VMRay Analyzer Report for Sample #1142772
VMRay Analyzer 3.2.2
Network
URI: go.microsoft.com (Resolved_To Address 23.197.15.213)
URI: go.microsoft.com.edgekey.net (Resolved_To)
URI: e11290.dspg.akamaiedge.net (Resolved_To)
Processes (process number, PID, parent PID, image name; command line, working directory, image path)
Process 1 | PID 5072 | PPID 1376 | cmtppelyjtipf5ha.exe
  Command line: "C:\Users\FD1HVy\Desktop\cMtPPElYjtIPF5hA.exe"
  Working directory: C:\Users\FD1HVy\Desktop\
  Image: c:\users\fd1hvy\desktop\cmtppelyjtipf5ha.exe
Process 2 | PID 236 | PPID 5072 | control:bin
  Command line: C:\Users\FD1HVy\AppData\Roaming\Control:bin -r
  Working directory: C:\Users\FD1HVy\Desktop\
  Image: c:\users\fd1hvy\appdata\roaming\control:bin
Process 3 | PID 3924 | PPID 236 | vssadmin.exe
  Command line: C:\WINDOWS\system32\vssadmin.exe Delete Shadows /All /Quiet
  Working directory: C:\Users\FD1HVy\Desktop\
  Image: c:\windows\system32\vssadmin.exe
Process 5 | PID 4848 | PPID 236 | takeown.exe
  Command line: C:\WINDOWS\system32\takeown.exe /F C:\WINDOWS\system32\Manufacturing.exe
  Working directory: C:\Users\FD1HVy\Desktop\
  Image: c:\windows\syswow64\takeown.exe
Process 7 | PID 4608 | PPID 236 | icacls.exe
  Command line: C:\WINDOWS\system32\icacls.exe C:\WINDOWS\system32\Manufacturing.exe /reset
  Working directory: C:\Users\FD1HVy\Desktop\
  Image: c:\windows\syswow64\icacls.exe
Process 9 | PID 4 | PPID 18446744073709551615 | System
  Command line: System
  Working directory: None
  Image: System
Process 10 | PID 572 | PPID 476 | services.exe
  Command line: C:\WINDOWS\system32\services.exe
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\services.exe
Process 11 | PID 676 | PPID 572 | svchost.exe
  Command line: C:\WINDOWS\system32\svchost.exe -k DcomLaunch
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\svchost.exe
Process 12 | PID 772 | PPID 572 | svchost.exe
  Command line: C:\WINDOWS\system32\svchost.exe -k RPCSS
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\svchost.exe
Process 13 | PID 940 | PPID 572 | svchost.exe
  Command line: C:\WINDOWS\system32\svchost.exe -k netsvcs
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\svchost.exe
Process 14 | PID 960 | PPID 572 | svchost.exe
  Command line: C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\svchost.exe
Process 15 | PID 984 | PPID 572 | svchost.exe
  Command line: C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\svchost.exe
Process 16 | PID 1016 | PPID 572 | svchost.exe
  Command line: C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\svchost.exe
Process 17 | PID 848 | PPID 572 | svchost.exe
  Command line: C:\WINDOWS\system32\svchost.exe -k LocalService
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\svchost.exe
Process 18 | PID 1076 | PPID 572 | svchost.exe
  Command line: C:\WINDOWS\System32\svchost.exe -k NetworkService
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\svchost.exe
Process 19 | PID 1364 | PPID 572 | svchost.exe
  Command line: C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\svchost.exe
Process 20 | PID 1424 | PPID 572 | svchost.exe
  Command line: C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\svchost.exe
Process 21 | PID 1432 | PPID 572 | svchost.exe
  Command line: C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\svchost.exe
Process 22 | PID 1456 | PPID 572 | svchost.exe
  Command line: C:\WINDOWS\system32\svchost.exe -k appmodel
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\svchost.exe
Process 23 | PID 1512 | PPID 572 | spoolsv.exe
  Command line: C:\WINDOWS\System32\spoolsv.exe
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\spoolsv.exe
Process 24 | PID 1692 | PPID 572 | svchost.exe
  Command line: C:\WINDOWS\system32\svchost.exe -k wsappx
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\svchost.exe
Process 25 | PID 1824 | PPID 572 | svchost.exe
  Command line: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\svchost.exe
Process 26 | PID 2072 | PPID 572 | officeclicktorun.exe
  Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  Working directory: C:\WINDOWS\system32\
  Image: c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
Process 27 | PID 2124 | PPID 572 | securityhealthservice.exe
  Command line: C:\WINDOWS\system32\SecurityHealthService.exe
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\securityhealthservice.exe
Process 28 | PID 4680 | PPID 572 | svchost.exe
  Command line: C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\svchost.exe
Process 29 | PID 912 | PPID 572 | trustedinstaller.exe
  Command line: C:\WINDOWS\servicing\TrustedInstaller.exe
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\servicing\trustedinstaller.exe
Process 30 | PID 3884 | PPID 572 | sppsvc.exe
  Command line: C:\WINDOWS\system32\sppsvc.exe
  Working directory: C:\WINDOWS
  Image: c:\windows\system32\sppsvc.exe
Process 31 | PID 4864 | PPID 572 | manufacturing.exe
  Command line: C:\WINDOWS\SysWOW64\Manufacturing.exe -s
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\syswow64\manufacturing.exe
Process 32 | PID 4932 | PPID 940 | taskhostw.exe
  Command line: taskhostw.exe -RegisterDevice -SettingChange -Full
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\taskhostw.exe
Process 33 | PID 3376 | PPID 940 | sc.exe
  Command line: C:\WINDOWS\system32\sc.exe start wuauserv
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\sc.exe
Process 34 | PID 3524 | PPID 4864 | cmd.exe
  Command line: cmd /c choice /t 10 /d y & attrib -h "C:\WINDOWS\SysWOW64\Manufacturing.exe" & del "C:\WINDOWS\SysWOW64\Manufacturing.exe"
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\syswow64\cmd.exe
Process 36 | PID 3256 | PPID 940 | wmiadap.exe
  Command line: wmiadap.exe /F /T /R
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\wbem\wmiadap.exe
Process 37 | PID 492 | PPID 236 | cmd.exe
  Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\FD1HVy\AppData\Roaming\Control" & del "C:\Users\FD1HVy\AppData\Roaming\Control"
  Working directory: C:\Users\FD1HVy\Desktop\
  Image: c:\windows\syswow64\cmd.exe
Process 39 | PID 3804 | PPID 5072 | cmd.exe
  Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\FD1HVy\Desktop\cMtPPElYjtIPF5hA.exe" & del "C:\Users\FD1HVy\Desktop\cMtPPElYjtIPF5hA.exe"
  Working directory: C:\Users\FD1HVy\Desktop\
  Image: c:\windows\syswow64\cmd.exe
Process 42 | PID 176 | PPID 3524 | choice.exe
  Command line: choice /t 10 /d y
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\syswow64\choice.exe
Process 43 | PID 88 | PPID 492 | choice.exe
  Command line: choice /t 10 /d y
  Working directory: C:\Users\FD1HVy\Desktop\
  Image: c:\windows\syswow64\choice.exe
Process 44 | PID 784 | PPID 3804 | choice.exe
  Command line: choice /t 10 /d y
  Working directory: C:\Users\FD1HVy\Desktop\
  Image: c:\windows\syswow64\choice.exe
Process 45 | PID 5016 | PPID 676 | wmiprvse.exe
  Command line: C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\wbem\wmiprvse.exe
Process 46 | PID 2640 | PPID 3524 | attrib.exe
  Command line: attrib -h "C:\WINDOWS\SysWOW64\Manufacturing.exe"
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\syswow64\attrib.exe
Process 47 | PID 2452 | PPID 492 | attrib.exe
  Command line: attrib -h "C:\Users\FD1HVy\AppData\Roaming\Control"
  Working directory: C:\Users\FD1HVy\Desktop\
  Image: c:\windows\syswow64\attrib.exe
Process 48 | PID 4460 | PPID 3804 | attrib.exe
  Command line: attrib -h "C:\Users\FD1HVy\Desktop\cMtPPElYjtIPF5hA.exe"
  Working directory: C:\Users\FD1HVy\Desktop\
  Image: c:\windows\syswow64\attrib.exe
Process 49 | PID 3216 | PPID 984 | mpcmdrun.exe
  Command line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
  Working directory: C:\WINDOWS\system32\
  Image: c:\program files\windows defender\mpcmdrun.exe
Process 51 | PID 4764 | PPID 676 | sppextcomobj.exe
  Command line: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\sppextcomobj.exe
Process 52 | PID 2920 | PPID 4764 | slui.exe
  Command line: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\slui.exe
Process 53 | PID 3760 | PPID 676 | slui.exe
  Command line: C:\WINDOWS\System32\slui.exe -Embedding
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\slui.exe
Process 55 | PID 4872 | PPID 940 | taskhostw.exe
  Command line: taskhostw.exe -RegisterDevice -ProtectionStateChanged -FreeNetworkOnly -NoLocation
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\taskhostw.exe
Process 56 | PID 3456 | PPID 572 | trustedinstaller.exe
  Command line: C:\WINDOWS\servicing\TrustedInstaller.exe
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\servicing\trustedinstaller.exe
Process 57 | PID 3836 | PPID 676 | tiworker.exe
  Command line: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.15063.410_none_9e914f9d2d85dacb\TiWorker.exe -Embedding
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.15063.410_none_9e914f9d2d85dacb\tiworker.exe
Process 58 | PID 4672 | PPID 676 | wmiprvse.exe
  Command line: C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding
  Working directory: C:\WINDOWS\system32\
  Image: c:\windows\system32\wbem\wmiprvse.exe
Artifacts
WinRegistryKey: HKEY_CLASSES_ROOT\interfacE\{b196b287-bab4-101a-b69c-00aa00341d07}
WinRegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
WinService: Manufacturing
  Image path: C:\WINDOWS\system32\Manufacturing.exe -s
  Start type: SERVICE_DEMAND_START
  Service type: SERVICE_WIN32_OWN_PROCESS
Mutex: Global\[7746Arbiter
WinService: wuauserv
WinRegistryKey: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
WinRegistryKey: HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  Values: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun
WinRegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  Values: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun
Analyzed Sample #1142772
Malware Artifacts
Sample-ID: #1142772
Job-ID: #3423467
This sample was analyzed by VMRay Analyzer 3.2.2 on a Windows 10 Redstone 2 system
VTI Score: 100 (based on VTI Database Version 3.6)
Metadata of Sample File #1142772
Submission-ID: #4834644
File name: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288aexe
MD5: 2cc4534b0dd0e1c8d5b89644274a10c1
SHA1: 735ee2c15c0b7172f65d39f0fd33b9186ee69653
SHA256: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a
Metadata of Analysis for Job-ID #3423467
Termination: Timeout
600.063
VM: win10_64_rs2
Architecture: x86 64-bit
OS: Windows 10 Redstone 2
Build: 10.0.15063.540 (f6f48955-5489-4b24-b4df-942361f0730d)
User: FD1HVy
NQDPDE
VTI rule matches (category, VTI rule score, rule, short label; then the matched behavior)
Obfuscation, score 2/5, vmray_dynamic_api_usage_by_api (Resolves APIs dynamically to possibly evade static detection)
  Resolves an unusually high number of APIs.
Hide Tracks, score 2/5, vmray_hide_file_by_file_attr_hidden (Hides files)
  Hides the file "C:\Users\FD1HVy\AppData\Roaming\Control" by setting its "hidden" attribute.
Hide Tracks, score 2/5, vmray_use_alternate_data_stream (Uses Alternate Data Stream (ADS) for inter-process communication)
  Uses alternate data stream in "c:\users\fd1hvy\appdata\roaming\control:bin".
Hide Tracks, score 1/5, vmray_create_process_with_hidden_window (Creates process with hidden window)
  The process "C:\Users\FD1HVy\AppData\Roaming\Control:bin" starts with hidden window.
Hide Tracks, score 1/5, vmray_create_process_with_hidden_window (Creates process with hidden window)
  The process "C:\WINDOWS\system32\vssadmin.exe" starts with hidden window.
System Modification, score 1/5, vmray_create_file_in_os_dir (Modifies operating system directory)
  Creates file "C:\WINDOWS\system32\Manufacturing.exe" in the OS directory.
Hide Tracks, score 1/5, vmray_create_process_with_hidden_window (Creates process with hidden window)
  The process "C:\WINDOWS\system32\takeown.exe" starts with hidden window.
Hide Tracks, score 1/5, vmray_create_process_with_hidden_window (Creates process with hidden window)
  The process "C:\WINDOWS\system32\icacls.exe" starts with hidden window.
Persistence, score 1/5, vmray_install_service_by_api (Installs system service)
  Installs service "Manufacturing" by CreateServiceW.
Mutex, score 1/5, vmray_create_named_mutex (Creates mutex)
  Creates mutex with name "Global\[7746Arbiter".
System Modification, score 1/5, vmray_create_file_in_os_dir (Modifies operating system directory)
  Creates file "C:\WINDOWS\TEMP\lck.log" in the OS directory.
User Data Modification, score 4/5, vmray_rename_user_files (Renames user files)
  Renames multiple user files. This is an indicator for an encryption attempt.
System Modification, score 1/5, vmray_overwrite_file_in_os_dir (Modifies operating system directory), matched once per file below
  Modifies the following files in the OS directory:
  \\?\C:\Windows10Upgrade\resources\amd64\BiosBlocks.xml.garminwasted
  \\?\C:\Windows10Upgrade\resources\amd64\hwcompat.txt.garminwasted
  \\?\C:\Windows10Upgrade\resources\amd64\hwexclude.txt.garminwasted
  \\?\C:\Windows10Upgrade\resources\amd64\nxquery.cat.garminwasted
  \\?\C:\Windows10Upgrade\resources\amd64\nxquery.inf.garminwasted
  \\?\C:\Windows10Upgrade\resources\hwcompatShared.txt.garminwasted
  \\?\C:\Windows10Upgrade\resources\i386\BiosBlocks.xml.garminwasted
  \\?\C:\Windows10Upgrade\resources\i386\hwcompat.txt.garminwasted
  \\?\C:\Windows10Upgrade\resources\i386\hwexclude.txt.garminwasted
  \\?\C:\Windows10Upgrade\resources\i386\nxquery.cat.garminwasted
  \\?\C:\Windows10Upgrade\resources\i386\nxquery.inf.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\block.png.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\bluelogo.png.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\bullet.png.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\default.css.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\default.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\default_eos.css.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\default_eos.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\default_oobe.css.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\default_oobe.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_ar-sa.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_bg-bg.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_cs-cz.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_da-dk.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_de-de.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_el-gr.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_en-gb.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_en-us.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_es-es.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_es-mx.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_et-ee.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_fi-fi.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_fr-ca.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_fr-fr.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_he-il.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_hr-hr.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_hu-hu.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_it-it.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_ja-jp.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_ko-kr.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_lt-lt.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_lv-lv.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_nb-no.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_nl-nl.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_pl-pl.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_pt-br.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_pt-pt.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_ro-ro.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_ru-ru.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_sk-sk.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_sl-si.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_sr-latn-cs.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_sv-se.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_th-th.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_tr-tr.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_uk-ua.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_zh-cn.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_zh-hk.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\EULA\EULA_zh-tw.htm.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\eula.css.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\GetStarted.png.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\GetStartedHoverOver.png.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\loading.gif.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\lock.png.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\logo.png.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\marketing.png.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\Microsoft.WinJS\css\oobe-desktop.css.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\Microsoft.WinJS\css\ui-dark.css.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\Microsoft.WinJS\js\base.js.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\Microsoft.WinJS\js\ui.js.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\NetworkIssueFAQ.mht.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\NoNetworkConnection.png.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\NoNetworkConnectionHoverOver.png.garminwasted
  \\?\C:\Windows10Upgrade\resources\ux\pass.png.garminwasted
  \\?\C:\Windows10Upgrade\upgrader_default.log.garminwasted
  \\?\C:\Windows10Upgrade\upgrader_win10.log.garminwasted
Hide Tracks, score 1/5, vmray_create_process_with_hidden_window (Creates process with hidden window)
  The process "cmd" starts with hidden window.
System Modification, score 1/5, vmray_create_file_in_os_dir (Modifies operating system directory)
  Creates file "C:\WINDOWS\System32\spp\store\2.0\data.dat" in the OS directory.
System Modification, score 1/5, vmray_create_many_files (Creates an unusually large number of files)
  Creates above average number of files.
User Data Modification, score 4/5, vmray_modify_windows_backup_settings (Modifies Windows automatic backups)
  Deletes Windows volume shadow copies.
Anti Analysis, score 2/5, vmray_direct_syscall_api_usage (Makes direct system call to possibly evade hooking based sandboxes)
  Makes a direct system call to "NtQuerySystemInformation".
Antivirus, score 5/5, vmray_av_malicious_match (Malicious content was detected by heuristic scan)
  Local AV detected the sample itself as "Trojan.GenericKD.43531595".
Antivirus, score 5/5, vmray_av_malicious_match (Malicious content was detected by heuristic scan)
  Local AV detected a memory dump of process "cmtppelyjtipf5ha.exe" as "Gen:Variant.Razy.722206".
Antivirus, score 5/5, vmray_av_malicious_match (Malicious content was detected by heuristic scan)
  Local AV detected a memory dump of process "manufacturing.exe" as "Gen:Variant.Razy.722206".
Execution, score 1/5, vmray_drop_pe_file (Drops PE file)
  Drops file "C:\Users\FD1HVy\AppData\Roaming\Control".