MALICIOUS
Classifications: Spyware
Threat Names: Generic.Andromeda.94893D17
Verdict Reason: -
Sample Type Windows Exe (x86-32)
File Name d9f8f2a93e3e4a08e12a95410d2823ac.virus.exe
ID #2611410
MD5 d9f8f2a93e3e4a08e12a95410d2823ac
SHA1 3224a3ac0afacaed0e1bdf961ce265def1c38927
SHA256 1f492469176d1d0bbf71de0503ac4788f7489b20e2f53f179c2826a0998038dc
File Size 1195.00 KB
Report Created 2021-08-12 10:23 (UTC+2)
Target Environment win7_64_sp1_en_mso2016 | exe
OVERVIEW
VMRay Threat Identifiers (23 rules, 59 matches)
Score Category Operation Count Classification
5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware
• Tries to read sensitive data of: NCH Fling, Google Talk, Internet Explorer / Edge, Microsoft Outlook, Windows Mail, BulletProof FTP, IncrediMail, Pidgin, CoreFTP, NCH Classic FTP, WinSCP, Pocomail, FileZilla, FAR Manager, Mozilla Firefox, Opera.
4/5 System Modification Modifies network configuration 2 -
• (Process #3) rundll32.exe modifies the proxy configuration by setting registry value "ProxyServer" to "127.0.0.1:3675".
• (Process #3) rundll32.exe modifies the proxy configuration by setting registry value "ProxyEnable" to "1".
4/5 Antivirus Malicious content was detected by heuristic scan 1 -
• Built-in AV detected a memory dump of (process #1) d9f8f2a93e3e4a08e12a95410d2823ac.virus.exe as "Generic.Andromeda.94893D17".
2/5 Hide Tracks Hides files 1 -
• (Process #2) rundll32.exe hides the file "C:\Users\KEECFM~1\Desktop\D9F8F2~1.EXE" by setting its "hidden" attribute.
2/5 Data Collection Reads sensitive browser data 4 -
• (Process #3) rundll32.exe tries to read sensitive data of web browser "Mozilla Firefox" by file.
• (Process #3) rundll32.exe tries to read sensitive data of web browser "Opera" by file.
• (Process #3) rundll32.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by registry.
• (Process #3) rundll32.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file.
2/5 Data Collection Reads sensitive application data 3 -
• (Process #3) rundll32.exe tries to read sensitive data of application "Google Talk" by registry.
• (Process #3) rundll32.exe tries to read sensitive data of application "Pidgin" by file.
• (Process #3) rundll32.exe tries to read sensitive data of application "WinSCP" by registry.
2/5 Data Collection Reads sensitive mail data 4 -
• (Process #3) rundll32.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.
• (Process #3) rundll32.exe tries to read sensitive data of mail application "IncrediMail" by registry.
• (Process #3) rundll32.exe tries to read sensitive data of mail application "Pocomail" by file.
• (Process #3) rundll32.exe tries to read sensitive data of mail application "Windows Mail" by file.
2/5 Data Collection Reads sensitive ftp data 6 -
• (Process #3) rundll32.exe tries to read sensitive data of ftp application "FAR Manager" by registry.
• (Process #3) rundll32.exe tries to read sensitive data of ftp application "FileZilla" by file.
• (Process #3) rundll32.exe tries to read sensitive data of ftp application "BulletProof FTP" by registry.
• (Process #3) rundll32.exe tries to read sensitive data of ftp application "CoreFTP" by registry.
• (Process #3) rundll32.exe tries to read sensitive data of ftp application "NCH Classic FTP" by registry.
• (Process #3) rundll32.exe tries to read sensitive data of ftp application "NCH Fling" by registry.
2/5 Discovery Queries OS version via WMI 1 -
• (Process #3) rundll32.exe queries OS version via WMI.
2/5 Discovery Executes WMI query 3 -
X-Ray Vision for Malware - www.vmray.com 2 / 32
• (Process #3) rundll32.exe executes WMI query: SELECT * FROM Win32_OperatingSystem.
• (Process #3) rundll32.exe executes WMI query: SELECT * FROM Win32_ComputerSystem.
• (Process #3) rundll32.exe executes WMI query: SELECT * FROM Win32_NetworkAdapter.
2/5 Discovery Collects hardware properties 1 -
• (Process #3) rundll32.exe queries hardware properties via WMI.
2/5 Discovery Reads network adapter information 1 -
• (Process #3) rundll32.exe queries information about the network adapters via WMI.
2/5 Anti Analysis Delays execution 1 -
• (Process #3) rundll32.exe has a thread which sleeps more than 5 minutes.
2/5 Network Connection Sets up server that accepts incoming connections 2 -
• (Process #3) rundll32.exe starts a TCP server listening on localhost port 3674.
• (Process #3) rundll32.exe starts a TCP server listening on localhost port 3675.
1/5 Hide Tracks Creates process with hidden window 2 -
• (Process #1) d9f8f2a93e3e4a08e12a95410d2823ac.virus.exe starts (process #2) rundll32.exe with a hidden window.
• (Process #9) powershell.exe starts (process #10) nslookup.exe with a hidden window.
1/5 Discovery Tries to get network statistics 1 -
• (Process #3) rundll32.exe gets network statistics via API.
1/5 Discovery Enumerates running processes 1 -
• (Process #3) rundll32.exe enumerates running processes.
1/5 Discovery Possibly does reconnaissance 16 -
• (Process #3) rundll32.exe tries to gather information about application "Mozilla Firefox" by file.
• (Process #3) rundll32.exe tries to gather information about application "Mozilla" by registry.
• (Process #3) rundll32.exe tries to gather information about application "RealVNC" by registry.
• (Process #3) rundll32.exe tries to gather information about application "MSN Messenger" by registry.
• (Process #3) rundll32.exe tries to gather information about application "Microsoft MessengerService" by registry.
• (Process #3) rundll32.exe tries to gather information about application "Yahoo Pager" by registry.
• (Process #3) rundll32.exe tries to gather information about application "Paltalk" by registry.
• (Process #3) rundll32.exe tries to gather information about application "Pidgin" by file.
• (Process #3) rundll32.exe tries to gather information about application "Qualcomm Eudora" by registry.
• (Process #3) rundll32.exe tries to gather information about application "Pocomail" by file.
• (Process #3) rundll32.exe tries to gather information about application "Total Commander" by registry.
• (Process #3) rundll32.exe tries to gather information about application "FlashFXP" by file.
• (Process #3) rundll32.exe tries to gather information about application "FileZilla" by file.
• (Process #3) rundll32.exe tries to gather information about application "SmartFTP" by file.
• (Process #3) rundll32.exe tries to gather information about application "SecureFX" by registry.
• (Process #3) rundll32.exe tries to gather information about application "WinSCP" by registry.
1/5 Privilege Escalation Enables process privilege 1 -
1/5 User Data Modification Uses encryption API 1 -
• (Process #3) rundll32.exe uses above average number of encryption APIs.
1/5 Obfuscation Resolves API functions dynamically 3 -
• (Process #1) d9f8f2a93e3e4a08e12a95410d2823ac.virus.exe resolves 130 API functions by name.
• (Process #2) rundll32.exe resolves 327 API functions by name.
• (Process #3) rundll32.exe resolves 388 API functions by name.
1/5 Execution Drops PE file 1 -
• (Process #1) d9f8f2a93e3e4a08e12a95410d2823ac.virus.exe drops file "C:\Users\KEECFM~1\Desktop\D9F8F2~1.EXE.tmp".
1/5 Network Connection Connects to remote host 2 -
• (Process #2) rundll32.exe opens an outgoing TCP connection to host "142.11.244.124:443".
• (Process #3) rundll32.exe opens an outgoing TCP connection to host "142.11.244.124:443".
Mitre ATT&CK Matrix
Initial Access: -
Execution: #T1047 Windows Management Instrumentation
Persistence: #T1158 Hidden Files and Directories
Privilege Escalation: -
Defense Evasion: #T1143 Hidden Window, #T1158 Hidden Files and Directories, #T1112 Modify Registry, #T1045 Software Packing
Credential Access: #T1081 Credentials in Files, #T1214 Credentials in Registry
Discovery: #T1016 System Network Configuration Discovery, #T1049 System Network Connections Discovery, #T1057 Process Discovery, #T1083 File and Directory Discovery, #T1012 Query Registry, #T1217 Browser Bookmark Discovery, #T1082 System Information Discovery
Lateral Movement: -
Collection: #T1119 Automated Collection, #T1005 Data from Local System
Command and Control: #T1090 Connection Proxy
Exfiltration: -
Impact: -
Sample Information
ID #2611410
MD5 d9f8f2a93e3e4a08e12a95410d2823ac
SHA1 3224a3ac0afacaed0e1bdf961ce265def1c38927
SHA256 1f492469176d1d0bbf71de0503ac4788f7489b20e2f53f179c2826a0998038dc
SSDeep 24576:8CxesLTH1zZ5SBuKo8lLKgiK5E+WDG6+cTyyF8sFv:bL5V4toTT+WDG6+cmyF
ImpHash 0b2673717edc4e64b07cfaab3e6cb412
File Name d9f8f2a93e3e4a08e12a95410d2823ac.virus.exe
File Size 1195.00 KB
Sample Type Windows Exe (x86-32)
Has Macros
Analysis Information
Creation Time 2021-08-12 10:23 (UTC+2)
Analysis Duration 00:04:00
Termination Reason Timeout
Number of Monitored Processes 7
Execution Successful False
Reputation Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 1
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 0
NETWORK
General
9.24 KB total sent, 13448.23 KB total received
2 ports: 443, 53
2 contacted IP addresses
0 URLs extracted, 0 files downloaded
0 malicious hosts detected
DNS
0 DNS requests for 0 domains, 0 nameservers contacted
0 total requests returned errors
HTTP/S
0 URLs contacted, 0 servers
0 sessions, 0 bytes sent, 0 bytes received
BEHAVIOR
Process Graph
#1 d9f8f2a93e3e4a08e12a95410d2823ac.virus.exe (Sample Start)
  #2 rundll32.exe (Child Process)
    #3 rundll32.exe (Child Process)
      #4 rundll32.exe (Child Process)
      #5 powershell.exe (Child Process)
      #9 powershell.exe (Child Process)
        #10 nslookup.exe (Child Process)
Process #1: d9f8f2a93e3e4a08e12a95410d2823ac.virus.exe
ID 1
File Name c:\users\keecfmwgj\desktop\d9f8f2a93e3e4a08e12a95410d2823ac.virus.exe
Command Line "C:\Users\kEecfMwgj\Desktop\d9f8f2a93e3e4a08e12a95410d2823ac.virus.exe"
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 43975, Reason: Analysis Target
Unmonitor End Time End Time: 79381, Reason: Terminated
Monitor duration 35.41s
Return Code 0
PID 3816
Parent PID 876
Bitness 32 Bit
Dropped Files (1)
File Name File Size SHA256 YARA Match
C:\Users\KEECFM~1\Desktop\D9F8F2~1.EXE.tmp 1359.00 KB 1fa280b8c7348e215595f000e4d97a49813cb4c0dd030837ac637ad60923942b
Host Behavior
Type Count
System 325
Module 224
File 8
Environment 1
Registry 12
Process 1
Process #2: rundll32.exe
ID 2
File Name c:\windows\syswow64\rundll32.exe
Command Line C:\Windows\system32\rundll32.exe C:\Users\KEECFM~1\Desktop\D9F8F2~1.TMP,S C:\Users\KEECFM~1\Desktop\D9F8F2~1.EXE
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 75245, Reason: Child Process
Unmonitor End Time End Time: 115771, Reason: Terminated
Monitor duration 40.53s
Return Code 0
PID 3844
Parent PID 3816
Bitness 32 Bit
Dropped Files (1)
File Name File Size SHA256 YARA Match
C:\PROGRA~3\Jvgzbfh.tmp 10240.00 KB f3b50ef03f56a052f5cf9e6f7eca44b8b1062527cffd5458d41592cd4cee11fe
Host Behavior
Type Count
System 111
Module 483
Registry 266
- 6
File 80
Process 1
Network Behavior
Type Count
TCP 1
Process #3: rundll32.exe
ID 3
File Name c:\windows\syswow64\rundll32.exe
Command Line C:\Windows\system32\RUNDLL32.EXE C:\Users\KEECFM~1\Desktop\D9F8F2~1.TMP,QjUNQ0twTnBO
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 112881, Reason: Child Process
Unmonitor End Time End Time: 284965, Reason: Terminated by Timeout
Monitor duration 172.08s
Return Code Unknown
PID 3920
Parent PID 3844
Bitness 32 Bit
Dropped Files (4)
File Name File Size SHA256 YARA Match
C:\ProgramData\Jvgzbfh.tmp 10240.00 KB f3b50ef03f56a052f5cf9e6f7eca44b8b1062527cffd5458d41592cd4cee11fe
C:\Users\kEecfMwgj\AppData\Local\Temp\tmp5DE.tmp.ps1 264 bytes 32d8d3e61d0128068cc92b8aab0782c6feecc62041974eaaae32ab5584001aff
C:\Users\kEecfMwgj\AppData\Local\Temp\tmpD3F7.tmp.ps1 84 bytes a2b5fe144619daa9be9b4122c0e2ebe8d03a7a9704a66168504247698d6a00f5
C:\Users\kEecfMwgj\AppData\Local\Temp\tmpD3F8.tmp 514 bytes c3dbd227d0bc268b0765b1d9f87ef23d309c45dd77d6d9f8eb87a7fcc94227e7
Host Behavior
Type Count
System 13303
Module 651
Registry 2445
- 45
File 248
Process 388
Window 7
User 6
COM 45
- 4
- 6
Keyboard 1
Environment 1
Network Behavior
Type Count
TCP 1
Process #4: rundll32.exe
ID 4
File Name c:\windows\syswow64\rundll32.exe
Command Line "C:\Windows\system32\rundll32.exe" "C:\Windows\syswow64\wininet.dll",DispatchAPICall 1
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 134487, Reason: Child Process
Unmonitor End Time End Time: 138998, Reason: Terminated
Monitor duration 4.51s
Return Code 0
PID 3972
Parent PID 3920
Bitness 32 Bit
Process #5: powershell.exe
ID 5
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\kEecfMwgj\AppData\Local\Temp\tmp5DE.tmp.ps1"
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 162711, Reason: Child Process
Unmonitor End Time End Time: 215925, Reason: Terminated
Monitor duration 53.21s
Return Code 0
PID 2800
Parent PID 3920
Bitness 32 Bit
Host Behavior
Type Count
Environment 26
File 578
System 40
Registry 59
Module 4
- 30
Process #9: powershell.exe
ID 9
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\kEecfMwgj\AppData\Local\Temp\tmpD3F7.tmp.ps1"
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 237670, Reason: Child Process
Unmonitor End Time End Time: 257153, Reason: Terminated
Monitor duration 19.48s
Return Code 0
PID 1896
Parent PID 3920
Bitness 32 Bit
Host Behavior
Type Count
Environment 22
File 555
System 28
Registry 59
Process 1
Module 5
- 32
- 1
Process #10: nslookup.exe
ID 10
File Name c:\windows\syswow64\nslookup.exe
Command Line "C:\Windows\system32\nslookup.exe" -type=any localhost
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 254403, Reason: Child Process
Unmonitor End Time End Time: 256950, Reason: Terminated
Monitor duration 2.55s
Return Code 0
PID 3536
Parent PID 1896
Bitness 32 Bit
Host Behavior
Type Count
System 4
Module 1
Registry 7
File 15
Network Behavior
Type Count
UDP 1
ARTIFACTS
File
SHA256 File Names Category File Size MIME Type Operations Verdict
1f492469176d1d0bbf71de0503ac4788f7489b20e2f53f179c2826a0998038dc C:\Users\kEecfMwgj\Desktop\d9f8f2a93e3e4a08e12a95410d2823ac.virus.exe Sample File 1195.00 KB application/vnd.microsoft.portable-executable Access MALICIOUS
2fab073d2db7c01137879e360ab381abf1d7cce8dfb7c152690b1c7f944b2f2f C:\Users\KEECFM~1\Desktop\D9F8F2~1.EXE Modified File 1195.00 KB application/octet-stream Access, Write CLEAN
f3b50ef03f56a052f5cf9e6f7eca44b8b1062527cffd5458d41592cd4cee11fe C:\PROGRA~3\Jvgzbfh.tmp, C:\ProgramData\Jvgzbfh.tmp Dropped File 10240.00 KB application/octet-stream Access, Read, Create, Write CLEAN
1fa280b8c7348e215595f000e4d97a49813cb4c0dd030837ac637ad60923942b C:\Users\KEECFM~1\Desktop\D9F8F2~1.EXE.tmp Dropped File 1359.00 KB application/vnd.microsoft.portable-executable Access, Create, Write CLEAN
32d8d3e61d0128068cc92b8aab0782c6feecc62041974eaaae32ab5584001aff C:\Users\kEecfMwgj\AppData\Local\Temp\tmp5DE.tmp.ps1 Dropped File 264 bytes text/plain Access, Read, Create, Write CLEAN
a2b5fe144619daa9be9b4122c0e2ebe8d03a7a9704a66168504247698d6a00f5 C:\Users\kEecfMwgj\AppData\Local\Temp\tmpD3F7.tmp.ps1 Dropped File 84 bytes text/plain Access, Read, Write, Delete, Create CLEAN
c3dbd227d0bc268b0765b1d9f87ef23d309c45dd77d6d9f8eb87a7fcc94227e7 C:\Users\kEecfMwgj\AppData\Local\Temp\tmpD3F8.tmp Dropped File 514 bytes text/plain Access, Read, Write, Delete, Create CLEAN
Filename
File Name Category Operations Verdict
C:\Users\kEecfMwgj\Desktop\d9f8f2a93e3e4a08e12a95410d2823ac.virus.exe Sample File Access CLEAN
C:\Users\KEECFM~1\Desktop\D9F8F2~1.EXE.tmp Dropped File Access, Create, Write CLEAN
C:\Windows\system32\rundll32.exe Accessed File Access CLEAN
C:\Users\KEECFM~1\Desktop\D9F8F2~1.TMP Accessed File Access CLEAN
C:\Windows\SysWOW64\rundll32.exe Accessed File Access CLEAN
C:\Users\KEECFM~1\Desktop\D9F8F2~1.EXE Modified File Access, Write CLEAN
C:\PROGRA~3\Jvgzbfh.tmp Dropped File Access, Read, Create, Write CLEAN
000E Accessed File Access CLEAN
C:\Windows\SysWOW64\RUNDLL32.EXE Accessed File Access CLEAN
C:\ProgramData\Jvgzbfh.tmp Dropped File Access, Read, Write, Create CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Mozilla\Firefox\profiles.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\FTPRush\RushSite.xml Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Apple Computer\Safari\Preferences\keychain.plist Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Opera Software\Opera Stable Accessed File Access CLEAN
C:\Program Files\Opera\ Accessed File Access CLEAN
C:\Program Files (x86)\Opera\ Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Programs\Opera\ Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Opera\wand.dat Accessed File Access CLEAN
C:\ProgramData\Opera\wand.dat Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Opera 9 Beta\wand.dat Accessed File Access CLEAN
C:\ProgramData\Opera 9 Beta\wand.dat Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Opera 10 Preview\wand.dat Accessed File Access CLEAN
C:\ProgramData\Opera 10 Preview\wand.dat Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Opera 10 Beta\wand.dat Accessed File Access CLEAN
C:\ProgramData\Opera 10 Beta\wand.dat Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Opera Software\Opera Stable\Web Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Opera Software\Opera Stable\Login Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Opera Software\Opera Stable\Web Data Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Opera Software\Opera Stable\Login Data Accessed File Access CLEAN
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Accessed File Access CLEAN
C:\Program Files\Google\Chrome\Application\chrome.exe Accessed File Access CLEAN
C:\Program Files (x86)\Trillian\users Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\.gaim\accounts.xml Accessed File Access CLEAN
C:\ProgramData\.gaim\accounts.xml Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\sim\clients.conf Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\sim\ Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\PsiData\profiles Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\.purple\accounts.xml Accessed File Access CLEAN
C:\ProgramData\.purple\accounts.xml Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\MySpace\IM\users.txt Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Pandion\global.xml Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Digsby\Digsby.dat Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Trillian\users\global\accounts.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Trillian\users\global\accounts.ini Accessed File Access CLEAN
C:\ProgramData\Trillian\users\global\accounts.ini Accessed File Access CLEAN
C:\Windows Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Flexiblesoft\Dialer\Phones.tbl Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Flexiblesoft\Dialer Lite\Phones.tbl Accessed File Access CLEAN
C:\Windows\Vd3main.dat Accessed File Access CLEAN
C:\Windows\Vd3User.dat Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Download Master Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Internet Download
C:\ProgramData\PokerStars\user.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\PokerStars\user.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\BatMail\ Accessed File Access CLEAN
C Accessed File Access CLEAN
C:\ProgramData\BatMail\ Accessed File Access CLEAN
C:\ProgramData\Qualcomm\Eudora\Eudora.ini Accessed File Access, Read, Write CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Qualcomm\Eudora\Eudora.ini Accessed File Access, Read, Write CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\PocoMail\accounts.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\PocoMail\poco.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\POP Peeper\poppeeper.ini Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows Live Mail\ Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Temp\tmp5DE.tmp Accessed File Access, Create CLEAN
C:\Users\kEecfMwgj\AppData\Local\Temp\tmp5EE.tmp Accessed File Access, Read, Create CLEAN
C:\Users\kEecfMwgj\AppData\Local\Temp Accessed File Access CLEAN
C:\Users\kEecfMwgj\AppData\Local\Temp\tmp5DE.tmp.ps1 Dropped File Access, Read, Create, Write CLEAN
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Accessed File Access CLEAN
C:\Users\kEecfMwgj\Desktop\%SystemRoot%\system32\WindowsPowerShell\v1.0\ Accessed File Access CLEAN
C:\Windows\system32 Accessed File Access CLEAN
C:\Windows\System32\Wbem Accessed File Access CLEAN
C:\Windows\System32\WindowsPowerShell\v1.0\ Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Modules.psd1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Modules.psm1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Modules.cdxml Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Modules.xaml Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Modules.ni.dll Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\Modules.dll Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 Accessed File Access, Read CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.ni.dll Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 Accessed File Access, Read CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PowerShellGet.psd1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en\PowerShellGet.psd1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 Accessed File Access, Read CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Format.ps1xml Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Resource.psd1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGetModuleInfo.xml Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1 Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.ni.dll Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll Accessed File Access CLEAN
C:\Users\kEecfMwgj\Documents\WindowsPowerShell\Modules Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.psd1 Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.cdxml Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.xaml Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.ni.dll Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.dll Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 Accessed File Access, Read CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1 Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1 Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.ni.dll Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 Accessed File Access, Read CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PowerShellGet.psd1 Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en\PowerShellGet.psd1 Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 Accessed File Access, Read CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Format.ps1xml Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Resource.psd1 Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGetModuleInfo.xml Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1 Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1 Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.ni.dll Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.psd1 Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.psm1 Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.cdxml Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.xaml Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.ni.dll Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.dll Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host Accessed File Access CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management Accessed File Access CLEAN
Reduced dataset
IP
IP Address Domains Country Protocols Verdict
192.168.0.1 - - UDP, DNS CLEAN
142.11.244.124 - United States TCP CLEAN
Registry
Registry Key Operations Parent Process Name Verdict
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer access, write rundll32.exe MALICIOUS
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable access, write rundll32.exe MALICIOUS
HKEY_CURRENT_USER\Software\Embarcadero\Locales access rundll32.exe, d9f8f2a93e3e4a08e12a95410d2823ac.virus.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Embarcadero\Locales access rundll32.exe, d9f8f2a93e3e4a08e12a95410d2823ac.virus.exe CLEAN
HKEY_LOCAL_MACHINE\Software\CodeGear\Locales access rundll32.exe, d9f8f2a93e3e4a08e12a95410d2823ac.virus.exe CLEAN
HKEY_CURRENT_USER\Software\Borland\Locales access rundll32.exe, d9f8f2a93e3e4a08e12a95410d2823ac.virus.exe CLEAN
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales access rundll32.exe, d9f8f2a93e3e4a08e12a95410d2823ac.virus.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2 access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current
Version\Uninstall\WIC access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current
Version\Uninstall\WIC\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current
Version\Uninstall\{0FA68574-690B-4B00-89AA-B28946231449} access rundll32.exe CLEAN
X-Ray Vision for Malware - www.vmray.com 24 / 32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0FA68574-690B-4B00-89AA-B28946231449}\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0FA68574-690B-4B00-89AA-B28946231449}\DisplayName access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E} access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}\DisplayName access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2} access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}\DisplayName access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\DisplayName access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a} access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a}\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a}\DisplayName access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{65e650ff-30be-469d-b63a-418d71ea1765} access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{65e650ff-30be-469d-b63a-418d71ea1765}\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{65e650ff-30be-469d-b63a-418d71ea1765}\DisplayName access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6913e92a-b64e-41c9-a5e6-cef39207fe89} access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\DisplayName access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2} access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}\DisplayName access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE} access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}\DisplayName access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-0000-0000000FF1CE} access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-0000-0000000FF1CE}\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-0000-0000000FF1CE}\DisplayName access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4503575 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4503575\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4503575\DisplayName access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}\DisplayName access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9} access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9}\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9}\DisplayName access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB} access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}\DisplayName access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d} access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\DisplayName access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}\DisplayName access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185} access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}\UninstallString access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}\DisplayName access, read rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Cache access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Current access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Readers access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Identity Device (Microsoft Generic Profile) access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Identity Device (NIST SP 800-73 [PIV]) access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\CatalogDB access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\CatDBTempFiles access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base DSS Cryptographic Provider access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft DH SChannel Cryptographic Provider access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced Cryptographic Provider v1.0 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft RSA SChannel Cryptographic Provider access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 003 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 012 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 013 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 018 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0 access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine access rundll32.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config access rundll32.exe CLEAN
Reduced dataset
Process
Process Name Commandline Verdict
d9f8f2a93e3e4a08e12a95410d2823ac.virus.exe "C:\Users\kEecfMwgj\Desktop\d9f8f2a93e3e4a08e12a95410d2823ac.virus.exe" MALICIOUS
rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\KEECFM~1\Desktop\D9F8F2~1.TMP,S C:\Users\KEECFM~1\Desktop\D9F8F2~1.EXE SUSPICIOUS
rundll32.exe C:\Windows\system32\RUNDLL32.EXE C:\Users\KEECFM~1\Desktop\D9F8F2~1.TMP,QjUNQ0twTnBO SUSPICIOUS
rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Windows\syswow64\wininet.dll",DispatchAPICall 1 CLEAN
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\kEecfMwgj\AppData\Local\Temp\tmpD3F7.tmp.ps1" CLEAN
nslookup.exe "C:\Windows\system32\nslookup.exe" -type=any localhost CLEAN
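Two host-side checks a responder could script from the behaviour recorded in this report, added here as an example; this is not code from the VMRay report or from VMRay. `is_loopback_proxy_hijack` flags the per-user WinINet proxy state the rundll32 process wrote in the registry table above (ProxyEnable set, ProxyServer pointing at the local host, which is what a local interception proxy leaves behind), and `rundll32_findings` scores rundll32 command lines like the ones in the process table (a .TMP module loaded from the user's Desktop through an export name that is not a documented entry point). The three rundll32 command lines in the block are copied from the process table; the proxy values used in the usage and tests are constructed. The trusted-extension set, the user-writable directory list and the export-name heuristic are the example's own assumptions, not rules stated in the report.

```python
"""Checks for two behaviours recorded in the report: a per-user WinINet proxy
hijack (HKCU Internet Settings ProxyEnable/ProxyServer) and rundll32.exe
loading a non-DLL module from a user-writable directory.
Added example for this page; not VMRay code. Thresholds and lists below are
the example author's assumptions."""
import ntpath
import re
from typing import List, Optional, Tuple

# Proxy hosts that mean "route this user's web traffic through something
# running on this very machine".
LOOPBACK_PREFIXES = ("127.", "localhost", "[::1]")

# Extensions rundll32 is normally handed; anything else (e.g. .TMP) is a finding.
# Assumption: tune per estate.
TRUSTED_MODULE_EXT = {".dll", ".cpl", ".ocx", ".ax", ".drv"}

# Directories an unprivileged user can write to (assumption: tune per estate).
USER_WRITABLE = re.compile(r"\\(users|documents and settings|programdata|temp|tmp)\\", re.I)

# "rundll32.exe <module>,<export> [args]"; the module may be quoted or an 8.3 short name.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?P<exe>[^"\s]*rundll32\.exe)"?\s+'
    r'(?P<module>"[^"]+"|[^\s,]+)\s*,\s*(?P<export>\S+)(?:\s+(?P<args>.*))?\s*$',
    re.I,
)


def _proxy_host(entry: str) -> str:
    """Host part of one ProxyServer entry: "host:port", "https=host:port" or "http://host:port"."""
    entry = entry.strip()
    if "=" in entry:                       # per-protocol form "https=host:port"
        entry = entry.split("=", 1)[1]
    entry = re.sub(r"^[a-z]+://", "", entry, flags=re.I)
    m = re.match(r"^(\[[^\]]+\]|[^:]+)(?::\d+)?$", entry)
    return (m.group(1) if m else entry).lower()


def is_loopback_proxy_hijack(proxy_enable, proxy_server: str) -> bool:
    """True when the user proxy is enabled and any entry points back at this host."""
    if str(proxy_enable) != "1" or not proxy_server:
        return False
    return any(_proxy_host(e).startswith(LOOPBACK_PREFIXES)
               for e in proxy_server.split(";") if e.strip())


def read_user_proxy() -> Optional[Tuple[int, str]]:
    """Read the live HKCU values on Windows; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for name, default in (("ProxyEnable", 0), ("ProxyServer", "")):
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:  # value absent = proxy never configured
                values[name] = default
    return int(values["ProxyEnable"]), str(values["ProxyServer"])


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str, str]]:
    """Split a rundll32 command line into (module, export, args); None if not rundll32."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return m.group("module").strip('"'), m.group("export"), (m.group("args") or "").strip()


def rundll32_findings(cmdline: str) -> List[str]:
    """Heuristic findings for one rundll32 command line; an empty list means nothing odd."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    module, export, _args = parsed
    findings = []
    ext = ntpath.splitext(module)[1].lower()
    if ext not in TRUSTED_MODULE_EXT:
        findings.append(f"module extension {ext or '(none)'} is not a DLL-type extension")
    if USER_WRITABLE.search(module):
        findings.append("module loaded from a user-writable directory")
    # Assumption: a one-letter export, or a long mixed-case token with digits,
    # is a generated name rather than a documented entry point.
    if len(export) == 1 or re.fullmatch(r"(?=.*\d)(?=.*[a-z])(?=.*[A-Z])\w{8,}", export):
        findings.append(f"export name {export!r} looks generated rather than documented")
    return findings


# The three rundll32 rows from the process table above, used here as input.
REPORT_RUNDLL32_ROWS = [
    r"C:\Windows\system32\rundll32.exe C:\Users\KEECFM~1\Desktop\D9F8F2~1.TMP,S C:\Users\KEECFM~1\Desktop\D9F8F2~1.EXE",
    r"C:\Windows\system32\RUNDLL32.EXE C:\Users\KEECFM~1\Desktop\D9F8F2~1.TMP,QjUNQ0twTnBO",
    r'"C:\Windows\system32\rundll32.exe" "C:\Windows\syswow64\wininet.dll",DispatchAPICall 1',
]

if __name__ == "__main__":
    for row in REPORT_RUNDLL32_ROWS:
        hits = rundll32_findings(row)
        print("SUSPICIOUS" if hits else "clean     ", row)
        for hit in hits:
            print("   -", hit)
    # Constructed proxy values, not the ones from the report.
    print("constructed proxy hijack:", is_loopback_proxy_hijack(1, "127.0.0.1:8080"))
    live = read_user_proxy()
    if live is not None:
        print("this host's user proxy is a loopback hijack:", is_loopback_proxy_hijack(*live))
```

Run it on a Windows host to check the live HKCU values, or feed `rundll32_findings` process-creation command lines from EDR or Sysmon event ID 1 telemetry. The benign `wininet.dll,DispatchAPICall` row from the table produces no findings, which is the calibration point: the rule fires on the module's location and type, not on rundll32 itself.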
YARA / AV
Antivirus (1)
File Type Threat Name File Name Verdict
Memory Dump Generic.Andromeda.94893D17 - MALICIOUS
ENVIRONMENT
Virtual Machine Information
Name win7_64_sp1_en_mso2016
Description win7_64_sp1_en_mso2016
Architecture x86 64-bit
Operating System Windows 7
Kernel Version 6.1.7601.18741 (2e37f962-d699-492c-aaf3-f9f4e9770b1d)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.2.2
Dynamic Engine Version 4.2.2 / 07/23/2021 03:44
Static Engine Version 4.2.2.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)
Built-in AV Database Update Release Date 2021-08-12 05:04:36+00:00
AV Exceptions Version 4.2.2.54 / 2021-07-23 03:00:10
VTI Ruleset Version 4.2.2.33 / 2021-08-02 14:31:04
YARA Built-in Ruleset Version 4.2.2.34
Link Detonation Heuristics Version -
Signature Trust Store Version 4.2.2.54 / 2021-07-23 03:00:10
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 8.0.7601.17514
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed