DYNAMIC ANALYSIS REPORT #1298037
Classifications: Spyware
MALICIOUS Threat Names: C2/Generic-A
Verdict Reason: -
Sample Type Windows Exe (x86-32)
Sample Name Kvfwecxf.OR3.exe
ID #451118
MD5 aa4ac54f3132c970ded1551ef80872d6
SHA1 1d9bd7dac63323412ef02cba15acfa9632406b3d
SHA256 275a1d8d7ae6503b4aac7a8636bcab66e3bfa0bb57215a1e1205107c1e854809
File Size 292.00 KB
Report Created 2021-05-03 09:37 (UTC+2)
Target Environment win7_64_sp1_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 53 DYNAMIC ANALYSIS REPORT #1298037
OVERVIEW
VMRay Threat Identifiers (29 rules, 88 matches)
Score Category Operation Count Classification
5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware
• Tries to read sensitive data of: Flock, Mozilla Firefox, Microsoft Outlook, Opera Mail, Opera, Ipswitch WS_FTP, k-Meleon, Internet Explorer, Postbox, TigerVNC, Pocomail, Internet Download Manager, BlackHawk, Cyberfox, IncrediMail, The Bat!, TightVNC, Comodo IceDragon, FileZilla, WinSCP, Internet Explorer / Edge, CoreFTP, OpenVPN, SeaMonkey, Mozilla Thunderbird, FTP Navigator.
4/5 Defense Evasion Tries to disable antivirus software 2 -
• (Process #21) sc.exe stops a service related to Windows Defender via ControlService (API).
• (Process #2) advancedrun.exe stops a service related to Windows Defender via the sc.exe utility.
4/5 Reputation Contacts known malicious IP address 1 -
• Reputation analysis labels the contacted IP address 208.91.198.143 as "C2/Generic-A".
2/5 Privilege Escalation Enables critical process privilege 2 -
• (Process #2) advancedrun.exe enables critical process privilege "SeImpersonatePrivilege".
• (Process #22) advancedrun.exe enables critical process privilege "SeImpersonatePrivilege".
2/5 Hide Tracks Deletes file after execution 1 -
• (Process #1) kvfwecxf.or3.exe deletes executed executable "c:\users\keecfmwgj\appdata\local\temp\advancedrun.exe".
2/5 Data Collection Reads sensitive browser data 9 -
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Opera" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "BlackHawk" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Mozilla Firefox" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Flock" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "k-Meleon" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Cyberfox" by file.
• (Process #25) kvfwecxf.or3.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Comodo IceDragon" by file.
2/5 Data Collection Reads sensitive application data 6 -
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "TightVNC" by registry.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "TigerVNC" by registry.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "SeaMonkey" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "OpenVPN" by registry.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "WinSCP" by registry.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "Internet Download Manager" by registry.
2/5 Data Collection Reads sensitive mail data 7 -
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "Opera Mail" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "IncrediMail" by registry.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "The Bat!" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "Pocomail" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "Postbox" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "Mozilla Thunderbird" by file.
2/5 Data Collection Reads sensitive ftp data 5 -
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "Ipswitch WS_FTP" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "CoreFTP" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "CoreFTP" by registry.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "FTP Navigator" by file.
• (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "FileZilla" by file.
2/5 Discovery Queries OS version via WMI 1 -
• (Process #25) kvfwecxf.or3.exe queries OS version via WMI.
2/5 Discovery Executes WMI query 2 -
• (Process #25) kvfwecxf.or3.exe executes WMI query: select * from Win32_OperatingSystem.
• (Process #25) kvfwecxf.or3.exe executes WMI query: SELECT * FROM Win32_Processor.
2/5 Discovery Collects hardware properties 1 -
• (Process #25) kvfwecxf.or3.exe queries hardware properties via WMI.
2/5 Anti Analysis Tries to detect virtual machine 1 -
• Multiple processes are possibly trying to detect a VM via rdtsc.
2/5 Injection Writes into the memory of a process running from a created or modified executable 1 -
• (Process #1) kvfwecxf.or3.exe modifies memory of (process #25) kvfwecxf.or3.exe.
2/5 Injection Modifies control flow of a process running from a created or modified executable 1 -
• (Process #1) kvfwecxf.or3.exe alters context of (process #25) kvfwecxf.or3.exe.
1/5 Privilege Escalation Enables process privilege 4 -
• (Process #1) kvfwecxf.or3.exe enables process privilege "SeDebugPrivilege".
• (Process #2) advancedrun.exe enables process privilege "SeDebugPrivilege".
• (Process #22) advancedrun.exe enables process privilege "SeDebugPrivilege".
• (Process #25) kvfwecxf.or3.exe enables process privilege "SeDebugPrivilege".
1/5 Hide Tracks Creates process with hidden window 6 -
• (Process #1) kvfwecxf.or3.exe starts (process #2) advancedrun.exe with a hidden window.
• (Process #2) advancedrun.exe starts (process #21) sc.exe with a hidden window.
• (Process #1) kvfwecxf.or3.exe starts (process #22) advancedrun.exe with a hidden window.
• (Process #22) advancedrun.exe starts (process #23) powershell.exe with a hidden window.
• (Process #1) kvfwecxf.or3.exe starts (process #25) kvfwecxf.or3.exe with a hidden window.
• (Process #24) wscript.exe starts (process #24) wscript.exe with a hidden window.
1/5 Discovery Enumerates running processes 3 -
• (Process #2) advancedrun.exe enumerates running processes.
• (Process #22) advancedrun.exe enumerates running processes.
• (Process #1) kvfwecxf.or3.exe enumerates running processes.
1/5 Mutex Creates mutex 1 -
• (Process #1) kvfwecxf.or3.exe creates mutex with name "Ojimkn".
1/5 Obfuscation Reads from memory of another process 1 -
• (Process #1) kvfwecxf.or3.exe reads from (process #25) kvfwecxf.or3.exe.
1/5 Obfuscation Creates a page with write and execute permissions 1 -
• (Process #1) kvfwecxf.or3.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
1/5 Discovery Possibly does reconnaissance 22 -
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "RealVNC" by registry.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "TightVNC" by registry.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "TigerVNC" by registry.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Foxmail" by registry.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "blackHawk" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Opera Mail" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "SeaMonkey" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "WS_FTP" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "CoreFTP" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "icecat" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "FTP Navigator" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Mozilla Firefox" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "FileZilla" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Flock" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Qualcomm Eudora" by registry.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "k-Meleon" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "The Bat!" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "WinSCP" by registry.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Pocomail" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Cyberfox" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Postbox" by file.
• (Process #25) kvfwecxf.or3.exe tries to gather information about application "Comodo IceDragon" by file.
1/5 Execution Executes itself 1 -
• (Process #1) kvfwecxf.or3.exe executes a copy of the sample at c:\users\keecfmwgj\desktop\kvfwecxf.or3.exe.
1/5 Execution Drops PE file 1 -
• (Process #1) kvfwecxf.or3.exe drops file "C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe".
1/5 Execution Executes dropped PE file 1 -
• Executes dropped file "C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe".
1/5 Network Connection Performs DNS request 2 -
• (Process #1) kvfwecxf.or3.exe resolves host name "launcher.worldofwarcraft.com" to IP "137.221.106.103".
• (Process #25) kvfwecxf.or3.exe resolves host name "smtp.oneoceanmaritimes.com" to IP "208.91.199.225".
1/5 Network Connection Connects to remote host 2 -
• (Process #1) kvfwecxf.or3.exe opens an outgoing TCP connection to host "137.221.106.103:80".
• (Process #25) kvfwecxf.or3.exe opens an outgoing TCP connection to host "208.91.199.225:587".
1/5 Network Connection Tries to connect using an uncommon port 1 -
• (Process #25) kvfwecxf.or3.exe tries to connect to TCP port 587 at 208.91.199.225.
1/5 Obfuscation Resolves API functions dynamically 1 -
• (Process #25) kvfwecxf.or3.exe resolves 31 API functions by name.
- Trusted Known clean file 1 -
• File "C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe" is a known clean file.
Mitre ATT&CK Matrix
Technique | Name | Tactic
#T1143 | Hidden Window | Defense Evasion
#T1057 | Process Discovery | Discovery
#T1089 | Disabling Security Tools | Defense Evasion
#T1489 | Service Stop | Impact
#T1045 | Software Packing | Defense Evasion
#T1119 | Automated Collection | Collection
#T1081 | Credentials in Files | Credential Access
#T1083 | File and Directory Discovery | Discovery
#T1005 | Data from Local System | Collection
#T1012 | Query Registry | Discovery
#T1214 | Credentials in Registry | Credential Access
#T1003 | Credential Dumping | Credential Access
#T1047 | Windows Management Instrumentation | Execution
#T1082 | System Information Discovery | Discovery
#T1497 | Virtualization/Sandbox Evasion | Defense Evasion, Discovery
#T1124 | System Time Discovery | Discovery
#T1065 | Uncommonly Used Port | Command and Control
Sample Information
ID 1298037
MD5 aa4ac54f3132c970ded1551ef80872d6
SHA1 1d9bd7dac63323412ef02cba15acfa9632406b3d
SHA256 275a1d8d7ae6503b4aac7a8636bcab66e3bfa0bb57215a1e1205107c1e854809
SSDeep 6144:QztzN0bHx5+OM8lbRmS2Gf6HvqSqezEBQjaiG:QztBmRgIY1GSPqzezjGiG
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
Filename Kvfwecxf.OR3.exe
File Size 292.00 KB
Sample Type Windows Exe (x86-32)
Has Macros
Analysis Information
Creation Time 2021-05-03 09:37 (UTC+2)
Analysis Duration 00:04:00
Termination Reason Timeout
Number of Monitored Processes 27
Execution Successful False
Reputation Analysis Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 0
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 0
NETWORK
General
1.48 KB total sent
1.49 KB total received
2 ports 80, 587
3 contacted IP addresses
0 URLs extracted
0 files downloaded
0 malicious hosts detected
DNS
3 DNS requests for 2 domains
1 nameservers contacted
0 total requests returned errors
HTTP/S
1 URLs contacted, 1 servers
1 sessions, 215 bytes sent, 638 bytes received
DNS Requests
Type | Hostname | Response Code | Resolved IPs | CNames | Verdict
A | launcher.worldofwarcraft.com | NoError | 137.221.106.103 | - | N/A
A | smtp.oneoceanmaritimes.com | NoError | 208.91.199.225, 208.91.199.223, 208.91.198.143, 208.91.199.224 | us2.smtp.mailhostbox.com, us2.smtp.mailhostbox.com | N/A
- | smtp.oneoceanmaritimes.com | - | 208.91.199.225, 208.91.199.223, 208.91.198.143, 208.91.199.224 | - | N/A
HTTP Requests
Method | URL | Dest. IP | Dest. Port | Status Code | Response Size | Verdict
GET | http://launcher.worldofwarcraft.com/alert | - | - | - | 0 bytes | N/A
BEHAVIOR
Process Graph
Sample Start
  #1 kvfwecxf.or3.exe
    #2 advancedrun.exe (Child Process)
      #21 sc.exe (Child Process)
    #22 advancedrun.exe (Child Process)
      #23 powershell.exe (Child Process)
    #24 wscript.exe (Child Process)
      #26 powershell.exe (Child Process)
    #25 kvfwecxf.or3.exe (Child Process, Modify Memory, Modify Control Flow)
Created Daemon
  #3 System
Created Daemon
  #4 services.exe
    #5 svchost.exe (Child Process)
    #6 svchost.exe (Child Process)
    #7 svchost.exe (Child Process)
    #8 svchost.exe (Child Process)
    #9 svchost.exe (Child Process)
    #10 svchost.exe (Child Process)
    #11 svchost.exe (Child Process)
    #12 spoolsv.exe (Child Process)
    #13 taskhost.exe (Child Process)
    #14 svchost.exe (Child Process)
    #15 officeclicktorun.exe (Child Process)
    #16 taskhost.exe (Child Process)
    #17 svchost.exe (Child Process)
    #18 sppsvc.exe (Child Process)
    #19 wmiapsrv.exe (Child Process)
    #20 trustedinstaller.exe (Child Process)
    #29 wmiapsrv.exe (Child Process)
Process #1: kvfwecxf.or3.exe
ID 1
Filename c:\users\keecfmwgj\desktop\kvfwecxf.or3.exe
Command Line "C:\Users\kEecfMwgj\Desktop\Kvfwecxf.OR3.exe"
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 45656, Reason: Analysis Target
Unmonitor End Time End Time: 154413, Reason: Terminated
Monitor Duration 108.76s
Return Code 0
PID 3820
Parent PID 1120
Bitness 32 Bit
Dropped Files (3)
Filename | File Size | SHA256 | YARA Match
C:\Users\kEecfMwgj\AppData\Local\Temp\Kvfwecxf.OR3.exe | 292.00 KB | 275a1d8d7ae6503b4aac7a8636bcab66e3bfa0bb57215a1e1205107c1e854809 | -
C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe | 88.87 KB | 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b | -
C:\Users\kEecfMwgj\AppData\Local\Temp\zRtceyajbxffti.vbs | 92 bytes | c14774447472f5eec655d2046e6e4930b3bed4877de328d4f8a58416b7144db2 | -
Host Behavior
Type Count
Registry 50
Process 107
File 34
- 10
User 1
Module 35
System 130
Environment 4
Mutex 1
- 3
- 7
Network Behavior
Type Count
HTTP 1
DNS 1
TCP 1
Process #2: advancedrun.exe
ID 2
Filename c:\users\keecfmwgj\appdata\local\temp\advancedrun.exe
Command Line "C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 113461, Reason: Child Process
Unmonitor End Time End Time: 127398, Reason: Terminated
Monitor Duration 13.94s
Return Code 0
PID 3916
Parent PID 3820
Bitness 32 Bit
Host Behavior
Type Count
Module 237
System 2
Process 469
User 2
- 28
Environment 1
- 4
Process #3: System
ID 3
Filename System
Command Line
Initial Working Directory
Monitor Start Time Start Time: 115359, Reason: Created Daemon
Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout
Monitor Duration 175.23s
Return Code Unknown
PID 4
Parent PID 18446744073709551615
Bitness 64 Bit
Process #4: services.exe
ID 4
Filename c:\windows\system32\services.exe
Command Line C:\Windows\system32\services.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 115359, Reason: Created Daemon
Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout
Monitor Duration 175.23s
Return Code Unknown
PID 456
Parent PID 368
Bitness 64 Bit
Process #5: svchost.exe
ID 5
Filename c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k DcomLaunch
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 115359, Reason: Child Process
Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout
Monitor Duration 175.23s
Return Code Unknown
PID 584
Parent PID 456
Bitness 64 Bit
Process #6: svchost.exe
ID 6
Filename c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k RPCSS
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 115359, Reason: Child Process
Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout
Monitor Duration 175.23s
Return Code Unknown
PID 652
Parent PID 456
Bitness 64 Bit
Process #7: svchost.exe
ID 7
Filename c:\windows\system32\svchost.exe
Command Line C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 115359, Reason: Child Process
Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout
Monitor Duration 175.23s
Return Code Unknown
PID 704
Parent PID 456
Bitness 64 Bit
Process #8: svchost.exe
ID 8
Filename c:\windows\system32\svchost.exe
Command Line C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 115359, Reason: Child Process
Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout
Monitor Duration 175.23s
Return Code Unknown
PID 808
Parent PID 456
Bitness 64 Bit
Process #9: svchost.exe
ID 9
Filename c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k netsvcs
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 115359, Reason: Child Process
Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout
Monitor Duration 175.23s
Return Code Unknown
PID 860
Parent PID 456
Bitness 64 Bit
Process #10: svchost.exe
ID 10
Filename c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalService
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 115359, Reason: Child Process
Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout
Monitor Duration 175.23s
Return Code Unknown
PID 1012
Parent PID 456
Bitness 64 Bit
Process #11: svchost.exe
ID 11
Filename c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k NetworkService
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 115359, Reason: Child Process
Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout
Monitor Duration 175.23s
Return Code Unknown
PID 648
Parent PID 456
Bitness 64 Bit
Process #12: spoolsv.exe
ID 12
Filename c:\windows\system32\spoolsv.exe
Command Line C:\Windows\System32\spoolsv.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 115359, Reason: Child Process
Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout
Monitor Duration 175.23s
Return Code Unknown
PID 1168
Parent PID 456
Bitness 64 Bit
Process #13: taskhost.exe
ID 13
Filename c:\windows\system32\taskhost.exe
Command Line "taskhost.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 115359, Reason: Child Process
Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout
Monitor Duration 175.23s
Return Code Unknown
PID 1224
Parent PID 456
Bitness 64 Bit
Process #14: svchost.exe
ID 14
Filename c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 115359, Reason: Child Process
Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout
Monitor Duration 175.23s
Return Code Unknown
PID 1248
Parent PID 456
Bitness 64 Bit
Process #15: officeclicktorun.exe
ID 15
Filename c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
Command Line "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 115359, Reason: Child Process
Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout
Monitor Duration 175.23s
Return Code Unknown
PID 1504
Parent PID 456
Bitness 64 Bit
Process #16: taskhost.exe
ID 16
Filename c:\windows\system32\taskhost.exe
Command Line taskhost.exe $(Arg0)
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 115359, Reason: Child Process
Unmonitor End Time End Time: 212995, Reason: Terminated
Monitor Duration 97.64s
Return Code 0
PID 1396
Parent PID 456
Bitness 64 Bit
Process #17: svchost.exe
ID 17
Filename c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 115359, Reason: Child Process
Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout
Monitor Duration 175.23s
Return Code Unknown
PID 1044
Parent PID 456
Bitness 64 Bit
Process #18: sppsvc.exe
ID 18
Filename c:\windows\system32\sppsvc.exe
Command Line C:\Windows\system32\sppsvc.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 115359, Reason: Child Process
Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout
Monitor Duration 175.23s
Return Code Unknown
PID 2076
Parent PID 456
Bitness 64 Bit
Process #19: wmiapsrv.exe
ID 19
Filename c:\windows\system32\wbem\wmiapsrv.exe
Command Line C:\Windows\system32\wbem\WmiApSrv.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 115359, Reason: Child Process
Unmonitor End Time End Time: 229366, Reason: Terminated
Monitor Duration 114.01s
Return Code 0
PID 3240
Parent PID 456
Bitness 64 Bit
Process #20: trustedinstaller.exe
ID 20
Filename c:\windows\servicing\trustedinstaller.exe
Command Line C:\Windows\servicing\TrustedInstaller.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 116049, Reason: Child Process
Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout
Monitor Duration 174.54s
Return Code Unknown
PID 3928
Parent PID 456
Bitness 64 Bit
Process #21: sc.exe
ID 21
Filename c:\windows\system32\sc.exe
Command Line "C:\Windows\System32\sc.exe" stop WinDefend
Initial Working Directory C:\Windows\System32\
Monitor Start Time Start Time: 125718, Reason: Child Process
Unmonitor End Time End Time: 128339, Reason: Terminated
Monitor Duration 2.62s
Return Code 1062
PID 3968
Parent PID 3916
Bitness 64 Bit
Host Behavior
Type Count
System 3
Module 1
File 3
- 3
Process #22: advancedrun.exe
ID 22
Filename c:\users\keecfmwgj\appdata\local\temp\advancedrun.exe
Command Line "C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 126443, Reason: Child Process
Unmonitor End Time End Time: 130204, Reason: Terminated
Monitor Duration 3.76s
Return Code 0
PID 3996
Parent PID 3820
Bitness 32 Bit
Host Behavior
Type Count
Module 237
System 2
Process 469
User 2
- 28
Environment 1
- 4
Process #23: powershell.exe
ID 23
Filename c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse
Initial Working Directory C:\Windows\System32\WindowsPowerShell\v1.0\
Monitor Start Time Start Time: 128734, Reason: Child Process
Unmonitor End Time End Time: 205757, Reason: Terminated
Monitor Duration 77.02s
Return Code 0
PID 4016
Parent PID 3996
Bitness 64 Bit
Host Behavior
Type Count
System 14
Module 4
File 355
Environment 19
Registry 31
- 23
Process #24: wscript.exe
ID 24
Filename c:\windows\syswow64\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\Users\kEecfMwgj\AppData\Local\Temp\zRtceyajbxffti.vbs"
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 143806, Reason: Child Process
Unmonitor End Time End Time: 156867, Reason: Terminated
Monitor Duration 13.06s
Return Code 0
PID 4068
Parent PID 3820
Bitness 32 Bit
Host Behavior
Type Count
System 15
Module 22
Registry 27
- 1
Window 2
COM 5
File 4
Process 1
Process #25: kvfwecxf.or3.exe
ID 25
Filename c:\users\keecfmwgj\appdata\local\temp\kvfwecxf.or3.exe
Command Line C:\Users\kEecfMwgj\AppData\Local\Temp\Kvfwecxf.OR3.exe
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 148624, Reason: Child Process
Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout
Monitor Duration 141.97s
Return Code Unknown
PID 2860
Parent PID 3820
Bitness 32 Bit
Injection Information (6)
Injection Type | Source Process | Source / Target TID | Address / Name | Size | Success Count
Modify Memory | #1: c:\users\keecfmwgj\desktop\kvfwecxf.or3.exe | 0xef0 | 0x400000 (4194304) | 0x200 | 1
Modify Memory | #1: c:\users\keecfmwgj\desktop\kvfwecxf.or3.exe | 0xef0 | 0x402000 (4202496) | 0x35800 | 1
Modify Memory | #1: c:\users\keecfmwgj\desktop\kvfwecxf.or3.exe | 0xef0 | 0x438000 (4423680) | 0x600 | 1
Modify Memory | #1: c:\users\keecfmwgj\desktop\kvfwecxf.or3.exe | 0xef0 | 0x43a000 (4431872) | 0x200 | 1
Modify Memory | #1: c:\users\keecfmwgj\desktop\kvfwecxf.or3.exe | 0xef0 | 0x7efde008 (2130567176) | 0x4 | 1
Modify Control Flow | #1: c:\users\keecfmwgj\desktop\kvfwecxf.or3.exe | 0xef0 / 0xb30 | - | - | 1
Host Behavior
Type Count
Registry 124
File 128
Module 53
Window 6
System 16
User 4
- 30
COM 52
Environment 26
- 2
Mutex 2
Network Behavior
Type Count
DNS 2
TCP 1
Process #26: powershell.exe
ID 26
Filename c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 155341, Reason: Child Process
Unmonitor End Time End Time: 197668, Reason: Terminated
Monitor Duration 42.33s
Return Code 1
PID 2928
Parent PID 4068
Bitness 32 Bit
Host Behavior
Type Count
System 48
Module 4
File 862
Environment 26
Registry 64
- 44
Process #29: wmiapsrv.exe
ID 29
Filename c:\windows\system32\wbem\wmiapsrv.exe
Command Line C:\Windows\system32\wbem\WmiApSrv.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 229603, Reason: Child Process
Unmonitor End Time End Time: 290590, Reason: Terminated by Timeout
Monitor Duration 60.99s
Return Code Unknown
PID 2680
Parent PID 456
Bitness 64 Bit
ARTIFACTS
File
SHA256 | Filenames | Category | Filesize | MIME Type | Operations | Verdict
275a1d8d7ae6503b4aac7a8636bcab66e3bfa0bb57215a1e1205107c1e854809 | C:\Users\kEecfMwgj\Desktop\Kvfwecxf.OR3.exe, C:\Users\kEecfMwgj\AppData\Local\Temp\Kvfwecxf.OR3.exe | Sample File | 292.00 KB | application/vnd.microsoft.portable-executable | Create, Access, Write | MALICIOUS
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b | C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe | Dropped File | 88.87 KB | application/vnd.microsoft.portable-executable | Create, Access, Write, Delete | SUSPICIOUS
c14774447472f5eec655d2046e6e4930b3bed4877de328d4f8a58416b7144db2 | C:\Users\kEecfMwgj\AppData\Local\Temp\zRtceyajbxffti.vbs | Dropped File | 92 bytes | text/plain | Create, Access, Write | CLEAN
Filename
Filename Category Operations Verdict
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config Accessed File Access, Read CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config Accessed File Access CLEAN
C:\Users\kEecfMwgj\Desktop\Kvfwecxf.OR3.exe.config Accessed File Access CLEAN
C:\Users\kEecfMwgj\Desktop\Kvfwecxf.OR3.exe Sample File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe Dropped File Create, Access, Write, Delete CLEAN
C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.cfg Accessed File Access, Read CLEAN
C:\Program Files (x86)\Internet Explorer\iexplore.exe Accessed File Access CLEAN
C:\Program Files (x86)\Common Files\yet.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Photo Viewer\business.exe Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\recently.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows NT\force_thousand_come.exe Accessed File Access CLEAN
C:\Program Files\Windows Sidebar\heat-nothing-hotel.exe Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\to_seem.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Mail\news_act_figure.exe Accessed File Access CLEAN
C:\Program Files (x86)\MSBuild\millionway.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Sidebar\take_often_kid.exe Accessed File Access CLEAN
C:\Program Files\Windows NT\game.exe Accessed File Access CLEAN
C:\Program Files\Reference Assemblies\speech kind.exe Accessed File Access CLEAN
C:\Program Files\Internet Explorer\whostrong.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Defender\story-especially.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft Office\sure all.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Mail\boy ever.exe Accessed File Access CLEAN
C:\Program Files\MSBuild\toward.exe Accessed File Access CLEAN
C:\Program Files\Windows Media Player\range_citizen.exe Accessed File Access CLEAN
C:\Program Files\Internet Explorer\hear whether former.exe Accessed File Access CLEAN
C:\Program Files\Uninstall Information\but-audience-teacher.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Sidebar\alftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows NT\3dftp.exe Accessed File Access CLEAN
C:\Program Files\Internet Explorer\absolutetelnet.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Media Player\barca.exe Accessed File Access CLEAN
C:\Program Files\Microsoft Office 15\bitkinex.exe Accessed File Access CLEAN
C:\Program Files (x86)\Internet Explorer\coreftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Photo Viewer\far.exe Accessed File Access CLEAN
C:\Program Files (x86)\Reference Assemblies\filezilla.exe Accessed File Access CLEAN
C:\Program Files (x86)\Common Files\flashfxp.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft Office\fling.exe Accessed File Access CLEAN
C:\Program Files\Windows Mail\foxmailincmail.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Media Player\gmailnotifierpro.exe Accessed File Access CLEAN
C:\Program Files\Windows Journal\icq.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft OneDrive\ncftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\leechftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\notepad.exe Accessed File Access CLEAN
C:\Program Files\Windows Portable Devices\operamail.exe Accessed File Access CLEAN
C:\Program Files (x86)\Common Files\outlook.exe Accessed File Access CLEAN
C:\Program Files (x86)\Reference Assemblies\pidgin.exe Accessed File Access CLEAN
C:\Program Files\Uninstall Information\scriptftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft.NET\skype.exe Accessed File Access CLEAN
C:\Program Files (x86)\Reference Assemblies\smartftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Portable Devices\thunderbird.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows NT\trillian.exe Accessed File Access CLEAN
C:\Program Files\MSBuild\webdrive.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Media Player\whatsapp.exe Accessed File Access CLEAN
C:\Program Files\Uninstall Information\winscp.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Media Player\yahoomessenger.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows NT\active-charge.exe Accessed File Access CLEAN
C:\Program Files\Windows Portable Devices\accupos.exe Accessed File Access CLEAN
C:\Program Files\MSBuild\afr38.exe Accessed File Access CLEAN
C:\Program Files (x86)\Internet Explorer\aldelo.exe Accessed File Access CLEAN
C:\Program Files\Windows Portable Devices\ccv_server.exe Accessed File Access CLEAN
C:\Program Files\Windows Mail\centralcreditcard.exe Accessed File Access CLEAN
C:\Program Files\Internet Explorer\creditservice.exe Accessed File Access CLEAN
C:\Program Files\Reference Assemblies\edcsvr.exe Accessed File Access CLEAN
C:\Program Files\Windows Mail\fpos.exe Accessed File Access CLEAN
C:\Program Files\DVD Maker\isspos.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Defender\mxslipstream.exe Accessed File Access CLEAN
C:\Program Files\Windows Mail\omnipos.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Mail\spcwin.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft Office\spgagentservice.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Sidebar\utg2.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Sidebar\help_against_deep.exe Accessed File Access CLEAN
C:\Program Files\Uninstall Information\blood_book_until.exe Accessed File Access CLEAN
C:\Program Files\Windows Mail\picture.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Sidebar\until choose physical.exe Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Temp\zRtceyajbxffti.vbs Dropped File Create, Access, Write CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Itself.exe Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Temp\Kvfwecxf.OR3.exe Sample File Create, Access, Write CLEAN
C:\Windows\SysWOW64\WScript.exe Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Temp\Kvfwecxf.OR3.exe.config Accessed File Access CLEAN
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Accessed File Access CLEAN
C:\Users\kEecfMwgj\Desktop\%SystemRoot%\system32\WindowsPowerShell\v1.0\ Accessed File Access CLEAN
C:\Windows\system32 Accessed File Access CLEAN
C:\Windows Accessed File Access CLEAN
C:\Windows\System32\Wbem Accessed File Access CLEAN
C:\Windows\System32\WindowsPowerShell\v1.0\ Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Modules.psd1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Modules.psm1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Modules.cdxml Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Modules.xaml Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Modules.ni.dll Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Modules.dll Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 Accessed File Access, Read CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.ni.dll Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 Accessed File Access, Read CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PowerShellGet.psd1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en\PowerShellGet.psd1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 Accessed File Access, Read CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Format.ps1xml Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Resource.psd1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGetModuleInfo.xml Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.ni.dll Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll Accessed File Access CLEAN
C:\Users\kEecfMwgj\Documents\WindowsPowerShell\Modules Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.psd1 Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.psm1 Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.cdxml Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.xaml Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.ni.dll Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.dll Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 Accessed File Access, Read CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1 Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1 Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.ni.dll Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 Accessed File Access, Read CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PowerShellGet.psd1 Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en\PowerShellGet.psd1 Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 Accessed File Access, Read CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Format.ps1xml Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Resource.psd1 Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGetModuleInfo.xml Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1 Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1 Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.ni.dll Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.psd1 Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.psm1 Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.cdxml Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.xaml Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.ni.dll Accessed File Access CLEAN
Reduced dataset
URL
URL Category IP Address Country HTTP Methods Verdict
http://launcher.worldofwarcraft.com/alert 137.221.106.103 GET CLEAN
Domain
Domain IP Address Country Protocols Verdict
launcher.worldofwarcraft.com 137.221.106.103 DNS, HTTP CLEAN
smtp.oneoceanmaritimes.com 208.91.199.224, 208.91.199.223, 208.91.198.143, 208.91.199.225 DNS CLEAN
us2.smtp.mailhostbox.com 208.91.199.224, 208.91.198.143, 208.91.199.223, 208.91.199.225 DNS CLEAN
IP
IP Address Domains Country Protocols Verdict
208.91.198.143 smtp.oneoceanmaritimes.com, us2.smtp.mailhostbox.com United States DNS MALICIOUS
192.168.0.1 - DNS, UDP CLEAN
137.221.106.103 launcher.worldofwarcraft.com United Kingdom DNS, TCP, HTTP CLEAN
208.91.199.225 smtp.oneoceanmaritimes.com, us2.smtp.mailhostbox.com United States DNS, TCP CLEAN
208.91.199.223 smtp.oneoceanmaritimes.com, us2.smtp.mailhostbox.com United States DNS CLEAN
208.91.199.224 smtp.oneoceanmaritimes.com, us2.smtp.mailhostbox.com United States DNS CLEAN
-
Email Address
-
Mutex
Name Operations Parent Process Name Verdict
Ojimkn access kvfwecxf.or3.exe CLEAN
Registry
Registry Key Operations Parent Process Name Verdict
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext access powershell.exe, kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE access powershell.exe, kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseHttpPipeliningAndBufferPooling access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseHttpPipeliningAndBufferPooling access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseSafeSynchronousClose access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseSafeSynchronousClose access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseStrictRfcInterimResponseHandling access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictRfcInterimResponseHandling access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowDangerousUnicodeDecompositions access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowDangerousUnicodeDecompositions access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.UseStrictIPv6AddressParsing access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictIPv6AddressParsing access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowAllUriEncodingExpansion access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowAllUriEncodingExpansion access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\RequireCertificateEKUs access, read kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt access, read kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings create, access wscript.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings create, access wscript.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\IgnoreUserSettings access, read wscript.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Enabled access, read wscript.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled access, read wscript.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses access, read wscript.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses access, read wscript.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\TrustPolicy access, read wscript.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER access, read wscript.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\TrustPolicy access, read wscript.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER access, read wscript.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Timeout access, read wscript.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\DisplayLogo access, read wscript.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout access, read wscript.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo access, read wscript.exe CLEAN
HKEY_CLASSES_ROOT\.vbs access, read wscript.exe CLEAN
HKEY_CLASSES_ROOT\VBSFile\ScriptEngine access, read wscript.exe CLEAN
HKEY_PERFORMANCE_DATA access powershell.exe, kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Impersonation Level access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Namespace access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity access, read kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging access powershell.exe CLEAN
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging access powershell.exe CLEAN
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment access powershell.exe CLEAN
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\__PSLockdownPolicy access, read powershell.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine access powershell.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine\ApplicationBase access, read powershell.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\RealVNC\WinVNC4 access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\RealVNC\WinVNC4 access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\SOFTWARE\RealVNC\vncserver access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\SOFTWARE\RealVNC\WinVNC4 access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3 access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\ORL\WinVNC3 access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\Software\TightVNC\Server access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\TightVNC\Server access kvfwecxf.or3.exe CLEAN
HKEY_LOCAL_MACHINE\Software\TigerVNC\Server access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\TigerVNC\Server access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676 access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email access, read kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMAP Password access, read kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\POP3 Password access, read kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HTTP Password access, read kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SMTP Password access, read kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email access, read kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password access, read kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password access, read kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Password access, read kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password access, read kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server access, read kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email access, read kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMAP Password access, read kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 Password access, read kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HTTP Password access, read kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Password access, read kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1 access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\OpenVPN-GUI\configs access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\IncrediMail\Identities access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites\Host access, read kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\RimArts\B2\Settings access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions access kvfwecxf.or3.exe CLEAN
HKEY_CURRENT_USER\Software\DownloadManager\Passwords access kvfwecxf.or3.exe CLEAN
Process
Process Name Commandline Verdict
advancedrun.exe "C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run MALICIOUS
kvfwecxf.or3.exe "C:\Users\kEecfMwgj\Desktop\Kvfwecxf.OR3.exe" SUSPICIOUS
sc.exe "C:\Windows\System32\sc.exe" stop WinDefend SUSPICIOUS
advancedrun.exe "C:\Users\kEecfMwgj\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run SUSPICIOUS
kvfwecxf.or3.exe C:\Users\kEecfMwgj\AppData\Local\Temp\Kvfwecxf.OR3.exe SUSPICIOUS
System CLEAN
services.exe C:\Windows\system32\services.exe CLEAN
svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch CLEAN
svchost.exe C:\Windows\system32\svchost.exe -k RPCSS CLEAN
svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted CLEAN
svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted CLEAN
svchost.exe C:\Windows\system32\svchost.exe -k netsvcs CLEAN
svchost.exe C:\Windows\system32\svchost.exe -k LocalService CLEAN
svchost.exe C:\Windows\system32\svchost.exe -k NetworkService CLEAN
spoolsv.exe C:\Windows\System32\spoolsv.exe CLEAN
taskhost.exe "taskhost.exe" CLEAN
svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork CLEAN
officeclicktorun.exe "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service CLEAN
taskhost.exe taskhost.exe $(Arg0) CLEAN
svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation CLEAN
sppsvc.exe C:\Windows\system32\sppsvc.exe CLEAN
wmiapsrv.exe C:\Windows\system32\wbem\WmiApSrv.exe CLEAN
trustedinstaller.exe C:\Windows\servicing\TrustedInstaller.exe CLEAN
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse CLEAN
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\kEecfMwgj\AppData\Local\Temp\zRtceyajbxffti.vbs" CLEAN
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\ CLEAN
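The Process table above records the Defender-tampering chain (AdvancedRun launching sc.exe to stop WinDefend, PowerShell removing Defender's ProgramData directory, and Add-MpPreference excluding the whole C:\ drive), and the Registry table records the sample walking through the credential stores of Outlook, several VNC servers, WinSCP, CoreFTP and others. The following is an added detection example written for this page, not VMRay code and not output of the report: it runs two rule sets over records constructed from the values printed in those two tables. The record layout, rule names, the family grouping and the three-family threshold are this example's own choices, and the comment calling /RunAs 8 an elevated run mode is an assumption drawn from the report's privilege-escalation findings, not from the tool's documentation.

```python
"""Detection logic over process-creation and registry-access records shaped like
the Process and Registry artifact tables of this report (added example; the
SAMPLE_EVENTS records are constructed from values printed in the report)."""
import re
from collections import defaultdict

# Rule set 1: Defender tampering, matched case-insensitively against the whole
# command line, so a rule fires whether sc.exe runs directly or via AdvancedRun.
DEFENDER_TAMPER_RULES = {
    # NirSoft AdvancedRun with /RunAs 8 (assumed here to be an elevated run mode)
    "advancedrun_runas_8": re.compile(r"advancedrun(?:\.exe)?\b.*?/runas\s+8\b", re.I),
    "stop_windefend": re.compile(r"\bstop\s+windefend\b", re.I),
    # deleting C:\ProgramData\Microsoft\Windows Defender (definitions, quarantine)
    "defender_datadir_removal": re.compile(
        r"\b(?:rmdir|rd|remove-item)\b\s+['\"]?c:\\programdata\\microsoft\\windows defender", re.I),
    # adding a path exclusion; the report shows the whole C:\ drive excluded
    "defender_exclusion": re.compile(r"add-mppreference\b.*?-exclusionpath\b", re.I),
}

# Rule set 2: credential-store registry locations, grouped into families so an
# application counts once however many of its values are read.
CREDENTIAL_STORE_FAMILIES = {
    "outlook_profile_password": re.compile(
        r"\\Outlook\\Profiles\\.*\\(?:IMAP|POP3|SMTP|HTTP) Password$", re.I),
    "vnc_server": re.compile(r"\\(?:RealVNC|TightVNC|TigerVNC|ORL\\WinVNC3)\b", re.I),
    "winscp_sessions": re.compile(r"\\WinSCP 2\\Sessions$", re.I),
    "coreftp_sites": re.compile(r"\\FTPWare\\COREFTP\\Sites", re.I),
    "openvpn_configs": re.compile(r"\\OpenVPN-GUI\\configs$", re.I),
    "idm_passwords": re.compile(r"\\DownloadManager\\Passwords$", re.I),
}


def detect_defender_tampering(events):
    """(process name, rule name) pairs, in record order, for every process
    record whose command line matches a tampering rule."""
    hits = []
    for ev in events:
        if ev["type"] != "process":
            continue
        for rule, pattern in DEFENDER_TAMPER_RULES.items():
            if pattern.search(ev["cmdline"]):
                hits.append((ev["process"], rule))
    return hits


def credential_store_families(events):
    """Map each process to the set of credential-store families it touched."""
    families = defaultdict(set)
    for ev in events:
        if ev["type"] != "registry":
            continue
        for family, pattern in CREDENTIAL_STORE_FAMILIES.items():
            if pattern.search(ev["key"]):
                families[ev["process"]].add(family)
    return dict(families)


def find_credential_sweep(events, min_families=3):
    """Processes that probed at least min_families distinct stores: a mail
    client reads its own profile, a stealer reads everyone's."""
    return sorted(p for p, f in credential_store_families(events).items()
                  if len(f) >= min_families)


# Constructed sample: command lines and keys copied from the report's tables,
# plus one benign PowerShell record and one benign .NET registry read.
SAMPLE_EVENTS = [
    {"type": "process", "process": "kvfwecxf.or3.exe",
     "cmdline": '"C:\\Users\\kEecfMwgj\\Desktop\\Kvfwecxf.OR3.exe"'},
    {"type": "process", "process": "advancedrun.exe",
     "cmdline": '"C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\AdvancedRun.exe" '
                '/EXEFilename "C:\\Windows\\System32\\sc.exe" /WindowState 0 '
                '/CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run'},
    {"type": "process", "process": "sc.exe",
     "cmdline": '"C:\\Windows\\System32\\sc.exe" stop WinDefend'},
    {"type": "process", "process": "powershell.exe",
     "cmdline": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                "rmdir 'C:\\ProgramData\\Microsoft\\Windows Defender' -Recurse"},
    {"type": "process", "process": "powershell.exe",
     "cmdline": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                'Add-MpPreference -ExclusionPath C:\\'},
    {"type": "process", "process": "powershell.exe",  # benign control record
     "cmdline": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Get-MpPreference'},
    {"type": "registry", "process": "kvfwecxf.or3.exe",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto"},
    {"type": "registry", "process": "kvfwecxf.or3.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"
            r"\9375CFF0413111d3B88A00104B2A6676\00000001\IMAP Password"},
    {"type": "registry", "process": "kvfwecxf.or3.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"
            r"\9375CFF0413111d3B88A00104B2A6676\00000001\SMTP Password"},
    {"type": "registry", "process": "kvfwecxf.or3.exe",
     "key": r"HKEY_LOCAL_MACHINE\Software\TightVNC\Server"},
    {"type": "registry", "process": "kvfwecxf.or3.exe",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"type": "registry", "process": "kvfwecxf.or3.exe",
     "key": r"HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites\Host"},
    {"type": "registry", "process": "kvfwecxf.or3.exe",
     "key": r"HKEY_CURRENT_USER\Software\OpenVPN-GUI\configs"},
]

if __name__ == "__main__":
    for proc, rule in detect_defender_tampering(SAMPLE_EVENTS):
        print(f"defender tampering: {proc}: {rule}")
    for proc in find_credential_sweep(SAMPLE_EVENTS):
        print(f"credential-store sweep: {proc}: "
              f"{', '.join(sorted(credential_store_families(SAMPLE_EVENTS)[proc]))}")
```

Matching "stop WinDefend" anywhere in the command line, rather than only as sc.exe's own arguments, is deliberate: the report shows the string first inside AdvancedRun's /CommandLine argument, and a rule keyed on the image name of sc.exe would miss that earlier, higher-privilege record. The family threshold is what separates a stealer from legitimate software: Outlook alone reads its own profile keys, but nothing legitimate reads Outlook, VNC, WinSCP, CoreFTP and OpenVPN settings in one run.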
YARA / AV
No YARA or AV matches available.
ENVIRONMENT
Virtual Machine Information
Name win7_64_sp1_en_mso2016
Description win7_64_sp1_en_mso2016
Architecture x86 64-bit
Operating System Windows 7
Kernel Version 6.1.7601.18741 (2e37f962-d699-492c-aaf3-f9f4e9770b1d)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.1.1
Dynamic Engine Version 4.1.1 / 02/08/2021 15:19
Static Engine Version 1.6.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (November 12, 2020)
Built-in AV Database Update 2021-05-03 03:30:35+00:00 Release Date
VTI Ruleset Version 3.8
YARA Built-in Ruleset Version 1.5
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 8.0.7601.17514
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed