Analysis Report

Analysis Information

Creation Time	2016-11-09 16:51 (UTC+1)
VM Analysis Duration Time	00:01:30
Execution Successful
Sample Filename	d8891477315db13a640ed5956a636951.exe
Command Line Parameters
Prescript
Number of Processes	46
Termination Reason	Maximum binlog size reached
Download	Function Logfile Generic Logfile PCAP STIX/CybOX
Remarks	Boot sector was modified VM rebooted

VTI Information

VTI Score 100 / 100
VTI Database Version	2.2
VTI Rule Match Count	1023
VTI Rule Type	Default (PE, ...)

Tags

The tags feature is only available in the fully licensed version of VMRay Analyzer.

Screenshots

Monitored Processes

ID	PID	Monitor Reason	Image Name	Command Line	Origin ID
#1	0x6ec	Analysis Target	d8891477315db13a640ed5956a636951.exe	"C:\Users\hJrD1KOKY DS8lUjv\Desktop\d8891477315db13a640ed5956a636951.exe"
#2	0x7b8	Child Process	esentutl.exe	"C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe"	#1
#3	0x744	Child Process	cmd.exe	/d /c taskkill /t /f /im "d8891477315db13a640ed5956a636951.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\hJrD1KOKY DS8lUjv\Desktop\d8891477315db13a640ed5956a636951.exe" > NUL	#1
#4	0x484	Child Process	taskkill.exe	taskkill /t /f /im "d8891477315db13a640ed5956a636951.exe"	#3
#6	0x698	Child Process	vssadmin.exe	"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet	#2
#11	0x82c	Child Process	ping.exe	ping -n 1 127.0.0.1	#3
#12	0x884	Child Process	wmic.exe	"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete	#2
#13	0x8b4	Child Process	bcdedit.exe	"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no	#2
#14	0x8d0	Child Process	bcdedit.exe	"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures	#2
#16	0x4	Kernel Analysis	System
#17	0xd8	Child Process	smss.exe	\SystemRoot\System32\smss.exe	#16
#18	0xf0	Child Process	autochk.exe	\??\C:\Windows\system32\autochk.exe *	#17
#19	0x120	Child Process	smss.exe	\SystemRoot\System32\smss.exe 00000000 0000003c	#17
#20	0x128	Child Process	csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16	#19
#21	0x150	Child Process	smss.exe	\SystemRoot\System32\smss.exe 00000001 0000003c	#17
#22	0x158	Child Process	wininit.exe	wininit.exe	#19
#23	0x164	Child Process	csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16	#21
#24	0x180	Child Process	winlogon.exe	winlogon.exe	#21
#25	0x1a8	Child Process	services.exe	C:\Windows\system32\services.exe	#22
#26	0x1b8	Child Process	lsass.exe	C:\Windows\system32\lsass.exe	#22
#27	0x1c0	Child Process	lsm.exe	C:\Windows\system32\lsm.exe	#22
#28	0x234	Child Process	svchost.exe	C:\Windows\system32\svchost.exe -k DcomLaunch	#25
#29	0x27c	Child Process	svchost.exe	C:\Windows\system32\svchost.exe -k RPCSS	#25
#30	0x2ac	Child Process	svchost.exe	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted	#25
#31	0x2f4	Child Process	logonui.exe	"LogonUI.exe" /flags:0x0	#24
#32	0x32c	Child Process	svchost.exe	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted	#25
#33	0x358	Child Process	svchost.exe	C:\Windows\system32\svchost.exe -k netsvcs	#25
#34	0x394	Child Process	audiodg.exe	C:\Windows\system32\AUDIODG.EXE 0x2bc	#30
#35	0x3e0	Child Process	svchost.exe	C:\Windows\system32\svchost.exe -k LocalService	#25
#36	0x12c	Child Process	dllhost.exe	C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}	#28
#37	0x10c	Child Process	userinit.exe	C:\Windows\system32\userinit.exe	#24
#38	0x200	Child Process	explorer.exe	C:\Windows\Explorer.EXE	#37
#39	0x104	Child Process	dwm.exe	"C:\Windows\system32\Dwm.exe"	#32
#40	0x41c	Child Process	svchost.exe	C:\Windows\system32\svchost.exe -k NetworkService	#25
#41	0x49c	Child Process	esentutl.exe	"C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe"	#38
#42	0x4a4	Child Process	runonce.exe	C:\Windows\SysWOW64\runonce.exe /Run6432	#38
#43	0x4ac	Child Process	esentutl.exe	"C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe"	#38
#44	0x4b8	Child Process	esentutl.exe	"C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe"	#38
#45	0x4f4	Child Process	spoolsv.exe	C:\Windows\System32\spoolsv.exe	#25
#46	0x524	Child Process	dllhost.exe	C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}	#28
#47	0x548	Child Process	taskhost.exe	"taskhost.exe"	#25
#48	0x570	Child Process	jusched.exe	"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"	#42
#49	0x580	Child Process	svchost.exe	C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork	#25
#50	0x600	Child Process	explorer.exe	"C:\Windows\SysWOW64\explorer.exe"	#44
#51	0x608	Child Process	explorer.exe	"C:\Windows\SysWOW64\explorer.exe"	#41
#52	0x664	Child Process	explorer.exe	"C:\Windows\SysWOW64\explorer.exe"	#43

Sample Information

ID	#663085
MD5 Hash Value	d8891477315db13a640ed5956a636951
SHA1 Hash Value	abb3fd6a48b0881f4d01ff468ea81cd81e24e97b
SHA256 Hash Value	ddffb78d1b7dd7831fc074911671fa5e3b9d7b33f10ab3a9933cf563b570f756
Filename	d8891477315db13a640ed5956a636951.exe
File Size	116.50 KB (119296 bytes)
File Type	Windows Exe (x86-32)

Analyzer and Virtual Machine Information

Analyzer Version	1.11.0
Analyzer Build Date	2016-10-24 09:58 (UTC+2)
VM Name	win7_64_sp1
VM Description	Windows 7 (SP1, 64-bit)
VM Architecture	x86 64-bit
VM OS	Windows 7
VM Kernel Version	6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)