp_creds_by_file | Trying to read sensitive data of ftp application "FileZilla" by file. | Reads sensitive ftp data
Discovery | VTI rule score 2/5 | vmray_recon_app_data_by_file | Tries to gather information about application "FileZilla" by file. | Possibly does reconnaissance
Data Collection | VTI rule score 2/5 | vmray_read_other_app_creds_by_registry | Trying to read sensitive data of application "WinSCP" by registry. | Reads sensitive application data
Discovery | VTI rule score 2/5 | vmray_recon_app_data_by_registry | Tries to gather information about application "WinSCP" by registry. | Possibly does reconnaissance
Data Collection | VTI rule score 2/5 | vmray_read_other_app_creds_by_file | Trying to read sensitive data of application "Pidgin" by file. | Reads sensitive application data
Discovery | VTI rule score 2/5 | vmray_recon_app_data_by_file | Tries to gather information about application "Pidgin" by file. | Possibly does reconnaissance
Data Collection | VTI rule score 2/5 | vmray_read_browser_creds_by_file | Trying to read sensitive data of web browser "Internet Explorer / Edge" by file. | Reads sensitive browser data
Data Collection | VTI rule score 3/5 | vmray_read_wallet_location_by_file | Reads a cryptocurrency wallet. | Reads cryptocurrency wallet locations
Data Collection | VTI rule score 3/5 | vmray_read_wallet_location_by_file | Reads the cryptocurrency wallet "Electrum Bitcoin Wallet" for "BTC". | Reads cryptocurrency wallet locations
Discovery | VTI rule score 2/5 | vmray_recon_app_data_by_registry | Tries to gather information about application "Monero" by registry. | Possibly does reconnaissance
Data Collection | VTI rule score 3/5 | vmray_read_wallet_location_by_registry | Reads the cryptocurrency wallet "Monero". | Reads cryptocurrency wallet locations
Discovery | VTI rule score 2/5 | vmray_recon_app_data_by_registry | Tries to gather information about application "Bitcoin-Qt" by registry. | Possibly does reconnaissance
Data Collection | VTI rule score 3/5 | vmray_read_wallet_location_by_registry | Reads the cryptocurrency wallet "Bitcoin-Qt". | Reads cryptocurrency wallet locations
Discovery | VTI rule score 3/5 | vmray_enumerate_processes | Enumerates running processes. | Enumerates running processes
Execution | VTI rule score 4/5 | vmray_document_creates_process | Document creates process "C:\Windows\system32\cmd.exe". | Document tries to create process
Execution | VTI rule score 4/5 | vmray_document_creates_process | Document creates process "C:\Windows\system32\timeout.exe". | Document tries to create process
Hide Tracks | VTI rule score 4/5 | vmray_delete_executed_executable | Deletes executed executable "c:\users\aetadzjz\appdata\roaming\fghvhghvgfdgfhchfg.exe". | Deletes file after execution
Exploit | VTI rule score 5/5 | vmray_exploit_office_by_eqnedt32 | Exploits Equation editor vulnerability CVE-2017-11882 or CVE-2018-0802 in MS Office. | Exploits a vulnerability in MS Office
Heuristics | VTI rule score 1/5 | vmray_has_embedded_files | Document contains unknown embedded files. | Contains embedded files
Obfuscation | VTI rule score 1/5 | vmray_overwrite_code | Overwrites code to possibly hide behavior. | Overwrites code
System Modification | VTI rule score 5/5 | vmray_create_many_files | Creates above average number of files. | Creates an unusually large number of files
Anti Analysis | VTI rule score 3/5 | vmray_direct_syscall_api_usage | Makes a direct system call to "NtProtectVirtualMemory". | Makes direct system call to possibly evade hooking based sandboxes
Anti Analysis | VTI rule score 3/5 | vmray_direct_syscall_api_usage | Makes a direct system call to "NtAllocateVirtualMemory". | Makes direct system call to possibly evade hooking based sandboxes
Antivirus | VTI rule score 5/5 | vmray_av_malicious_match | Local AV detected the sample itself as "Exploit.RTF-ObfsObjDat.Gen". | Malicious content was detected by heuristic scan
Antivirus | VTI rule score 5/5 | vmray_av_malicious_match | Local AV detected "Trojan.GenericKD.44426822" in the response data of URL "http://kalpvedafoundation.com/amour/linkder.exe". | Malicious content was detected by heuristic scan
Antivirus | VTI rule score 5/5 | vmray_av_malicious_match | Local AV detected the downloaded file "C:\Users\aETAdzjz\AppData\Roaming\fghvhghvgfdgfhchfg.exe" as "Trojan.GenericKD.44426822". | Malicious content was detected by heuristic scan
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-console-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-datetime-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-debug-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-errorhandling-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-file-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-file-l1-2-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-file-l2-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-handle-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-heap-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-interlocked-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-libraryloader-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-localization-l1-2-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-memory-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-namedpipe-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-processenvironment-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-processthreads-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-processthreads-l1-1-1.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-profile-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-rtlsupport-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-string-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-synch-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-synch-l1-2-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-sysinfo-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-timezone-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-core-util-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-crt-conio-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-crt-convert-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-crt-environment-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-crt-filesystem-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-crt-heap-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-crt-locale-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-crt-math-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-crt-multibyte-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-crt-private-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-crt-process-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-crt-runtime-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-crt-stdio-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-crt-string-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-crt-time-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/api-ms-win-crt-utility-l1-1-0.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/freebl3.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/mozglue.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/msvcp140.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/nss3.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/nssdbm3.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/softokn3.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/ucrtbase.dll".
Drops PE file
Execution
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\aETAdzjz\AppData\Local\Temp\41E341C3\/vcruntime140.dll".
Drops PE file
Exploit
VTI rule match with VTI rule score 4/5
vmray_possible_exploitation_doc
Office document may try to exploit a common vulnerability or exposure (CVE): CVE-2017-11882.
Possible exploitation attempt
Heuristics
VTI rule match with VTI rule score 2/5
vmray_has_suspicious_class_identifier
Office document contains suspicious class identifier "{00021700-0000-0000-C000-000000000046}" with IOCs.
Contains known suspicious class identifier
Injection
VTI rule match with VTI rule score 5/5
vmray_modify_memory
"c:\users\aetadzjz\appdata\roaming\fghvhghvgfdgfhchfg.exe" modifies memory of "c:\users\aetadzjz\appdata\roaming\fghvhghvgfdgfhchfg.exe".
Writes into the memory of a process running from a created or modified executable
Injection
VTI rule match with VTI rule score 5/5
vmray_modify_control_flow_non_system
"c:\users\aetadzjz\appdata\roaming\fghvhghvgfdgfhchfg.exe" alters context of "c:\users\aetadzjz\appdata\roaming\fghvhghvgfdgfhchfg.exe".
Modifies control flow of a process running from a created or modified executable
Network Connection
VTI rule match with VTI rule score 2/5
vmray_download_file_by_http_pcap_only
Downloads file via http from "http://kalpvedafoundation.com/amour/linkder.exe".
Downloads file
Network Connection
VTI rule match with VTI rule score 4/5
vmray_download_file_by_http_full
Downloads file via http from "tarot-sunce.com/linko/PL341/index.php".
Downloads file
Network Connection
VTI rule match with VTI rule score 2/5
vmray_establish_http_connection
URL "tarot-sunce.com/linko/PL341/index.php".
Connects to HTTP server
Network Connection
VTI rule match with VTI rule score 2/5
vmray_establish_http_connection
URL "http://kalpvedafoundation.com/amour/linkder.exe ".
Connects to HTTP server
Network Connection
VTI rule match with VTI rule score 2/5
vmray_establish_http_connection
URL "http://onedrive.live.com/download?cid=4C3F5C65A99DA195&resid=4C3F5C65A99DA195%21241&authkey=AGyBKeKMs6qKShY".
Connects to HTTP server
Reputation
VTI rule match with VTI rule score 5/5
vmray_known_malicious_file
Reputation data labels file "C:\Users\aETAdzjz\AppData\Roaming\fghvhghvgfdgfhchfg.exe" as "Mal/Generic-S".
Known malicious file
Static Analysis Remark
VTI rule match with VTI rule score 1/5
vmray_static_analysis_parser_error
Static engine was unable to completely parse the analyzed file: C:\Users\aETAdzjz\Desktop\API .doc.rtf.
Unparsable sections in file
YARA
VTI rule match with VTI rule score 3/5
vmray_yara_match_mid
Rule "Shellcode_Find_kernel32_PEB" from ruleset "Generic" has matched on a memory dump for process "fghvhghvgfdgfhchfg.exe".
Suspicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "Azorult_v3_Connection" from ruleset "Malware" has matched on request data of URL "tarot-sunce.com/linko/PL341/index.php".
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "GuLoader_Shellcode" from ruleset "GuLoader" has matched on a memory dump for process "fghvhghvgfdgfhchfg.exe".
Malicious content matched by YARA rules
Data Collection
VTI rule match with VTI rule score 5/5
vmray_meta_classify_spyware_for_excessive_infosteal
Tries to read sensitive data of: Mozilla Firefox, Internet Explorer, CocCoc, BTC, Microsoft Outlook, Sputnik, Cyberfox, Kometa, Bitcoin-Qt, Comodo IceDragon, Monero, WinSCP, Comodo Dragon, Unknown, Orbitum, Chromium, Amigo, Vivaldi, Chrome Canary, Elements Browser, Epic Privacy Browser, FileZilla, Torch, Yandex Browser, Pidgin, 7Star, Chedot, Uran, CentBrowser, Internet Explorer / Edge, Google Chrome.
Exhibits Spyware behavior