File name: VMP.exe

Full analysis: https://app.any.run/tasks/302f23e9-525c-46ee-a4fc-4765bf416950
Verdict: Malicious activity
Analysis date: May 28, 2024, 07:48:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: B884ACB314FA194A47620CD31217055F
SHA1: C246150713BA938E3B98F11A6607D07AF6649B12
SHA256: 1E192445BE27CD9662FCA63B25F586FA928AE8D6DCE3C2251909F77BA3E78DE8
SSDEEP: 98304:uL1V+MNXnC0CIQf4Wc9eCXFJCnNgRZbr84vxebfRBNgGDtXgJYHXioqa1UG0tzru:Ng5Y0XKP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Renames files like ransomware

      • VMPe.exe.new (PID: 4284)
    • Drops the executable file immediately after the start

      • VMPe.exe.new (PID: 4284)
      • VMP.exe (PID: 1444)
      • VMP.exe (PID: 1016)
      • VMP.exe (PID: 4484)
    • Actions looks like stealing of personal data

      • VMP.exe (PID: 4484)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • VMP.exe (PID: 1016)
      • VMPe.exe.new (PID: 4284)
      • VMP.exe (PID: 4484)
    • Executable content was dropped or overwritten

      • VMPe.exe.new (PID: 4284)
      • VMP.exe (PID: 1016)
      • VMP.exe (PID: 1444)
      • VMP.exe (PID: 4484)
    • Reads the date of Windows installation

      • VMPe.exe.new (PID: 4284)
    • Starts application with an unusual extension

      • VMP.exe (PID: 1016)
    • Starts itself from another location

      • VMPe.exe.new (PID: 4284)
      • VMP.exe (PID: 1444)
    • Creates a software uninstall entry

      • VMP.exe (PID: 4484)
    • Process drops legitimate windows executable

      • VMP.exe (PID: 4484)
    • Write to the desktop.ini file (may be used to cloak folders)

      • VMP.exe (PID: 4484)
  • INFO

    • Checks supported languages

      • VMPe.exe.new (PID: 4284)
      • VMP.exe (PID: 1444)
      • VMP.exe (PID: 1016)
      • VMP.exe (PID: 4484)
    • Reads the computer name

      • VMPe.exe.new (PID: 4284)
      • VMP.exe (PID: 1444)
      • VMP.exe (PID: 1016)
      • VMP.exe (PID: 4484)
    • Process checks computer location settings

      • VMPe.exe.new (PID: 4284)
    • Creates files or folders in the user directory

      • VMP.exe (PID: 1444)
      • VMP.exe (PID: 4484)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:05:17 02:05:23+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.39
CodeSize: 3398656
InitializedDataSize: 2068480
UninitializedDataSize: -
EntryPoint: 0x29176c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.163
ProductVersionNumber: 2.0.0.163
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: VMP.ir
FileDescription: VMP
InternalName: VMP
FileVersion: 2.0.0.163
LegalCopyright: (C) 2024-2999 VMP.ir
OriginalFileName: VMP.exe
ProductName: VMP
ProductVersion: 2.0.0.163
No data.
All screenshots are available in the full report
Total processes: 121
Monitored processes: 4
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start -> vmp.exe -> vmpe.exe.new -> vmp.exe -> vmp.exe

Process information

PID: 1016
CMD: "C:\Users\admin\Desktop\VMP.exe"
Path: C:\Users\admin\Desktop\VMP.exe
Parent process: explorer.exe
User: admin
Company: VMP.ir
Integrity Level: MEDIUM
Description: VMP
Exit code: 0
Version: 2.0.0.163
Modules (Images):
c:\users\admin\desktop\vmp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 1444
CMD: "C:\Users\admin\Desktop\VMP.exe"
Path: C:\Users\admin\Desktop\VMP.exe
Parent process: VMPe.exe.new
User: admin
Company: VMP.ir
Integrity Level: MEDIUM
Description: VMP
Exit code: 0
Version: 2.0.0.225
Modules (Images):
c:\users\admin\desktop\vmp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll

PID: 4284
CMD: VMPe.exe.new -bootstrap "C:\Users\admin\Desktop\VMP.exe"
Path: C:\Users\admin\Desktop\VMPe.exe.new
Parent process: VMP.exe
User: admin
Company: VMP.ir
Integrity Level: MEDIUM
Description: VMP
Exit code: 0
Version: 2.0.0.225
Modules (Images):
c:\users\admin\desktop\vmpe.exe.new
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll

PID: 4484
CMD: "C:\Users\admin\AppData\Local\VMP\VMP.exe"
Path: C:\Users\admin\AppData\Local\VMP\VMP.exe
Parent process: VMP.exe
User: admin
Company: VMP.ir
Integrity Level: MEDIUM
Description: VMP
Exit code: -
Version: 2.0.0.225
Modules (Images):
c:\users\admin\appdata\local\vmp\vmp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
Total events: 24 153
Read events: 24 133
Write events: 20
Delete events: 0

Modification events

(PID) Process: (1016) VMP.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VMP\VMP
Operation: write
Name: Last Run Location
Value: C:\Users\admin\Desktop\

(PID) Process: (4284) VMPe.exe.new
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (4284) VMPe.exe.new
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (4284) VMPe.exe.new
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (4284) VMPe.exe.new
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (1444) VMP.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VMP\VMP
Operation: write
Name: Last Run Location
Value: C:\Users\admin\Desktop\

(PID) Process: (4484) VMP.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VMP\VMP
Operation: write
Name: Last Run Location
Value: C:\Users\admin\AppData\Local\VMP\VMP.app\

(PID) Process: (4484) VMP.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VMP_IR_VMP
Operation: write
Name: DisplayName
Value: VMP

(PID) Process: (4484) VMP.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VMP_IR_VMP
Operation: write
Name: DisplayIcon
Value: C:\Users\admin\AppData\Local\VMP\VMP.exe,0

(PID) Process: (4484) VMP.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VMP_IR_VMP
Operation: write
Name: HelpLink
Value: https://cfx.re/
Executable files: 175
Suspicious files: 8
Text files: 4
Unknown types: 0

Dropped files

PID: 4484 | Process: VMP.exe | Filename: C:\Users\admin\AppData\Local\VMP\VMP.VisualElementsManifest.xml | Type: text
MD5: 7215BF5F561D44FDE7C00BA495720948
SHA256: E392E302B6C63DA6EC916ADF867B5DB3BD9B363CDA0CA969B3E69B43D6E3691E

PID: 4484 | Process: VMP.exe | Filename: C:\Users\admin\AppData\Local\VMP\VMP.app\CitiLaunch_TLSDummy.dll | Type: executable
MD5: DD88275202498EECC4B5E3D63C4D0500
SHA256: 9018FAB0FBEDEF8BFFE3097A1F54FD9F7A49E928E73E11EF4AC8DE0CAAB7856B

PID: 4484 | Process: VMP.exe | Filename: C:\Users\admin\AppData\Local\VMP\VMP.app\CitizenFX_SubProcess_game_2189.bin.tmp | Type: executable
MD5: 4857EA337ED9039FC996FDBE4E5247E0
SHA256: 4D94D64C2FB16D59A64338F9B51297E968E8488EBC841051FF9533CD34D423E3

PID: 4484 | Process: VMP.exe | Filename: C:\Users\admin\AppData\Local\VMP\VMP.app\CitizenFX_SubProcess_game_1604.bin.tmp | Type: executable
MD5: 2EFA7E589B21A38ABB0116A3E94273D4
SHA256: C5197F9E48DE0D272C30437C1D7080BC18DF67A5590220BDDF3E56DBF7819FDC

PID: 4484 | Process: VMP.exe | Filename: C:\Users\admin\AppData\Local\VMP\VMP.app\CitiLaunch_TLSDummy.dll.tmp | Type: executable
MD5: DD88275202498EECC4B5E3D63C4D0500
SHA256: 9018FAB0FBEDEF8BFFE3097A1F54FD9F7A49E928E73E11EF4AC8DE0CAAB7856B

PID: 1444 | Process: VMP.exe | Filename: C:\Users\admin\AppData\Local\VMP\VMP.exe | Type: executable
MD5: 93DEFD130A2D1120BA367EE1134D4BEA
SHA256: 424EF64FFB4335EA5AAAA9249292EC046D1848132E6FCED10EF94533E59DBAD3

PID: 1444 | Process: VMP.exe | Filename: C:\Users\admin\Desktop\VMP.lnk | Type: binary
MD5: AE0FEE3B897A740CFB047CACC769B07D
SHA256: 7E41C0337CF0B43FF507CABCAE8E22FE1759BF29002FC9AE20D2C5B3CA435448

PID: 1016 | Process: VMP.exe | Filename: C:\Users\admin\Desktop\VMPe.exe.new | Type: executable
MD5: 93DEFD130A2D1120BA367EE1134D4BEA
SHA256: 424EF64FFB4335EA5AAAA9249292EC046D1848132E6FCED10EF94533E59DBAD3

PID: 4484 | Process: VMP.exe | Filename: C:\Users\admin\AppData\Local\VMP\VMP.app\desktop.ini | Type: ini
MD5: 392C4286B61BDF0A8569A627ED044676
SHA256: 6A4064071DEB6207EBAD8B7B7259A4A702CAFAC6357405879350C333E1AFE1B1

PID: 4484 | Process: VMP.exe | Filename: C:\Users\admin\AppData\Local\VMP\VMP.app\CitizenFX_SubProcess_ac.bin.tmp | Type: executable
MD5: C3825276A035A1FFBFBE22ACB130D4C8
SHA256: 361595E306412F2B9B2DD4D6E66ABD605C3B8D7FD43F48208B512250FB80E8E1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 112
TCP/UDP connections: 38
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5504 | svchost.exe | GET | 200 | 2.18.79.138:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | AT | binary | 1.01 Kb | unknown
- | - | GET | 200 | 185.208.182.248:443 | https://cdn.vmp.ir/updates/heads/fivereborn/production?time=1716882518 | IR | text | 7 b | unknown
5632 | RUXIMICS.exe | GET | 200 | 2.17.245.133:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 973 b | unknown
5504 | svchost.exe | GET | 200 | 2.17.245.133:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 973 b | unknown
- | - | GET | 200 | 185.208.182.249:443 | https://cdn.vmp.ir/updates/42/4e/424ef64ffb4335ea5aaaa9249292ec046d1848132e6fced10ef94533e59dbad3.xz | IR | xz | 1.80 Mb | unknown
5632 | RUXIMICS.exe | GET | 200 | 2.18.79.138:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | AT | binary | 1.01 Kb | unknown
- | - | GET | 200 | 185.208.182.248:443 | https://cdn.vmp.ir/updates/heads/fivereborn/production?time=1716882561 | IR | text | 7 b | unknown
- | - | GET | 200 | 2.19.193.8:443 | https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w | unknown | s | 21.3 Kb | unknown
- | - | GET | 200 | 185.208.182.250:443 | https://cdn.vmp.ir/updates/heads/fivereborn/production?time=1716882564 | IR | text | 7 b | unknown
- | - | GET | 200 | 185.208.182.248:443 | https://cdn.vmp.ir/updates/bb/93/bb93672c0f60e1b8288a352eb121f22aa24e98b13a53a7e2ac9cf92eb23aa8d7 | IR | text | 96.6 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5504 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5632 | RUXIMICS.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5140 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5140 | MoUsoCoreWorker.exe | 2.18.79.138:80 | crl.microsoft.com | Akamai International B.V. | AT | unknown
- | - | 239.255.255.250:1900 | - | - | - | unknown
5504 | svchost.exe | 2.18.79.138:80 | crl.microsoft.com | Akamai International B.V. | AT | unknown
5632 | RUXIMICS.exe | 2.18.79.138:80 | crl.microsoft.com | Akamai International B.V. | AT | unknown
5140 | MoUsoCoreWorker.exe | 2.17.245.133:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
1016 | VMP.exe | 185.208.182.250:443 | cdn.vmp.ir | Asre Pardazeshe Ettelaate Amin Institute | IR | unknown
5632 | RUXIMICS.exe | 2.17.245.133:80 | www.microsoft.com | Akamai International B.V. | NL | unknown

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 2.18.79.138, 2.18.79.141 | whitelisted
www.microsoft.com | 2.17.245.133 | whitelisted
cdn.vmp.ir | 185.208.182.250, 185.208.182.249, 185.208.182.248 | unknown
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
www.bing.com | 2.19.193.8, 2.19.193.27, 2.19.193.10, 2.19.193.16, 2.19.193.25, 2.19.193.9, 2.19.193.17, 2.19.193.19, 2.19.193.32 | whitelisted
r.bing.com | 2.19.193.19, 2.19.193.8, 2.19.193.10, 2.19.193.9, 2.19.193.17, 2.19.193.16, 2.19.193.32, 2.19.193.27, 2.19.193.25 | whitelisted
self.events.data.microsoft.com | 51.116.253.168 | whitelisted

Threats

No threats detected
Process | Message
VMP.exe | Dev mode : false
VMP.exe | Dev mode : false