VMRay Analyzer Report for Sample #1955750 (VMRay Analyzer 2.1.0)

Process tree
The export records relation edges per process (Child_Of, Created, Opened, Connected_To) but not their targets; only the counts are given below.

Process 1: PID 2376, Petya.dll, parent PID 264
  Command line: "C:\Windows\SysWOW64\AGakmVMR.exe" "C:\Users\HJRD1K~1\Desktop\Petya.dll" #1
  Working directory: C:\Windows\system32
  Image: c:\windows\syswow64\agakmvmr.exe
  Relations: Child_Of (3), Created (8), Opened (a long run of edges), Connected_To (1)
  Note: a trailing "#1" after a DLL path is the export-ordinal convention used when a DLL is invoked through rundll32; the report does not identify AGakmVMR.exe beyond its path.

Process 2: PID 2400, cmd.exe, parent PID 2376
  Command line: cmd.exe /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:15
  Working directory: C:\Windows\system32
  Image: c:\windows\syswow64\cmd.exe
  Relations: Child_Of (1), Opened (10)

Process 3: PID 2416, 6b4.tmp, parent PID 2376
  Command line: "C:\Users\HJRD1K~1\AppData\Local\Temp\6B4.tmp" \\.\pipe\{0D32AB4E-3BEE-44D4-A8CC-67331E9E7F80}
  Working directory: C:\Windows\system32
  Image: c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp
  Relations: Opened (4), Created (1)

Process 4: PID 2460, schtasks.exe, parent PID 2400
  Command line: schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:15
  Working directory: C:\Windows\system32
  Image: c:\windows\syswow64\schtasks.exe
  Relations: Child_Of (1), Opened (2)

Process 5: PID 1380, taskeng.exe, parent PID 860
  Command line: taskeng.exe {0D1FD9A9-3A1B-4884-B8AD-2AF772DB274D} S-1-5-21-1463843789-3877896393-3178144628-1000:1R6PFH\hJrD1KOKY DS8lUjv:Interactive:Highest[1]
  Working directory: C:\Windows\system32
  Image: c:\windows\system32\taskeng.exe

Process 6: PID 2512, cmd.exe, parent PID 2376
  Command line: cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
  Working directory: C:\Windows\system32
  Image: c:\windows\syswow64\cmd.exe
  Relations: Child_Of (5), Opened (10)

Process 7: PID 2532, wevtutil.exe, parent PID 2512
  Command line: wevtutil cl Setup
  Working directory: C:\Windows\system32
  Image: c:\windows\syswow64\wevtutil.exe

Process 8: PID 2544, wevtutil.exe, parent PID 2512
  Command line: wevtutil cl System
  Working directory: C:\Windows\system32
  Image: c:\windows\syswow64\wevtutil.exe

Process 9: PID 2556, wevtutil.exe, parent PID 2512
  Command line: wevtutil cl Security
  Working directory: C:\Windows\system32
  Image: c:\windows\syswow64\wevtutil.exe

Process 10: PID 2568, wevtutil.exe, parent PID 2512
  Command line: wevtutil cl Application
  Working directory: C:\Windows\system32
  Image: c:\windows\syswow64\wevtutil.exe

Process 11: PID 2580, fsutil.exe, parent PID 2512
  Command line: fsutil usn deletejournal /D C:
  Working directory: C:\Windows\system32
  Image: c:\windows\syswow64\fsutil.exe

Files (path, type, hashes where the export records them)

  c:\users\hjrd1k~1\desktop\petya.dll (dll)
    MD5 9a7ffe65e0912f9379ba6e8e0b079fde
    SHA1 532bea84179e2336caed26e31805ceaa7eec53dd
    SHA256 4b336c3cc9b6c691fe581077e3dd9ea7df3bf48f79e35b05cf87e079ec8e0651
    Note: these differ from the hashes of the submitted sample given in the analysis metadata; the export does not explain the difference, so treat the on-disk and submitted values as two distinct indicators.
  c:\windows\petya (also listed as C:\Windows\Petya)
  c:\
  \device\harddisk0\dr0
  c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp (tmp; listed twice, once without hashes)
    MD5 d41d8cd98f00b204e9800998ecf8427e
    SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    Note: these are the digests of zero-length content, i.e. the file was hashed while it was still empty. They are useless as indicators; the file is identified by the VTI "known malicious file" match, not by these values.
  c:\windows\dllhost.dat (dat)
    MD5 aeee996fd3484f28e5cd85fe26b6bdcd
    SHA1 cd23b7c9e0edef184930bc8e0ca2264f0608bcb3
    SHA256 f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5
  c:\bootsect.bak (bak)
  c:\readme.txt (txt)
    MD5 e0e4d4e05040bae07d42939024791284
    SHA1 4cc56bb43bb7fc38b3640a819e49161b03ec2924
    SHA256 d42dffe59c922d99fb0531e9f47e7f4d091d3848318fb0dd89b1e928b43f2785
  \device\namedpipe\{0d32ab4e-3bee-44d4-a8cc-67331e9e7f80}

Directory wildcard queries on C:\ (the export lists each path once; grouped here)
  C:\*
  C:\$Recycle.Bin\*
  C:\$Recycle.Bin\S-1-5-21-1463843789-3877896393-3178144628-1000\*
  C:\Boot\*
  C:\Boot\<sub>\* for: cs-CZ, da-DK, de-DE, el-GR, en-US, es-ES, fi-FI, Fonts, fr-FR, hu-HU, it-IT, ja-JP, ko-KR, nb-NO, nl-NL, pl-PL, pt-BR, pt-PT, ru-RU, sv-SE, tr-TR, zh-CN, zh-HK
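The process tree above is the part of this report a detection engineer can act on directly: a forced-reboot scheduled task, four event logs cleared, the USN journal deleted, a DLL launched by export ordinal from a user directory, and an executable in %TEMP% handed a named pipe. The following is an added example, not code from VMRay or from the report; it runs a small rule set over a constructed process-creation log whose command lines are copied from the report. The event shape (pid, ppid, image, cmdline), the field names and the rule names are assumptions made for this example, and the benign control record is invented.

```python
"""Flag the NotPetya-style process chain recorded in a VMRay process tree.

Added example, not part of the VMRay report. The log below is constructed:
its command lines are copied from the report, the record layout (Sysmon
event-1-like pid/ppid/image/cmdline) and the rule names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed log: one record per process in the report's tree, plus a benign
# control record (PID 3000) so the rules can be seen not firing.
SAMPLE_EVENTS = [
    ProcEvent(2376, 264, r"c:\windows\syswow64\agakmvmr.exe",
              r'"C:\Windows\SysWOW64\AGakmVMR.exe" "C:\Users\HJRD1K~1\Desktop\Petya.dll" #1'),
    ProcEvent(2400, 2376, r"c:\windows\syswow64\cmd.exe",
              r'cmd.exe /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:15'),
    ProcEvent(2416, 2376, r"c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp",
              r'"C:\Users\HJRD1K~1\AppData\Local\Temp\6B4.tmp" \\.\pipe\{0D32AB4E-3BEE-44D4-A8CC-67331E9E7F80}'),
    ProcEvent(2460, 2400, r"c:\windows\syswow64\schtasks.exe",
              r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:15'),
    ProcEvent(2512, 2376, r"c:\windows\syswow64\cmd.exe",
              r"cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:"),
    ProcEvent(2532, 2512, r"c:\windows\syswow64\wevtutil.exe", "wevtutil cl Setup"),
    ProcEvent(2556, 2512, r"c:\windows\syswow64\wevtutil.exe", "wevtutil cl Security"),
    ProcEvent(2580, 2512, r"c:\windows\syswow64\fsutil.exe", r"fsutil usn deletejournal /D C:"),
    ProcEvent(3000, 2000, r"c:\windows\system32\cmd.exe", r"cmd.exe /c dir C:\Users"),
]


def _has(pattern: str):
    """Build a case-insensitive predicate on the command line."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: rx.search(e.cmdline) is not None


RULES = [
    # Clearing any event log with wevtutil is rare outside planned maintenance.
    ("event_log_cleared", _has(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b")),
    # Deleting the USN journal removes the volume's file-change history.
    ("usn_journal_deleted", _has(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b")),
    # A scheduled task whose action is a forced restart (shutdown /r).
    ("scheduled_forced_reboot", _has(r"\bschtasks(\.exe)?\b.*?/Create\b.*?shutdown(\.exe)?\s+.*?/r\b")),
    # A DLL under \Users\ invoked by export ordinal ("<dll>" #N or <dll>,#N).
    ("dll_ordinal_launch_from_user_dir", _has(r"\\users\\[^\"]*\.dll\"?,?\s*#\d+")),
    # An image running from %TEMP% that receives a named pipe as its argument.
    ("temp_exe_with_named_pipe_arg",
     lambda e: re.search(r"\\appdata\\local\\temp\\", e.image, re.I) is not None
     and re.search(r"\\\\\.\\pipe\\", e.cmdline) is not None),
]


def scan(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, rule_name) for every event that matches a rule."""
    return [(e.pid, name) for e in events for name, pred in RULES if pred(e)]


def anti_forensic_chain(events: list[ProcEvent]) -> set[int]:
    """PIDs whose children both cleared event logs and deleted the USN journal.

    Either step alone is noisy; the pair under one parent is the report's
    cmd.exe /c chain and is a far stronger signal.
    """
    by_pid = {e.pid: e for e in events}
    rules_by_parent: dict[int, set[str]] = {}
    for pid, name in scan(events):
        rules_by_parent.setdefault(by_pid[pid].ppid, set()).add(name)
    wanted = {"event_log_cleared", "usn_journal_deleted"}
    return {ppid for ppid, names in rules_by_parent.items() if wanted <= names}


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
    print("anti-forensic chain parents:", sorted(anti_forensic_chain(SAMPLE_EVENTS)))
```

The per-event rules fire on PIDs 2376, 2400, 2416, 2460, 2512, 2532, 2556 and 2580 and stay silent on the control record; the chain rule returns both 2512 (the cmd.exe that ran the chain) and 2376 (its parent, because 2512's own command line matches both steps). The log-clearing and USN-deletion steps destroy exactly the local evidence an investigator would otherwise pull, so this detection is only useful where process-creation events are forwarded off the host before they can be cleared.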
  C:\Boot\zh-TW\*
  C:\PerfLogs\*
  C:\PerfLogs\Admin\*
  C:\Program Files\*
  C:\Program Files\Common Files\*
  C:\Program Files\Common Files\Microsoft Shared\*
  C:\Program Files\Common Files\Microsoft Shared\ink\*
  C:\Program Files\Common Files\Microsoft Shared\ink\<sub>\* for: ar-SA, bg-BG, cs-CZ, da-DK, de-DE, el-GR, en-US, es-ES, et-EE, fi-FI, fr-FR, he-IL, hr-HR, hu-HU, HWRCustomization, it-IT, ja-JP, ko-KR, lt-LT, lv-LV, nb-NO, nl-NL, pl-PL, pt-BR, pt-PT, ro-RO, ru-RU, sk-SK, sl-SI, sr-Latn-CS, sv-SE, th-TH, tr-TR, uk-UA, zh-CN, zh-TW
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\*
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\<sub>\* for: auxpad, keypad, main, numbers, oskmenu, osknumpad, oskpred, symbols, web
  C:\Program Files\Common Files\Microsoft Shared\MSInfo\* and MSInfo\en-US\*
  C:\Program Files\Common Files\Microsoft Shared\Stationery\*
  C:\Program Files\Common Files\Microsoft Shared\TextConv\* and TextConv\en-US\*
  C:\Program Files\Common Files\Microsoft Shared\Triedit\* and Triedit\en-US\*
  C:\Program Files\Common Files\Microsoft Shared\VC\*
  C:\Program Files\Common Files\Microsoft Shared\VGX\*
  C:\Program Files\Common Files\Services\*
  C:\Program Files\Common Files\SpeechEngines\*, SpeechEngines\Microsoft\*, SpeechEngines\Microsoft\TTS20\*, TTS20\en-US\*, TTS20\en-US\enu-dsk\*
  C:\Program Files\Common Files\System\*, System\ado\*, System\ado\en-US\*, System\en-US\*, System\msadc\*, System\msadc\en-US\*, System\Ole DB\*, System\Ole DB\en-US\*
  C:\Program Files\DVD Maker\*, DVD Maker\en-US\*, DVD Maker\Shared\*, DVD Maker\Shared\DvdStyles\*
  C:\Program Files\DVD Maker\Shared\DvdStyles\<sub>\* for: BabyBoy, BabyGirl, FlipPage, Full, HueCycle, LayeredTitles, Memories, OldAge, Performance
  (The recursive wildcard walk of the system volume is the file enumeration that precedes per-file encryption; the export stops the listing at DVD Maker.)

  C:\Users\HJRD1K~1\Desktop\Petya.dll (dll)

Network
  SocketAddress 192.168.0.0, port 445/TCP
  NetworkSocket 192.168.0.0, port 445/TCP (relation: Contains)
  Note: the socket entry records 192.168.0.0 while the VTI section records the share \\192.168.0.1\admin$; the export gives no further detail on the endpoint.

Handles and directories
  STD_OUTPUT_HANDLE, STD_INPUT_HANDLE
  C:\Windows\system32
  C:\Windows
  C:\Windows\System32

Registry keys
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
  HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun
  Note: these are the keys cmd.exe consults at startup; the export does not say whether they were read or written. AutoRun is a persistence location worth checking on a live host, but nothing in this report shows it being set.
Files and handles (second cmd.exe / schtasks.exe instance)
  C:\Windows\SysWOW64\cmd.exe (exe)
  STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE
  \device\namedpipe\{0d32ab4e-3bee-44d4-a8cc-67331e9e7f80}
  C:\Users\HJRD1K~1\AppData\Local\Temp\6B4.tmp (tmp)
  STD_OUTPUT_HANDLE
  C:\Windows\SysWOW64\schtasks.exe (exe)
  STD_OUTPUT_HANDLE, STD_INPUT_HANDLE
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
  HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun

Analyzed Sample #1955750: Malware Artifacts
  Sample-ID: #1955750
  Job-ID: #9982079
  Submission-ID: #2782989
  Analyzed by VMRay Analyzer 2.1.0 on a Windows 7 system
  VTI score: 100, based on VTI database version 2.5

Metadata of sample file #1955750
  Submitted path: C:\Users\hJrD1KOKY DS8lUjv\Desktop\Petya.dll (dll)
  MD5 71b6a493388e7d0b40c83ce903bc6b04
  SHA1 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
  SHA256 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
  Relation: Opened_By

Metadata of analysis for Job-ID #9982079
  RAM disk exhausted: False
  Architecture: x86 64-bit
  VM image: win7_64_sp1
  OS: Windows 7 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
  Unlabelled values in the export: True, 245.608 (the second is most likely the analysis duration in seconds, but the export gives no unit)
  (The export describes this block as a property collection for additional information of the VMRay analysis.)

VTI rule matches (category, score, rule, detail, VTI title)
  Process, 1/5, vmray_enable_process_privileges: Enable process privilege "SeShutdownPrivilege". (Escalate Privileges)
  Process, 1/5, vmray_enable_process_privileges: Enable process privilege "SeDebugPrivilege". (Escalate Privileges)
  Process, 2/5, vmray_enable_critical_process_privileges: Enable critical process privilege "SeTcbPrivilege". (Escalate Privileges)
  Process, 1/5, vmray_allocate_wx_page: Change the protection of a page from writable ("PAGE_READWRITE") to executable ("PAGE_EXECUTE_READ"). (Allocate a page with write and execute permissions)
  Anti Analysis, 1/5, vmray_dynamic_api_usage_by_api: Resolve an above-average number of APIs. (Dynamic API usage)
  Device, 2/5, vmray_access_physical_drive: Access physical drive "\device\harddisk0\dr0". (Access physical drive)
  Process, 1/5, vmray_create_process_with_hidden_window: The process "C:\Windows\system32\cmd.exe" starts with a hidden window. (Create process with hidden window)
  Process, 1/5, vmray_create_process_with_hidden_window: The process "C:\Users\HJRD1K~1\AppData\Local\Temp\6B4.tmp" starts with a hidden window. (Create process with hidden window)
  Process, 1/5, vmray_read_from_remote_process: "c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp" reads from "c:\windows\system32\lsass.exe". (Read from memory of another process)
  File System, 1/5, vmray_modify_windows_dir_by_file: Modify "c:\windows\dllhost.dat". (Modify operating system directory)
  Network, 3/5, vmray_connect_to_smb_share: Connect to a network share at \\192.168.0.1\admin$. (Connect to SMB share)
  OS, 1/5, vmray_use_encryption_api: Use an above-average number of encryption APIs. (Use encryption API)
  Device, 5/5, vmray_write_mbr_by_ginformation: Write 512 bytes to the master boot record (MBR). (Write master boot record (MBR))
  File System, 4/5, vmray_handle_with_malicious_files: File "c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp" is a known malicious file. (Handle with malicious files)
  PE, 1/5, vmray_drop_pe_file: Drop file "c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp". (Drop PE file)
  PE, 1/5, vmray_drop_pe_file: Drop file "c:\windows\dllhost.dat". (Drop PE file)
  PE, 1/5, vmray_execute_dropped_pe_file: Execute dropped file "c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp". (Execute dropped PE file)

Reading the matches together: SeDebugPrivilege is enabled and the dropped 6B4.tmp, started with a named pipe as its argument, reads lsass.exe memory; dllhost.dat is written into C:\Windows and a connection is made to an admin$ share on the network, which together describe credential harvesting followed by remote execution over SMB. Locally, 512 bytes are written to \device\harddisk0\dr0 (the 5/5 match) and a scheduled task forces a reboot, at which point whatever was written to the MBR runs; the wevtutil and fsutil chain removes the event logs and USN journal that would otherwise record all of this. Paths reported under C:\Windows\system32 for these 32-bit processes resolve to SysWOW64 through file-system redirection, which is why the image paths and the VTI text differ.
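The highest-scoring match is the 512-byte write to the physical drive, and the file list also records c:\bootsect.bak; the report does not say whether that file is a copy of the original sector. What an incident responder wants at this point is a way to examine a captured first sector offline and compare it with a trusted copy. The following is an added example, not code from VMRay or from the report: it parses a 512-byte MBR (boot code, four 16-byte partition entries at offset 446, 0x55AA signature at offset 510) and diffs it against a baseline. The sectors it works on are constructed inline; the finding names are assumptions made for this example.

```python
"""Parse a 512-byte MBR and compare it with a known-good baseline.

Added example, not part of the VMRay report. All sectors below are
constructed test data; the finding names are assumptions of this example.
"""
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446      # start of the four 16-byte partition entries
SIG_OFFSET = 510     # 0x55 0xAA on disk, read little-endian as 0xAA55
ENTRY_FMT = "<BBBBBBBBII"  # status, CHS start(3), type, CHS end(3), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, non-empty partition entries and a hash of the boot code."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    signature = struct.unpack_from("<H", sector, SIG_OFFSET)[0]
    partitions = []
    for i in range(4):
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": signature == 0xAA55,
        "partitions": partitions,
        "code_sha256": hashlib.sha256(sector[:PT_OFFSET]).hexdigest(),
    }


def diff_mbr(current: bytes, baseline: bytes) -> list[str]:
    """Findings for `current` relative to a trusted `baseline` sector.

    A replaced bootloader normally keeps the 0x55AA signature and often the
    partition table, so the boot-code hash is the comparison that matters;
    the signature check alone only catches a wiped or truncated sector.
    """
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("signature_missing")
    if cur["code_sha256"] != base["code_sha256"]:
        findings.append("boot_code_changed")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition_table_changed")
    return findings


def build_sector(boot_code: bytes, partitions, signature: bytes = b"\x55\xAA") -> bytes:
    """Assemble a test sector from boot code, (status, type, lba, count) tuples and a signature."""
    code = boot_code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET]
    table = b"".join(struct.pack(ENTRY_FMT, s, 0, 0, 0, t, 0, 0, 0, lba, n)
                     for s, t, lba, n in partitions)
    return code + table.ljust(64, b"\x00") + signature


# Constructed sectors: a baseline with one bootable NTFS-type (0x07) partition,
# the same layout with different boot code, and the baseline with its signature zeroed.
_PART = [(0x80, 0x07, 2048, 204800)]
BASELINE = build_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 8, _PART)
TAMPERED = build_sector(bytes((i * 73 + 11) & 0xFF for i in range(PT_OFFSET)), _PART)
NO_SIG = BASELINE[:SIG_OFFSET] + b"\x00\x00"


if __name__ == "__main__":
    print("baseline:", parse_mbr(BASELINE))
    print("tampered vs baseline:", diff_mbr(TAMPERED, BASELINE))
    print("no signature vs baseline:", diff_mbr(NO_SIG, BASELINE))
```

On a real case the `current` sector comes from the first 512 bytes of a forensic image of \device\harddisk0\dr0 and the baseline from a pre-incident image or a golden build; if c:\bootsect.bak turns out to hold the original sector it can serve as the baseline, but that must be verified rather than assumed from the file name.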