
DYNAMIC ANALYSIS REPORT #1298037

Classifications: Spyware

MALICIOUS Threat Names: C2/Generic-A

Verdict Reason: -

Sample Type Windows Exe (x86-32)

Sample Name Kvfwecxf.OR3.exe

ID #451118

MD5 aa4ac54f3132c970ded1551ef80872d6

SHA1 1d9bd7dac63323412ef02cba15acfa9632406b3d

SHA256 275a1d8d7ae6503b4aac7a8636bcab66e3bfa0bb57215a1e1205107c1e854809

File Size 292.00 KB

Report Created 2021-05-03 09:37 (UTC+2)

Target Environment win7_64_sp1_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com 1 / 53 DYNAMIC ANALYSIS REPORT #1298037

OVERVIEW

VMRay Threat Identifiers (29 rules, 88 matches)

Score Category Operation Count Classification

5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware

• Tries to read sensitive data of: Outlook, Opera, Ipswitch WS_FTP, k-Meleon, Explorer, TigerVNC, Internet Download Manager, BlackHawk, Cyberfox, IncrediMail, The Bat!, TightVNC, Comodo IceDragon, FileZilla, WinSCP, Internet Explorer / Edge, CoreFTP, OpenVPN, SeaMonkey, FTP Navigator.

4/5 Defense Evasion Tries to disable antivirus 2 -

• (Process #21) sc.exe stops a service related to Windows Defender via ControlService (API). Note that sc.exe exited with code 1062 (ERROR_SERVICE_NOT_ACTIVE), so in this environment the service was not running and the stop request had no effect; the behaviour is still an attempt to disable the AV.

• (Process #2) advancedrun.exe stops a service related to Windows Defender via the sc.exe utility.

4/5 Reputation Contacts known malicious IP address 1 -

• Reputation analysis labels the contacted IP address 208.91.198.143 as "C2/Generic-A".

2/5 Privilege Escalation Enables critical process privilege 2 -

• (Process #2) advancedrun.exe enables critical process privilege "SeImpersonatePrivilege".

• (Process #22) advancedrun.exe enables critical process privilege "SeImpersonatePrivilege".

2/5 Hide Tracks Deletes file after execution 1 -

• (Process #1) kvfwecxf.or3.exe deletes executed executable "c:\users\keecfmwgj\appdata\local\temp\advancedrun.exe".

2/5 Data Collection Reads sensitive browser data 9 -

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of "Opera" by file.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "BlackHawk" by file.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Mozilla Firefox" by file.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Flock" by file.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "k-Meleon" by file.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Cyberfox" by file.

• (Process #25) kvfwecxf.or3.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Comodo IceDragon" by file.

2/5 Data Collection Reads sensitive application data 6 -

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "TightVNC" by registry.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "TigerVNC" by registry.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "SeaMonkey" by file.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "OpenVPN" by registry.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "WinSCP" by registry.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "Internet Download Manager" by registry.

2/5 Data Collection Reads sensitive mail data 7 -


• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "" by registry.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "" by file.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "IncrediMail" by registry.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "The Bat!" by file.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "Pocomail" by file.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "Postbox" by file.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "Mozilla Thunderbird" by file.

2/5 Data Collection Reads sensitive ftp data 5 -

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "Ipswitch WS_FTP" by file.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "CoreFTP" by file.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "CoreFTP" by registry.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "FTP Navigator" by file.

• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "FileZilla" by file.

2/5 Discovery Queries OS version via WMI 1 -

• (Process #25) kvfwecxf.or3.exe queries OS version via WMI.

2/5 Discovery Executes WMI query 2 -

• (Process #25) kvfwecxf.or3.exe executes WMI query: select * from Win32_OperatingSystem.

• (Process #25) kvfwecxf.or3.exe executes WMI query: SELECT * FROM Win32_Processor.

2/5 Discovery Collects hardware properties 1 -

• (Process #25) kvfwecxf.or3.exe queries hardware properties via WMI.

2/5 Anti Analysis Tries to detect virtual machine 1 -

• Multiple processes are possibly trying to detect a VM via rdtsc.

2/5 Injection Writes into the memory of a process running from a created or modified executable 1 -

• (Process #1) kvfwecxf.or3.exe modifies memory of (process #25) kvfwecxf.or3.exe.

2/5 Injection Modifies control of a process running from a created or modified executable 1 -

• (Process #1) kvfwecxf.or3.exe alters context of (process #25) kvfwecxf.or3.exe.

1/5 Privilege Escalation Enables process privilege 4 -

• (Process #1) kvfwecxf.or3.exe enables process privilege "SeDebugPrivilege".

• (Process #2) advancedrun.exe enables process privilege "SeDebugPrivilege".

• (Process #22) advancedrun.exe enables process privilege "SeDebugPrivilege".

• (Process #25) kvfwecxf.or3.exe enables process privilege "SeDebugPrivilege".

1/5 Hide Tracks Creates process with hidden window 6 -

• (Process #1) kvfwecxf.or3.exe starts (process #2) advancedrun.exe with a hidden window.

• (Process #2) advancedrun.exe starts (process #21) sc.exe with a hidden window.

• (Process #1) kvfwecxf.or3.exe starts (process #22) advancedrun.exe with a hidden window.

• (Process #22) advancedrun.exe starts (process #23) powershell.exe with a hidden window.

• (Process #1) kvfwecxf.or3.exe starts (process #25) kvfwecxf.or3.exe with a hidden window.

• (Process #24) wscript.exe starts (process #26) powershell.exe with a hidden window.

1/5 Discovery Enumerates running processes 3 -


• (Process #2) advancedrun.exe enumerates running processes.

• (Process #22) advancedrun.exe enumerates running processes.

• (Process #1) kvfwecxf.or3.exe enumerates running processes.

1/5 Mutex Creates mutex 1 -

• (Process #1) kvfwecxf.or3.exe creates mutex with name "Ojimkn".

1/5 Obfuscation Reads from memory of another process 1 -

• (Process #1) kvfwecxf.or3.exe reads from (process #25) kvfwecxf.or3.exe.

1/5 Obfuscation Creates a page with write and execute permissions 1 -

• (Process #1) kvfwecxf.or3.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

1/5 Discovery Possibly does reconnaissance 22 -

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "RealVNC" by registry.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "TightVNC" by registry.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "TigerVNC" by registry.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "" by registry.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "blackHawk" by file.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Opera Mail" by file.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "SeaMonkey" by file.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "WS_FTP" by file.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "CoreFTP" by file.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "icecat" by file.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "FTP Navigator" by file.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Mozilla Firefox" by file.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "FileZilla" by file.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Flock" by file.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Qualcomm " by registry.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "k-Meleon" by file.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "The Bat!" by file.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "WinSCP" by registry.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Pocomail" by file.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Cyberfox" by file.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Postbox" by file.

• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Comodo IceDragon" by file.

1/5 Execution Executes itself 1 -

• (Process #1) kvfwecxf.or3.exe executes a copy of the sample at c:\users\keecfmwgj\desktop\kvfwecxf.or3.exe.

1/5 Execution Drops PE file 1 -

• (Process #1) kvfwecxf.or3.exe drops file "C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe".

1/5 Execution Executes dropped PE file 1 -

• Executes dropped file "C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe".

1/5 Network Connection Performs DNS request 2 -

• (Process #1) kvfwecxf.or3.exe resolves host name "launcher.worldofwarcraft.com" to IP "137.221.106.103".

• (Process #25) kvfwecxf.or3.exe resolves host name "smtp.oneoceanmaritimes.com" to IP "208.91.199.225".

1/5 Network Connection Connects to remote host 2 -


• (Process #1) kvfwecxf.or3.exe opens an outgoing TCP connection to host "137.221.106.103:80".

• (Process #25) kvfwecxf.or3.exe opens an outgoing TCP connection to host "208.91.199.225:587".

1/5 Network Connection Tries to connect using an uncommon port 1 -

• (Process #25) kvfwecxf.or3.exe tries to connect to TCP port 587 at 208.91.199.225.

1/5 Obfuscation Resolves API functions dynamically 1 -

• (Process #25) kvfwecxf.or3.exe resolves 31 API functions by name.

- Trusted Known clean file 1 -

• File "C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe" is a known clean file.
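The Defender-tampering chain listed above (AdvancedRun launching "sc.exe stop WinDefend", a second AdvancedRun launching PowerShell to delete the Defender ProgramData directory, and a VBS-spawned PowerShell adding a C:\ exclusion) is a good detection target because every step is a plain command line under one process tree. The Python below is an added example, not part of the VMRay report or its product: it scores constructed process-creation events (PIDs and command lines transcribed from the process details further down, plus two benign control events) per process-tree root. The "sc config ... start= disabled" and Set-MpPreference patterns go beyond what this sample did and are included as the obvious siblings.

```python
"""Flag the Windows Defender tampering chain from process-creation telemetry.

Added example, not part of the VMRay report. The ProcEvent records below are
constructed from the PIDs and command lines the report shows for processes
#1, #2, #21, #22, #23, #24 and #26, plus two benign control events.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Rule name -> pattern applied to the full command line (case-insensitive).
# The first three match what this sample did; "defender_service_disable" and
# Set-MpPreference are generalisations to sibling techniques.
RULES = [
    ("defender_service_stop",
     re.compile(r"\bsc(?:\.exe)?\b.*?\bstop\b.*?\bWinDefend\b", re.I)),
    ("defender_dir_delete",
     re.compile(r"\b(?:rmdir|rd|Remove-Item|del)\b.*?Windows Defender", re.I)),
    ("defender_exclusion",
     re.compile(r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I)),
    ("defender_service_disable",
     re.compile(r"\bsc(?:\.exe)?\b.*?\bconfig\b.*?\bWinDefend\b.*?start=\s*disabled", re.I)),
    ("advancedrun_launcher",   # NirSoft AdvancedRun used as a proxy launcher
     re.compile(r"AdvancedRun\.exe.*?/EXEFilename\b.*?/RunAs\b", re.I)),
]
EXCLUSION_PATH = re.compile(r"-ExclusionPath\s+['\"]?([^\s'\"]+)", re.I)


def match_rules(ev: ProcEvent) -> list:
    hits = [name for name, pat in RULES if pat.search(ev.cmdline)]
    m = EXCLUSION_PATH.search(ev.cmdline)
    # An exclusion for a bare drive root (C:\) switches scanning off for the volume.
    if m and re.fullmatch(r"[A-Za-z]:\\?", m.group(1)):
        hits.append("drive_root_exclusion")
    return hits


def root_of(by_pid: dict, pid: int) -> int:
    """Walk parent links to the oldest ancestor present in the telemetry."""
    seen = set()
    while pid not in seen and by_pid[pid].ppid in by_pid:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def scan(events) -> dict:
    """Map each process-tree root to the (pid, rule) hits among its descendants."""
    by_pid = {e.pid: e for e in events}
    chains = defaultdict(list)
    for e in events:
        for hit in match_rules(e):
            chains[root_of(by_pid, e.pid)].append((e.pid, hit))
    return dict(chains)


def verdict(chains: dict, threshold: int = 3) -> dict:
    """Roots whose tree trips at least `threshold` distinct rules."""
    out = {}
    for root, hits in chains.items():
        rules = sorted({name for _, name in hits})
        if len(rules) >= threshold:
            out[root] = rules
    return out


# Constructed sample telemetry (values transcribed from the report's process list).
TMP = r"C:\Users\kEecfMwgj\AppData\Local\Temp"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    ProcEvent(3820, 1120, r"C:\Users\kEecfMwgj\Desktop\Kvfwecxf.OR3.exe",
              r'"C:\Users\kEecfMwgj\Desktop\Kvfwecxf.OR3.exe"'),
    ProcEvent(3916, 3820, TMP + r"\AdvancedRun.exe",
              f'"{TMP}\\AdvancedRun.exe" /EXEFilename "C:\\Windows\\System32\\sc.exe" '
              '/WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run'),
    ProcEvent(3968, 3916, r"C:\Windows\System32\sc.exe",
              r'"C:\Windows\System32\sc.exe" stop WinDefend'),
    ProcEvent(3996, 3820, TMP + r"\AdvancedRun.exe",
              f'"{TMP}\\AdvancedRun.exe" /EXEFilename "{PS}" /WindowState 0 /CommandLine '
              '"rmdir \'C:\\ProgramData\\Microsoft\\Windows Defender\' -Recurse" '
              '/StartDirectory "" /RunAs 8 /Run'),
    ProcEvent(4016, 3996, PS,
              f'"{PS}" rmdir \'C:\\ProgramData\\Microsoft\\Windows Defender\' -Recurse'),
    ProcEvent(4068, 3820, r"C:\Windows\SysWOW64\wscript.exe",
              f'"C:\\Windows\\System32\\WScript.exe" "{TMP}\\zRtceyajbxffti.vbs"'),
    ProcEvent(2928, 4068, PS, f'"{PS}" Add-MpPreference -ExclusionPath C:\\'),
    # Benign controls (constructed): an admin querying the service and excluding one folder.
    ProcEvent(5100, 5000, r"C:\Windows\System32\sc.exe", "sc.exe query WinDefend"),
    ProcEvent(5200, 5000, PS, f'"{PS}" Add-MpPreference -ExclusionPath C:\\Builds'),
]

if __name__ == "__main__":
    for root, rules in verdict(scan(EVENTS)).items():
        print(f"root pid {root}: Defender tampering chain -> {', '.join(rules)}")
```

A root that trips three or more distinct rules is reported; a single Add-MpPreference for one folder, as an administrator might run, stays below the threshold, while a bare drive-root exclusion is scored as its own rule. The sc.exe exit code 1062 in this run (service not active) does not change the scoring: the attempt deserves the alert whether or not the service was running.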


Mitre ATT&CK Matrix

Matrix columns (tactics): Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.

Technique | Tactic

#T1143 Hidden Window | Defense Evasion

#T1057 Process Discovery | Discovery

#T1089 Disabling Security Tools | Defense Evasion

#T1489 Service Stop | Impact

#T1045 Software Packing | Defense Evasion

#T1119 Automated Collection | Collection

#T1081 Credentials in Files | Credential Access

#T1083 File and Directory Discovery | Discovery

#T1005 Data from Local System | Collection

#T1012 Query Registry | Discovery

#T1214 Credentials in Registry | Credential Access

#T1003 Credential Dumping | Credential Access

#T1047 Windows Management Instrumentation | Execution

#T1082 System Information Discovery | Discovery

#T1497 Virtualization/Sandbox Evasion | Defense Evasion, Discovery

#T1124 System Time Discovery | Discovery

#T1065 Uncommonly Used Port | Command and Control


Sample Information

ID 1298037

MD5 aa4ac54f3132c970ded1551ef80872d6

SHA1 1d9bd7dac63323412ef02cba15acfa9632406b3d

SHA256 275a1d8d7ae6503b4aac7a8636bcab66e3bfa0bb57215a1e1205107c1e854809

SSDeep 6144:QztzN0bHx5+OM8lbRmS2Gf6HvqSqezEBQjaiG:QztBmRgIY1GSPqzezjGiG

ImpHash f34d5f2d4577ed6d9ceec516c1f5a744

Filename Kvfwecxf.OR3.exe

File Size 292.00 KB

Sample Type Windows Exe (x86-32)

Has Macros

Analysis Information

Creation Time 2021-05-03 09:37 (UTC+2)

Analysis Duration 00:04:00

Termination Reason Timeout

Number of Monitored Processes 27

Execution Successful False

Reputation Analysis Enabled

WHOIS Enabled

Built-in AV Enabled

Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of AV Matches 0

YARA Enabled

YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of YARA Matches 0


NETWORK

General

1.48 KB total sent

1.49 KB total received

2 ports 80, 587

3 contacted IP addresses

0 URLs extracted

0 files downloaded

0 malicious hosts detected

DNS

3 DNS requests for 2 domains

1 nameservers contacted

0 total requests returned errors

HTTP/S

1 URLs contacted, 1 servers

1 session, 215 bytes sent, 638 bytes received

DNS Requests

Type | Hostname | Response Code | Resolved IPs | CNames | Verdict

A | launcher.worldofwarcraft.com | NoError | 137.221.106.103 | | N/A

A | smtp.oneoceanmaritimes.com | NoError | 208.91.199.225, 208.91.199.223, 208.91.198.143, 208.91.199.224 | us2.smtp.mailhostbox.com | N/A

| smtp.oneoceanmaritimes.com | | 208.91.199.225, 208.91.199.223, 208.91.198.143, 208.91.199.224 | | N/A

HTTP Requests

Method | URL | Dest. IP | Dest. Port | Status Code | Response Size | Verdict

GET | http://launcher.worldofwarcraft.com/alert | 137.221.106.103 | 80 | | 0 bytes | N/A


BEHAVIOR

Process Graph

(parent/child relations as listed under each process below; edge labels are the report's)

#1 kvfwecxf.or3.exe (Sample Start)
 +-- #2 advancedrun.exe (Child Process)
 |    +-- #21 sc.exe (Child Process)
 +-- #22 advancedrun.exe (Child Process)
 |    +-- #23 powershell.exe (Child Process)
 +-- #24 wscript.exe (Child Process)
 |    +-- #26 powershell.exe (Child Process)
 +-- #25 kvfwecxf.or3.exe (Child Process; #1 -> #25: Modify Memory, Modify Control Flow)

#3 System (Created Daemon)

#4 services.exe (Created Daemon)
 +-- #5 svchost.exe (Child Process)
 +-- #6 svchost.exe (Child Process)
 +-- #7 svchost.exe (Child Process)
 +-- #8 svchost.exe (Child Process)
 +-- #9 svchost.exe (Child Process)
 +-- #10 svchost.exe (Child Process)
 +-- #11 svchost.exe (Child Process)
 +-- #12 spoolsv.exe (Child Process)
 +-- #13 taskhost.exe (Child Process)
 +-- #14 svchost.exe (Child Process)
 +-- #15 officeclicktorun.exe (Child Process)
 +-- #16 taskhost.exe (Child Process)
 +-- #17 svchost.exe (Child Process)
 +-- #18 sppsvc.exe (Child Process)
 +-- #19 wmiapsrv.exe (Child Process)
 +-- #20 trustedinstaller.exe (Child Process)
 +-- #29 wmiapsrv.exe (Child Process)


Process #1: kvfwecxf.or3.exe

ID 1

Filename c:\users\keecfmwgj\desktop\kvfwecxf.or3.exe

Command Line "C:\Users\kEecfMwgj\Desktop\Kvfwecxf.OR3.exe"

Initial Working Directory C:\Users\kEecfMwgj\Desktop\

Monitor Start Time Start Time: 45656, Reason: Analysis Target

Unmonitor End Time End Time: 154413, Reason: Terminated

Monitor Duration 108.76s

Return Code 0

PID 3820

Parent PID 1120

Bitness 32 Bit

Dropped Files (3)

Filename | File Size | SHA256 | YARA Match

C:\Users\kEecfMwgj\AppData\Local\Temp\Kvfwecxf.OR3.exe | 292.00 KB | 275a1d8d7ae6503b4aac7a8636bcab66e3bfa0bb57215a1e1205107c1e854809 |

C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe | 88.87 KB | 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b |

C:\Users\kEecfMwgj\AppData\Local\Temp\zRtceyajbxffti.vbs | 92 bytes | c14774447472f5eec655d2046e6e4930b3bed4877de328d4f8a58416b7144db2 |

Host Behavior

Type Count

Registry 50

Process 107

File 34

- 10

User 1

Module 35

System 130

Environment 4

Mutex 1

- 3

- 7

Network Behavior

Type Count

HTTP 1

DNS 1

TCP 1


Process #2: advancedrun.exe

ID 2

Filename c:\users\keecfmwgj\appdata\local\temp\advancedrun.exe

Command Line "C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run

Initial Working Directory C:\Users\kEecfMwgj\Desktop\

Monitor Start Time Start Time: 113461, Reason: Child Process

Unmonitor End Time End Time: 127398, Reason: Terminated

Monitor Duration 13.94s

Return Code 0

PID 3916

Parent PID 3820

Bitness 32 Bit

Host Behavior

Type Count

Module 237

System 2

Process 469

User 2

- 28

Environment 1

- 4


Process #3: System

ID 3

Filename System

Command Line

Initial Working Directory

Monitor Start Time Start Time: 115359, Reason: Created Daemon

Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout

Monitor Duration 175.23s

Return Code Unknown

PID 4

Parent PID 18446744073709551615

Bitness 64 Bit


Process #4: services.exe

ID 4

Filename c:\windows\system32\services.exe

Command Line C:\Windows\system32\services.exe

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 115359, Reason: Created Daemon

Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout

Monitor Duration 175.23s

Return Code Unknown

PID 456

Parent PID 368

Bitness 64 Bit


Process #5: svchost.exe

ID 5

Filename c:\windows\system32\svchost.exe

Command Line C:\Windows\system32\svchost.exe -k DcomLaunch

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 115359, Reason: Child Process

Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout

Monitor Duration 175.23s

Return Code Unknown

PID 584

Parent PID 456

Bitness 64 Bit


Process #6: svchost.exe

ID 6

Filename c:\windows\system32\svchost.exe

Command Line C:\Windows\system32\svchost.exe -k RPCSS

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 115359, Reason: Child Process

Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout

Monitor Duration 175.23s

Return Code Unknown

PID 652

Parent PID 456

Bitness 64 Bit


Process #7: svchost.exe

ID 7

Filename c:\windows\system32\svchost.exe

Command Line C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 115359, Reason: Child Process

Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout

Monitor Duration 175.23s

Return Code Unknown

PID 704

Parent PID 456

Bitness 64 Bit


Process #8: svchost.exe

ID 8

Filename c:\windows\system32\svchost.exe

Command Line C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 115359, Reason: Child Process

Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout

Monitor Duration 175.23s

Return Code Unknown

PID 808

Parent PID 456

Bitness 64 Bit


Process #9: svchost.exe

ID 9

Filename c:\windows\system32\svchost.exe

Command Line C:\Windows\system32\svchost.exe -k netsvcs

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 115359, Reason: Child Process

Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout

Monitor Duration 175.23s

Return Code Unknown

PID 860

Parent PID 456

Bitness 64 Bit


Process #10: svchost.exe

ID 10

Filename c:\windows\system32\svchost.exe

Command Line C:\Windows\system32\svchost.exe -k LocalService

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 115359, Reason: Child Process

Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout

Monitor Duration 175.23s

Return Code Unknown

PID 1012

Parent PID 456

Bitness 64 Bit


Process #11: svchost.exe

ID 11

Filename c:\windows\system32\svchost.exe

Command Line C:\Windows\system32\svchost.exe -k NetworkService

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 115359, Reason: Child Process

Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout

Monitor Duration 175.23s

Return Code Unknown

PID 648

Parent PID 456

Bitness 64 Bit


Process #12: spoolsv.exe

ID 12

Filename c:\windows\system32\spoolsv.exe

Command Line C:\Windows\System32\spoolsv.exe

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 115359, Reason: Child Process

Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout

Monitor Duration 175.23s

Return Code Unknown

PID 1168

Parent PID 456

Bitness 64 Bit


Process #13: taskhost.exe

ID 13

Filename c:\windows\system32\taskhost.exe

Command Line "taskhost.exe"

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 115359, Reason: Child Process

Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout

Monitor Duration 175.23s

Return Code Unknown

PID 1224

Parent PID 456

Bitness 64 Bit


Process #14: svchost.exe

ID 14

Filename c:\windows\system32\svchost.exe

Command Line C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 115359, Reason: Child Process

Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout

Monitor Duration 175.23s

Return Code Unknown

PID 1248

Parent PID 456

Bitness 64 Bit


Process #15: officeclicktorun.exe

ID 15

Filename c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe

Command Line "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 115359, Reason: Child Process

Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout

Monitor Duration 175.23s

Return Code Unknown

PID 1504

Parent PID 456

Bitness 64 Bit


Process #16: taskhost.exe

ID 16

Filename c:\windows\system32\taskhost.exe

Command Line taskhost.exe $(Arg0)

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 115359, Reason: Child Process

Unmonitor End Time End Time: 212995, Reason: Terminated

Monitor Duration 97.64s

Return Code 0

PID 1396

Parent PID 456

Bitness 64 Bit


Process #17: svchost.exe

ID 17

Filename c:\windows\system32\svchost.exe

Command Line C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 115359, Reason: Child Process

Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout

Monitor Duration 175.23s

Return Code Unknown

PID 1044

Parent PID 456

Bitness 64 Bit


Process #18: sppsvc.exe

ID 18

Filename c:\windows\system32\sppsvc.exe

Command Line C:\Windows\system32\sppsvc.exe

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 115359, Reason: Child Process

Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout

Monitor Duration 175.23s

Return Code Unknown

PID 2076

Parent PID 456

Bitness 64 Bit


Process #19: wmiapsrv.exe

ID 19

Filename c:\windows\system32\wbem\wmiapsrv.exe

Command Line C:\Windows\system32\wbem\WmiApSrv.exe

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 115359, Reason: Child Process

Unmonitor End Time End Time: 229366, Reason: Terminated

Monitor Duration 114.01s

Return Code 0

PID 3240

Parent PID 456

Bitness 64 Bit


Process #20: trustedinstaller.exe

ID 20

Filename c:\windows\servicing\trustedinstaller.exe

Command Line C:\Windows\servicing\TrustedInstaller.exe

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 116049, Reason: Child Process

Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout

Monitor Duration 174.54s

Return Code Unknown

PID 3928

Parent PID 456

Bitness 64 Bit


Process #21: sc.exe

ID 21

Filename c:\windows\system32\sc.exe

Command Line "C:\Windows\System32\sc.exe" stop WinDefend

Initial Working Directory C:\Windows\System32\

Monitor Start Time Start Time: 125718, Reason: Child Process

Unmonitor End Time End Time: 128339, Reason: Terminated

Monitor Duration 2.62s

Return Code 1062 (ERROR_SERVICE_NOT_ACTIVE: the service has not been started, so the stop request did not change anything)

PID 3968

Parent PID 3916

Bitness 64 Bit

Host Behavior

Type Count

System 3

Module 1

File 3

- 3


Process #22: advancedrun.exe

ID 22

Filename c:\users\keecfmwgj\appdata\local\temp\advancedrun.exe

Command Line "C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run

Initial Working Directory C:\Users\kEecfMwgj\Desktop\

Monitor Start Time Start Time: 126443, Reason: Child Process

Unmonitor End Time End Time: 130204, Reason: Terminated

Monitor Duration 3.76s

Return Code 0

PID 3996

Parent PID 3820

Bitness 32 Bit

Host Behavior

Type Count

Module 237

System 2

Process 469

User 2

- 28

Environment 1

- 4


Process #23: powershell.exe

ID 23

Filename c:\windows\system32\windowspowershell\v1.0\powershell.exe

Command Line "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse

Initial Working Directory C:\Windows\System32\WindowsPowerShell\v1.0\

Monitor Start Time Start Time: 128734, Reason: Child Process

Unmonitor End Time End Time: 205757, Reason: Terminated

Monitor Duration 77.02s

Return Code 0

PID 4016

Parent PID 3996

Bitness 64 Bit

Host Behavior

Type Count

System 14

Module 4

File 355

Environment 19

Registry 31

- 23


Process #24: wscript.exe

ID 24

Filename c:\windows\syswow64\wscript.exe

Command Line "C:\Windows\System32\WScript.exe" "C:\Users\kEecfMwgj\AppData\Local\Temp\zRtceyajbxffti.vbs"

Initial Working Directory C:\Users\kEecfMwgj\Desktop\

Monitor Start Time Start Time: 143806, Reason: Child Process

Unmonitor End Time End Time: 156867, Reason: Terminated

Monitor Duration 13.06s

Return Code 0

PID 4068

Parent PID 3820

Bitness 32 Bit

Host Behavior

Type Count

System 15

Module 22

Registry 27

- 1

Window 2

COM 5

File 4

Process 1


Process #25: kvfwecxf.or3.exe

ID 25

Filename c:\users\keecfmwgj\appdata\local\temp\kvfwecxf.or3.exe

Command Line C:\Users\kEecfMwgj\AppData\Local\Temp\Kvfwecxf.OR3.exe

Initial Working Directory C:\Users\kEecfMwgj\Desktop\

Monitor Start Time Start Time: 148624, Reason: Child Process

Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout

Monitor Duration 141.97s

Return Code Unknown

PID 2860

Parent PID 3820

Bitness 32 Bit

Injection Information (6)

Injection Type | Source Process | Source / Target TID | Address / Name | Size | Success Count

Modify Memory | #1: c:\users\keecfmwgj\desktop\kvfwecxf.or3.exe | 0xef0 | 0x400000 (4194304) | 0x200 | 1

Modify Memory | #1: c:\users\keecfmwgj\desktop\kvfwecxf.or3.exe | 0xef0 | 0x402000 (4202496) | 0x35800 | 1

Modify Memory | #1: c:\users\keecfmwgj\desktop\kvfwecxf.or3.exe | 0xef0 | 0x438000 (4423680) | 0x600 | 1

Modify Memory | #1: c:\users\keecfmwgj\desktop\kvfwecxf.or3.exe | 0xef0 | 0x43a000 (4431872) | 0x200 | 1

Modify Memory | #1: c:\users\keecfmwgj\desktop\kvfwecxf.or3.exe | 0xef0 | 0x7efde008 (2130567176) | 0x4 | 1

Modify Control Flow | #1: c:\users\keecfmwgj\desktop\kvfwecxf.or3.exe | 0xef0 / 0xb30 | - | - | 1
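The six injection records above are the classic process-hollowing sequence: a 0x200-byte write of PE headers at 0x400000, section bodies written above it, a 4-byte write at 0x7efde008 (0x7efde000 is the 32-bit PEB of the child, and offset 0x8 in the PEB is ImageBaseAddress), and finally a thread-context change so the resumed thread starts in the new image. The script below is an added example, not VMRay code: it transcribes these records and classifies them, treating the PEB offset and the 64 KiB image-base alignment as Windows facts rather than anything the report states, and it also works without the base/PEB hints by inferring them from alignment.

```python
"""Recognise process hollowing from memory-injection records.

Added example, not VMRay code. RECORDS is transcribed from the report's
Injection Information table (process #1 writing into process #25). The PEB
layout constants are 32-bit Windows facts, not taken from the report.
"""
from dataclasses import dataclass
from typing import Optional

PEB_IMAGE_BASE_OFFSET = 0x8    # PEB.ImageBaseAddress in the 32-bit PEB
PE_HEADER_WRITE = 0x200        # DOS stub + PE headers: one 512-byte file unit
IMAGE_WINDOW = 0x1000000       # writes within 16 MiB above the base are sections


@dataclass(frozen=True)
class Injection:
    kind: str                  # "write" (WriteProcessMemory-style) or "set_context"
    address: Optional[int] = None
    size: Optional[int] = None


RECORDS = [
    Injection("write", 0x400000, 0x200),     # PE headers at the image base
    Injection("write", 0x402000, 0x35800),   # section bodies
    Injection("write", 0x438000, 0x600),
    Injection("write", 0x43a000, 0x200),
    Injection("write", 0x7efde008, 0x4),     # 0x7efde000 + 8: PEB.ImageBaseAddress
    Injection("set_context"),                # thread context altered: new entry point
]


def guess_image_base(records) -> Optional[int]:
    """Lowest 64 KiB-aligned address that received a header-sized write."""
    cands = [r.address for r in records
             if r.kind == "write" and r.size == PE_HEADER_WRITE
             and r.address % 0x10000 == 0]
    return min(cands) if cands else None


def classify(records, image_base=None, peb_base=None):
    """Return (is_hollowing, reasons). image_base/peb_base are optional hints;
    without them the base is inferred and the PEB write matched by alignment."""
    if image_base is None:
        image_base = guess_image_base(records)
    writes = [r for r in records if r.kind == "write"]
    reasons = []

    header = image_base is not None and any(
        r.address == image_base and r.size == PE_HEADER_WRITE for r in writes)
    if header:
        reasons.append(f"PE headers written at image base {image_base:#x}")

    if image_base is not None:
        sections = [r for r in writes
                    if image_base < r.address < image_base + IMAGE_WINDOW]
        if sections:
            total = sum(r.size for r in sections)
            reasons.append(f"{len(sections)} section writes ({total:#x} bytes) above the base")

    def peb_patch(r):
        if r.size != 4:
            return False
        if peb_base is not None:
            return r.address == peb_base + PEB_IMAGE_BASE_OFFSET
        # Heuristic: the PEB is page-aligned and lies outside the injected image.
        in_image = image_base is not None and image_base <= r.address < image_base + IMAGE_WINDOW
        return (r.address - PEB_IMAGE_BASE_OFFSET) % 0x1000 == 0 and not in_image

    peb = any(peb_patch(r) for r in writes)
    if peb:
        reasons.append("4-byte write to PEB.ImageBaseAddress (PEB + 0x8)")

    context = any(r.kind == "set_context" for r in records)
    if context:
        reasons.append("thread context modified (entry point redirected)")

    # Hollowing = a new image mapped over the base plus the hand-off (PEB fix-up
    # or context change) that makes the resumed thread execute it.
    return header and (peb or context), reasons


if __name__ == "__main__":
    is_hollow, why = classify(RECORDS, image_base=0x400000, peb_base=0x7efde000)
    print("process hollowing" if is_hollow else "no hollowing pattern")
    for line in why:
        print(" -", line)
```

The header write alone is not enough for a verdict (a legitimate loader or debugger can touch a child's image), so the classifier insists on the hand-off step as well; here both the PEB fix-up and the context change are present, which is why the report separately lists "modifies memory" and "alters context" for the same #1 -> #25 pair.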

Host Behavior

Type Count

Registry 124

File 128

Module 53

Window 6

System 16

User 4

- 30

COM 52

Environment 26

- 2

Mutex 2


Network Behavior

Type Count

DNS 2

TCP 1


Process #26: powershell.exe

ID 26

Filename c:\windows\syswow64\windowspowershell\v1.0\powershell.exe

Command Line "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\

Initial Working Directory C:\Users\kEecfMwgj\Desktop\

Monitor Start Time Start Time: 155341, Reason: Child Process

Unmonitor End Time End Time: 197668, Reason: Terminated

Monitor Duration 42.33s

Return Code 1

PID 2928

Parent PID 4068

Bitness 32 Bit

Host Behavior

Type Count

System 48

Module 4

File 862

Environment 26

Registry 64

- 44


Process #29: wmiapsrv.exe

ID 29

Filename c:\windows\system32\wbem\wmiapsrv.exe

Command Line C:\Windows\system32\wbem\WmiApSrv.exe

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 229603, Reason: Child Process

Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout

Monitor Duration 60.99s

Return Code Unknown

PID 2680

Parent PID 456

Bitness 64 Bit


ARTIFACTS

File

SHA256 | Filenames | Category | Filesize | MIME Type | Operations | Verdict

275a1d8d7ae6503b4aac7a8636bcab66e3bfa0bb57215a1e1205107c1e854809 | C:\Users\kEecfMwgj\Desktop\Kvfwecxf.OR3.exe, C:\Users\kEecfMwgj\AppData\Local\Temp\Kvfwecxf.OR3.exe | Sample File | 292.00 KB | application/vnd.microsoft.portable-executable | Create, Access, Write | MALICIOUS

29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b | C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe | Dropped File | 88.87 KB | application/vnd.microsoft.portable-executable | Create, Access, Write, Delete | SUSPICIOUS

c14774447472f5eec655d2046e6e4930b3bed4877de328d4f8a58416b7144db2 | C:\Users\kEecfMwgj\AppData\Local\Temp\zRtceyajbxffti.vbs | Dropped File | 92 bytes | text/plain | Create, Access, Write | CLEAN

Filename

Filename | Category | Operations | Verdict

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | Accessed File | Access, Read | CLEAN

C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config | Accessed File | Access | CLEAN

C:\Users\kEecfMwgj\Desktop\Kvfwecxf.OR3.exe.config | Accessed File | Access | CLEAN

C:\Users\kEecfMwgj\Desktop\Kvfwecxf.OR3.exe | Sample File | Access | CLEAN

C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe | Dropped File | Create, Access, Write, Delete | CLEAN

C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.cfg | Accessed File | Access, Read | CLEAN

C:\Program Files (x86)\Internet Explorer\iexplore.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Common Files\yet.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows Photo Viewer\business.exe | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\recently.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows NT\force_thousand_come.exe | Accessed File | Access | CLEAN

C:\Program Files\Windows Sidebar\heat-nothing-hotel.exe | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\to_seem.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows Mail\news_act_figure.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\MSBuild\millionway.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows Sidebar\take_often_kid.exe | Accessed File | Access | CLEAN

C:\Program Files\Windows NT\game.exe | Accessed File | Access | CLEAN

C:\Program Files\Reference Assemblies\speech kind.exe | Accessed File | Access | CLEAN


C:\Program Files\Internet Explorer\whostrong.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows Defender\story-especially.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\\sure all.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows Mail\boy ever.exe | Accessed File | Access | CLEAN

C:\Program Files\MSBuild\toward.exe | Accessed File | Access | CLEAN

C:\Program Files\Windows Media Player\range_citizen.exe | Accessed File | Access | CLEAN

C:\Program Files\Internet Explorer\hear whether former.exe | Accessed File | Access | CLEAN

C:\Program Files\Uninstall Information\but-audience-teacher.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows Sidebar\alftp.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows NT\3dftp.exe | Accessed File | Access | CLEAN

C:\Program Files\Internet Explorer\absolutetelnet.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows Media Player\barca.exe | Accessed File | Access | CLEAN

C:\Program Files\Microsoft Office 15\bitkinex.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Internet Explorer\coreftp.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows Photo Viewer\far.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Reference Assemblies\filezilla.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Common Files\flashfxp.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Microsoft Office\fling.exe | Accessed File | Access | CLEAN

C:\Program Files\Windows Mail\foxmailincmail.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows Media Player\gmailnotifierpro.exe | Accessed File | Access | CLEAN

C:\Program Files\\icq.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Microsoft OneDrive\ncftp.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\leechftp.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\notepad.exe | Accessed File | Access | CLEAN

C:\Program Files\Windows Portable Devices\operamail.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Common Files\outlook.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Reference Assemblies\pidgin.exe | Accessed File | Access | CLEAN

C:\Program Files\Uninstall Information\scriptftp.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Microsoft.NET\skype.exe | Accessed File | Access | CLEAN


C:\Program Files (x86)\Reference Assemblies\smartftp.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows Portable Devices\thunderbird.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows NT\trillian.exe | Accessed File | Access | CLEAN

C:\Program Files\MSBuild\webdrive.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows Media Player\whatsapp.exe | Accessed File | Access | CLEAN

C:\Program Files\Uninstall Information\winscp.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows Media Player\yahoomessenger.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows NT\active-charge.exe | Accessed File | Access | CLEAN

C:\Program Files\Windows Portable Devices\accupos.exe | Accessed File | Access | CLEAN

C:\Program Files\MSBuild\afr38.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Internet Explorer\aldelo.exe | Accessed File | Access | CLEAN

C:\Program Files\Windows Portable Devices\ccv_server.exe | Accessed File | Access | CLEAN

C:\Program Files\Windows Mail\centralcreditcard.exe | Accessed File | Access | CLEAN

C:\Program Files\Internet Explorer\creditservice.exe | Accessed File | Access | CLEAN

C:\Program Files\Reference Assemblies\edcsvr.exe | Accessed File | Access | CLEAN

C:\Program Files\Windows Mail\fpos.exe | Accessed File | Access | CLEAN

C:\Program Files\DVD Maker\isspos.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows Defender\mxslipstream.exe | Accessed File | Access | CLEAN

C:\Program Files\Windows Mail\omnipos.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows Mail\spcwin.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Microsoft Office\spgagentservice.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows Sidebar\utg2.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows Sidebar\help_against_deep.exe | Accessed File | Access | CLEAN

C:\Program Files\Uninstall Information\blood_book_until.exe | Accessed File | Access | CLEAN

C:\Program Files\Windows Mail\picture.exe | Accessed File | Access | CLEAN

C:\Program Files (x86)\Windows Sidebar\until choose physical.exe | Accessed File | Access | CLEAN

C:\Users\kEecfMwgj\AppData\Local\Temp\zRtceyajbxffti.vbs | Dropped File | Create, Access, Write | CLEAN

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Itself.exe | Accessed File | Access | CLEAN

C:\Users\kEecfMwgj\AppData\Local\Temp\Kvfwecxf.OR3.exe | Sample File | Create, Access, Write | CLEAN


C:\Windows\SysWOW64\WScript.exe | Accessed File | Access | CLEAN

C:\Users\kEecfMwgj\AppData\Local\Temp\Kvfwecxf.OR3.exe.config | Accessed File | Access | CLEAN

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Accessed File | Access | CLEAN

C:\Users\kEecfMwgj\Desktop\%SystemRoot%\system32\WindowsPowerShell\v1.0\ | Accessed File | Access | CLEAN

C:\Windows\system32 | Accessed File | Access | CLEAN

C:\Windows | Accessed File | Access | CLEAN

C:\Windows\System32\Wbem | Accessed File | Access | CLEAN

C:\Windows\System32\WindowsPowerShell\v1.0\ | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\Modules.psd1 | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\Modules.psm1 | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\Modules.cdxml | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\Modules.xaml | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\Modules.ni.dll | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\Modules.dll | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PackageManagement | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | Accessed File | Access, Read | CLEAN

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1 | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1 | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.ni.dll | Accessed File | Access | CLEAN


C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | Accessed File | Access, Read | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PowerShellGet.psd1 | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en\PowerShellGet.psd1 | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 | Accessed File | Access, Read | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Format.ps1xml | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Resource.psd1 | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGetModuleInfo. | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1 | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1 | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.ni.dll | Accessed File | Access | CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll | Accessed File | Access | CLEAN

C:\Users\kEecfMwgj\Documents\WindowsPowerShell\Modules | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.psd1 | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.psm1 | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.cdxml | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.xaml | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.ni.dll | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.dll | Accessed File | Access | CLEAN


C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | Accessed File | Access, Read | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1 | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1 | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.ni.dll | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | Accessed File | Access, Read | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PowerShellGet.psd1 | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en\PowerShellGet.psd1 | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 | Accessed File | Access, Read | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Format.ps1xml | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Resource.psd1 | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGetModuleInfo.xml | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1 | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1 | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.ni.dll | Accessed File | Access | CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll | Accessed File | Access | CLEAN


C:\Windows\system32\WindowsPowerShell\v1.0\Modules | Accessed File | Access | CLEAN

C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.psd1 | Accessed File | Access | CLEAN

C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.psm1 | Accessed File | Access | CLEAN

C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.cdxml | Accessed File | Access | CLEAN

C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.xaml | Accessed File | Access | CLEAN

C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.ni.dll | Accessed File | Access | CLEAN

Reduced dataset

URL

URL | Category | IP Address | Country | HTTP Methods | Verdict

http://launcher.worldofwarcraft.com/alert | | 137.221.106.103 | | GET | CLEAN

Domain

Domain | IP Address | Country | Protocols | Verdict

launcher.worldofwarcraft.com | 137.221.106.103 | | DNS, HTTP | CLEAN

smtp.oneoceanmaritimes.com | 208.91.199.224, 208.91.199.223, 208.91.198.143, 208.91.199.225 | | DNS | CLEAN

us2.smtp.mailhostbox.com | 208.91.199.224, 208.91.198.143, 208.91.199.223, 208.91.199.225 | | DNS | CLEAN

IP

IP Address | Domains | Country | Protocols | Verdict

208.91.198.143 | smtp.oneoceanmaritimes.com, us2.smtp.mailhostbox.com | United States | DNS | MALICIOUS

192.168.0.1 | - | | DNS, UDP | CLEAN

137.221.106.103 | launcher.worldofwarcraft.com | United Kingdom | DNS, TCP, HTTP | CLEAN

208.91.199.225 | smtp.oneoceanmaritimes.com, us2.smtp.mailhostbox.com | United States | DNS, TCP | CLEAN

208.91.199.223 | smtp.oneoceanmaritimes.com, us2.smtp.mailhostbox.com | United States | DNS | CLEAN

208.91.199.224 | smtp.oneoceanmaritimes.com, us2.smtp.mailhostbox.com | United States | DNS | CLEAN

Email

-

Email Address

-


Mutex

Name | Operations | Parent Process Name | Verdict

Ojimkn | access | kvfwecxf.or3.exe | CLEAN

Registry

Registry Key | Operations | Parent Process Name | Verdict

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext | access | powershell.exe, kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE | access | powershell.exe, kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseHttpPipeliningAndBufferPooling | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseHttpPipeliningAndBufferPooling | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseSafeSynchronousClose | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseSafeSynchronousClose | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseStrictRfcInterimResponseHandling | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictRfcInterimResponseHandling | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowDangerousUnicodeDecompositions | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowDangerousUnicodeDecompositions | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.UseStrictIPv6AddressParsing | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictIPv6AddressParsing | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowAllUriEncodingExpansion | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowAllUriEncodingExpansion | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord | access | kvfwecxf.or3.exe | CLEAN


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\RequireCertificateEKUs | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet\Connections | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\\Settings | create, access | wscript.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | create, access | wscript.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\IgnoreUserSettings | access, read | wscript.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Enabled | access, read | wscript.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled | access, read | wscript.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses | access, read | wscript.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses | access, read | wscript.exe | CLEAN


HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\TrustPolicy | access, read | wscript.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER | access, read | wscript.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\TrustPolicy | access, read | wscript.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER | access, read | wscript.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Timeout | access, read | wscript.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\DisplayLogo | access, read | wscript.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout | access, read | wscript.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo | access, read | wscript.exe | CLEAN

HKEY_CLASSES_ROOT\.vbs | access, read | wscript.exe | CLEAN

HKEY_CLASSES_ROOT\VBSFile\ScriptEngine | access, read | wscript.exe | CLEAN

HKEY_PERFORMANCE_DATA | access | powershell.exe, kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Impersonation Level | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Namespace | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging | access | powershell.exe | CLEAN

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging | access | powershell.exe | CLEAN

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | access | powershell.exe | CLEAN

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\__PSLockdownPolicy | access, read | powershell.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine | access | powershell.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine\ApplicationBase | access, read | powershell.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\RealVNC\WinVNC4 | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\RealVNC\WinVNC4 | access | kvfwecxf.or3.exe | CLEAN


HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\SOFTWARE\RealVNC\vncserver | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\SOFTWARE\RealVNC\WinVNC4 | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3 | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\ORL\WinVNC3 | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\TightVNC\ | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\TightVNC\Server | access | kvfwecxf.or3.exe | CLEAN

HKEY_LOCAL_MACHINE\Software\TigerVNC\Server | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\TigerVNC\Server | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676 | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMAP Password | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\POP3 Password | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HTTP Password | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SMTP Password | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email | access, read | kvfwecxf.or3.exe | CLEAN


HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Password | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMAP Password | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 Password | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HTTP Password | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Password | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1 | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\OpenVPN-GUI\configs | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\IncrediMail\Identities | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites\Host | access, read | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\RimArts\B2\Settings | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions | access | kvfwecxf.or3.exe | CLEAN

HKEY_CURRENT_USER\Software\DownloadManager\Passwords | access | kvfwecxf.or3.exe | CLEAN


Process

Process Name | Commandline | Verdict

advancedrun.exe | "C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run | MALICIOUS

kvfwecxf.or3.exe | "C:\Users\kEecfMwgj\Desktop\Kvfwecxf.OR3.exe" | SUSPICIOUS

sc.exe | "C:\Windows\System32\sc.exe" stop WinDefend | SUSPICIOUS

advancedrun.exe | "C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run | SUSPICIOUS

kvfwecxf.or3.exe | C:\Users\kEecfMwgj\AppData\Local\Temp\Kvfwecxf.OR3.exe | SUSPICIOUS

System | | CLEAN

services.exe | C:\Windows\system32\services.exe | CLEAN

svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | CLEAN

svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS | CLEAN

svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | CLEAN

svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | CLEAN

svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | CLEAN

svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | CLEAN

svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService | CLEAN

spoolsv.exe | C:\Windows\System32\spoolsv.exe | CLEAN

taskhost.exe | "taskhost.exe" | CLEAN

svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | CLEAN

officeclicktorun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | CLEAN

taskhost.exe | taskhost.exe $(Arg0) | CLEAN

svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | CLEAN

sppsvc.exe | C:\Windows\system32\sppsvc.exe | CLEAN

wmiapsrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe | CLEAN

trustedinstaller.exe | C:\Windows\servicing\TrustedInstaller.exe | CLEAN

powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse | CLEAN

wscript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\kEecfMwgj\AppData\Local\Temp\zRtceyajbxffti.vbs" | CLEAN

powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\ | CLEAN


YARA / AV

No YARA or AV matches available.


ENVIRONMENT

Virtual Machine Information

Name win7_64_sp1_en_mso2016

Description win7_64_sp1_en_mso2016

Architecture x86 64-bit

Operating System

Kernel Version 6.1.7601.18741 (2e37f962-d699-492c-aaf3-f9f4e9770b1d)

Network Scheme Name Local Gateway

Network Config Name Local Gateway

Analyzer Information

Analyzer Version 4.1.1

Dynamic Engine Version 4.1.1 / 02/08/2021 15:19

Static Engine Version 1.6.0

Built-in AV Version AVCORE v2.2 /x86_64 11.0.1.19 (November 12, 2020)

Built-in AV Database Update Release Date 2021-05-03 03:30:35+00:00

VTI Ruleset Version 3.8

YARA Built-in Ruleset Version 1.5

Analysis Report Layout Version 10

Software Information

Adobe Acrobat Reader Version Not installed

Microsoft Office 2016

Microsoft Office Version 16.0.4266.1003

Internet Explorer Version 8.0.7601.17514

Chrome Version Not installed

Firefox Version Not installed

Flash Version Not installed

Java Version Not installed
