MALICIOUS DYNAMIC ANALYSIS REPORT # X-Ray Vision for Malware / 38. Classifications: Downloader Spyware Injector

(1)

MALICIOUS

Classifications: Downloader Spyware Injector

Threat Names: Raccoon v1.7.2 Mal/Generic-S Verdict Reason: -

Sample Type Windows Exe (x86-32)

File Name 232fed8b22dd0e13e7d2987cb4ed4419.exe

ID #3246943

MD5 232fed8b22dd0e13e7d2987cb4ed4419

SHA1 2bedcc61bee293152d95a115ac94119057039fa2

SHA256 1cfa7d9edcfe5a277e5c7f20e702a6b2cfd652e6f812b8203f5ed8fa9070994d

File Size 1998.50 KB

Report Created 2022-01-07 15:28 (UTC+1)

Target Environment win10_64_th2_en_mso2016 | exe

(2)

OVERVIEW

VMRay Threat Identifiers (23 rules, 84 matches)

Score Category Operation Count Classification

5/5 YARA Malicious content matched by YARA rules 1 Spyware

Rule "Raccoon_1_7_2" from ruleset "Malware" has matched on a memory dump for (process #2) applaunch.exe.

•

5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware

Tries to read sensitive data of: Internet Explorer, Internet Explorer / Edge, Microsoft Outlook, The Bat!.

•

4/5 Injection Writes into the memory of another process 1 Injector

(Process #1) 232fed8b22dd0e13e7d2987cb4ed4419.exe modifies memory of (process #2) applaunch.exe.

•

4/5 Injection Modifies control flow of another process 1 -

(Process #1) 232fed8b22dd0e13e7d2987cb4ed4419.exe alters context of (process #2) applaunch.exe.

•

4/5 Reputation Known malicious file 1 -

Reputation analysis labels the sample itself as "Mal/Generic-S".

•

4/5 Reputation Contacts known malicious URL 1 -

(Process #2) applaunch.exe contacted known malicious URL "5.181.156.155/five51omw".

•

2/5 Anti Analysis Tries to detect virtual machine 1 -

(Process #1) 232fed8b22dd0e13e7d2987cb4ed4419.exe reads out system information, commonly used to detect "VirtualBox" via registry. (Key is

"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__").

•

2/5 Anti Analysis Tries to detect application sandbox 2 -

(Process #1) 232fed8b22dd0e13e7d2987cb4ed4419.exe tries to detect "Comodo Sandbox" by checking for existence of module "cmdvrt32.dll".

(Process #1) 232fed8b22dd0e13e7d2987cb4ed4419.exe tries to detect "Sandboxie" by checking for existence of module "SbieDll.dll".

•

2/5 Data Collection Reads sensitive mail data 2 -

(Process #2) applaunch.exe tries to read sensitive data of mail application "The Bat!" by file.

(Process #2) applaunch.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.

•

2/5 Data Collection Reads sensitive browser data 3 -

(Process #2) applaunch.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file.

(Process #2) applaunch.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by registry.

(Process #2) applaunch.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.

•

2/5 Hide Tracks Deletes file after execution 1 -

(Process #6) cmd.exe deletes executed executable "c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe".

•

1/5 Hide Tracks Creates process with hidden window 2 -

(Process #1) 232fed8b22dd0e13e7d2987cb4ed4419.exe starts (process #2) applaunch.exe with a hidden window.

(Process #2) applaunch.exe starts (process #6) cmd.exe with a hidden window.

•

1/5 Obfuscation Reads from memory of another process 1 -

X-Ray Vision for Malware - www.vmray.com 2 / 38

(3)

Score Category Operation Count Classification

(Process #1) 232fed8b22dd0e13e7d2987cb4ed4419.exe reads from (process #2) applaunch.exe.

•

1/5 Obfuscation Creates a page with write and execute permissions 1 -

(Process #1) 232fed8b22dd0e13e7d2987cb4ed4419.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

•

1/5 Mutex Creates mutex 1 -

(Process #2) applaunch.exe creates mutex with name "RDhJ0CNFevzXjP9-mF-5jG".

•

1/5 Discovery Reads system data 1 -

(Process #2) applaunch.exe reads the cryptographic machine GUID from registry.

•

1/5 Obfuscation Resolves API functions dynamically 2 -

(Process #1) 232fed8b22dd0e13e7d2987cb4ed4419.exe resolves 213 API functions by name.

(Process #2) applaunch.exe resolves 37 API functions by name.

•

1/5 Obfuscation The binary file was created with a packer 1 -

File "C:\Users\RDhJ0CNFevzX\Desktop\232fed8b22dd0e13e7d2987cb4ed4419.exe" is packed with "ASProtect v1.23 RC1".

•

1/5 Execution Drops PE file 56 -

(4)

Drops file nssdbm3.dll.

Drops file prldap60.dll.

Drops file qipcap.dll.

Drops file softokn3.dll.

Drops file ucrtbase.dll.

Drops file vcruntime140.dll.

Drops file AccessibleHandler.dll.

Drops file AccessibleMarshal.dll.

Drops file breakpadinjector.dll.

Drops file freebl3.dll.

Drops file IA2Marshal.dll.

Drops file ldap60.dll.

Drops file ldif60.dll.

Drops file lgpllibs.dll.

Drops file libEGL.dll.

Drops file MapiProxy.dll.

Drops file mozglue.dll.

Drops file mozMapi32.dll.

Drops file msvcp140.dll.

Drops file nss3.dll.

Drops file nssckbi.dll.

Drops file api-ms-win-core-namedpipe-l1-1-0.dll.

Drops file api-ms-win-core-processenvironment-l1-1-0.dll.

Drops file api-ms-win-core-processthreads-l1-1-0.dll.

Drops file api-ms-win-core-processthreads-l1-1-1.dll.

Drops file api-ms-win-core-profile-l1-1-0.dll.

Drops file api-ms-win-core-rtlsupport-l1-1-0.dll.

Drops file api-ms-win-core-string-l1-1-0.dll.

Drops file api-ms-win-core-synch-l1-1-0.dll.

Drops file api-ms-win-core-synch-l1-2-0.dll.

Drops file api-ms-win-core-sysinfo-l1-1-0.dll.

Drops file api-ms-win-core-timezone-l1-1-0.dll.

Drops file api-ms-win-core-util-l1-1-0.dll.

Drops file api-ms-win-crt-conio-l1-1-0.dll.

Drops file api-ms-win-crt-convert-l1-1-0.dll.

Drops file api-ms-win-crt-environment-l1-1-0.dll.

Drops file api-ms-win-crt-filesystem-l1-1-0.dll.

Drops file api-ms-win-crt-heap-l1-1-0.dll.

Drops file api-ms-win-crt-locale-l1-1-0.dll.

Drops file api-ms-win-crt-math-l1-1-0.dll.

Drops file api-ms-win-crt-multibyte-l1-1-0.dll.

Drops file api-ms-win-crt-private-l1-1-0.dll.

Drops file api-ms-win-crt-process-l1-1-0.dll.

Drops file api-ms-win-crt-runtime-l1-1-0.dll.

Drops file api-ms-win-crt-stdio-l1-1-0.dll.

Drops file api-ms-win-crt-string-l1-1-0.dll.

Drops file api-ms-win-crt-time-l1-1-0.dll.

Drops file api-ms-win-crt-utility-l1-1-0.dll.

Drops file api-ms-win-core-file-l1-2-0.dll.

Drops file api-ms-win-core-file-l2-1-0.dll.

Drops file api-ms-win-core-handle-l1-1-0.dll.

Drops file api-ms-win-core-heap-l1-1-0.dll.

Drops file api-ms-win-core-interlocked-l1-1-0.dll.

Drops file api-ms-win-core-libraryloader-l1-1-0.dll.

Drops file api-ms-win-core-localization-l1-2-0.dll.

Drops file api-ms-win-core-memory-l1-1-0.dll.

•

X-Ray Vision for Malware - www.vmray.com 4 / 38

(5)

Score Category Operation Count Classification

1/5 Execution Executes itself 1 -

(Process #1) 232fed8b22dd0e13e7d2987cb4ed4419.exe executes a copy of the sample at C:\Users\RDhJ0CNFevzX\Desktop\232fed8b22dd0e13e7d2987cb4ed4419.exe.

•

1/5 Network Connection Downloads file 1 -

(Process #2) applaunch.exe downloads file via http from 185.163.204.24//l/f/PWqvMH4BZ2GIX1a3IGUb/6d58844a6006821423796d5f4bc56685942e376f.

•

1/5 Network Connection Downloads executable 1 Downloader

(Process #2) applaunch.exe downloads executable via http from 185.163.204.24//l/f/PWqvMH4BZ2GIX1a3IGUb/ee7de4c264126f5e0e96bf971f5c3c6ca0b62aaf.

•

1/5 Crash A monitored process crashed 1 -

(Process #1) 232fed8b22dd0e13e7d2987cb4ed4419.exe crashed.

•

- Trusted Known clean file 57 -

(6)

Embedded file "nssdbm3.dll" is a known clean file.

Embedded file "prldap60.dll" is a known clean file.

Embedded file "qipcap.dll" is a known clean file.

Embedded file "softokn3.dll" is a known clean file.

Embedded file "ucrtbase.dll" is a known clean file.

Embedded file "vcruntime140.dll" is a known clean file.

Embedded file "AccessibleHandler.dll" is a known clean file.

Embedded file "AccessibleMarshal.dll" is a known clean file.

Embedded file "breakpadinjector.dll" is a known clean file.

Embedded file "freebl3.dll" is a known clean file.

Embedded file "IA2Marshal.dll" is a known clean file.

Embedded file "ldap60.dll" is a known clean file.

Embedded file "ldif60.dll" is a known clean file.

Embedded file "lgpllibs.dll" is a known clean file.

Embedded file "libEGL.dll" is a known clean file.

Embedded file "MapiProxy.dll" is a known clean file.

Embedded file "mozglue.dll" is a known clean file.

Embedded file "mozMapi32.dll" is a known clean file.

Embedded file "msvcp140.dll" is a known clean file.

Embedded file "nss3.dll" is a known clean file.

Embedded file "nssckbi.dll" is a known clean file.

Embedded file "api-ms-win-core-namedpipe-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-core-processenvironment-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-core-processthreads-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-core-processthreads-l1-1-1.dll" is a known clean file.

Embedded file "api-ms-win-core-profile-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-core-rtlsupport-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-core-string-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-core-synch-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-core-synch-l1-2-0.dll" is a known clean file.

Embedded file "api-ms-win-core-sysinfo-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-core-timezone-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-core-util-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-crt-conio-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-crt-convert-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-crt-environment-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-crt-filesystem-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-crt-heap-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-crt-locale-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-crt-math-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-crt-multibyte-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-crt-private-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-crt-process-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-crt-runtime-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-crt-stdio-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-crt-string-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-crt-time-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-crt-utility-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-core-file-l1-2-0.dll" is a known clean file.

Embedded file "api-ms-win-core-file-l2-1-0.dll" is a known clean file.

Embedded file "api-ms-win-core-handle-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-core-heap-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-core-interlocked-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-core-libraryloader-l1-1-0.dll" is a known clean file.

Embedded file "api-ms-win-core-localization-l1-2-0.dll" is a known clean file.

Embedded file "api-ms-win-core-memory-l1-1-0.dll" is a known clean file.

File "C:\Users\RDhJ0CNFevzX\AppData\LocalLow\sqlite3.dll" is a known clean file.

•

X-Ray Vision for Malware - www.vmray.com 6 / 38

(7)

Score Category Operation Count Classification

- Trusted Executable has a trusted signature 18 -

Executable nssdbm3.dll has a trusted signature.

Executable prldap60.dll has a trusted signature.

Executable qipcap.dll has a trusted signature.

Executable softokn3.dll has a trusted signature.

Executable AccessibleHandler.dll has a trusted signature.

Executable AccessibleMarshal.dll has a trusted signature.

Executable breakpadinjector.dll has a trusted signature.

Executable freebl3.dll has a trusted signature.

Executable IA2Marshal.dll has a trusted signature.

Executable ldap60.dll has a trusted signature.

Executable ldif60.dll has a trusted signature.

Executable lgpllibs.dll has a trusted signature.

Executable libEGL.dll has a trusted signature.

Executable MapiProxy.dll has a trusted signature.

Executable mozglue.dll has a trusted signature.

Executable mozMapi32.dll has a trusted signature.

Executable nss3.dll has a trusted signature.

Executable nssckbi.dll has a trusted signature.

•

(8)

Mitre ATT&CK Matrix

Initial Access Execution Persistence Privilege Escalation

Defense Evasion

Credential

Access Discovery Lateral

Movement Collection Command

and Control Exfiltration Impact

#T1497 Virtualization/

Sandbox Evasion

#T1081 Credentials in

Files

#T1497 Virtualization/

Sandbox Evasion

#T1105 Remote File

Copy

#T1119 Automated

Collection

#T1071 Standard Application Layer Protocol

#T1143 Hidden Window

#T1214 Credentials in

Registry

#T1012 Query Registry

#T1005 Data from Local

System

#T1105 Remote File

Copy

#T1045 Software Packing

#T1003 Credential

Dumping

#T1082 System Information

Discovery

#T1027 Obfuscated

Files or Information

#T1083 File and Directory

Discovery

#T1217 Browser Bookmark Discovery

X-Ray Vision for Malware - www.vmray.com 8 / 38

(9)

Sample Information

Analysis Information

ID #3246943

MD5 232fed8b22dd0e13e7d2987cb4ed4419

SHA1 2bedcc61bee293152d95a115ac94119057039fa2

SHA256 1cfa7d9edcfe5a277e5c7f20e702a6b2cfd652e6f812b8203f5ed8fa9070994d

SSDeep 49152:f11TMbOvnRl9QwfWgSLSo+pjIyQ32pEYKn70JON5Na5kH:t1TyOvJfVonyQmpEYKn70cNrWm

ImpHash f6af73011d9ad7cbccf66eb190442910

File Name 232fed8b22dd0e13e7d2987cb4ed4419.exe

File Size 1998.50 KB

Sample Type Windows Exe (x86-32)

Has Macros

Creation Time 2022-01-07 15:28 (UTC+1)

Analysis Duration 00:04:00

Termination Reason Sample crashed

Number of Monitored Processes 6

Execution Successful False

Reputation Enabled

WHOIS Enabled

Built-in AV Enabled

Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of AV Matches 0

YARA Enabled

YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of YARA Matches 3

(10)

X-Ray Vision for Malware - www.vmray.com 10 / 38

(11)

Screenshots truncated

(12)

NETWORK

General

DNS

HTTP/S

HTTP Requests

Method URL Dest. IP Dest. Port Status Code Response Size Verdict

71.41 KB total sent

3775.90 KB total received 1 ports 80

2 contacted IP addresses

0 URLs extracted 2 files downloaded

0 malicious hosts detected

0 DNS requests for 0 domains 0 nameservers contacted

0 total requests returned errors

4 URLs contacted, 2 servers

3 sessions, 71.41 KB sent, 3775.90 KB received

GET 5.181.156.155/five51omw - - 0 bytes NA

POST 185.163.204.24/ - - 0 bytes NA

GET 185.163.204.24//l/f/PWqvMH4BZ2GIX1a3IGUb/

ee7de4c264126f5e0e96bf971f5c3c6ca0b62aaf - - 0 bytes NA

GET 185.163.204.24//l/f/PWqvMH4BZ2GIX1a3IGUb/

6d58844a6006821423796d5f4bc56685942e376f - - 0 bytes NA

X-Ray Vision for Malware - www.vmray.com 12 / 38

(13)

BEHAVIOR

Process Graph

Sample Start #1

232fed8b22dd0e13e7d2987cb4ed4419.exe

#2 applaunch.exe Modify Memory

Modify Control Flow Child Process

#3 werfault.exe Child Process

#4

232fed8b22dd0e13e7d2987cb4ed4419.exe Child Process

#6 cmd.exe

Child Process #8

timeout.exe Child Process

(14)

Process #1: 232fed8b22dd0e13e7d2987cb4ed4419.exe

Host Behavior

Type Count

ID 1

File Name c:\users\rdhj0cnfevzx\desktop\232fed8b22dd0e13e7d2987cb4ed4419.exe Command Line "C:\Users\RDhJ0CNFevzX\Desktop\232fed8b22dd0e13e7d2987cb4ed4419.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 70339, Reason: Analysis Target Unmonitor End Time End Time: 162322, Reason: Crashed

Monitor duration 91.98s

Return Code 3221225477

PID 3804

Parent PID 1560

Bitness 32 Bit

Module 320

Registry 11

Keyboard 1

System 7

- 1

File 5

Process 1

Environment 1

- 3

- 9

X-Ray Vision for Malware - www.vmray.com 14 / 38

(15)

Process #2: applaunch.exe

Injection Information (3)

Injection Type Source Process Source / Target TID Address / Name Size Success Count

Dropped Files (61)

File Name File Size SHA256 YARA Match

ID 2

File Name c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe Command Line "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 119383, Reason: Child Process Unmonitor End Time End Time: 212134, Reason: Terminated

Return Code 0

PID 1880

Parent PID 3804

Bitness 32 Bit

Modify Memory

#1: c:

\users\rdhj0cnfevzx\desktop

\232fed8b22dd0e13e7d2987 cb4ed4419.exe

0xa94 0x400000(4194304) 0x95000 1

Modify Memory

#1: c:

0xa94 0x2eb008(3059720) 0x4 1

Modify Control Flow

#1: c:

0xa94 / 0x760 0x77c08fe0(2009108448) - 1

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\sqlite3.dll 895.25 KB 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844 e5f7

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\ucrtbase.dll 1115.30 KB 0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ce b7a9

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\api-ms-win-

core-string-l1-1-0.dll 17.80 KB 7670fdede524a485c13b11a7c878015e9b0d441b7d8eb15ca675ad6b9c9

a7311

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\MapiProxy.dll 19.45 KB bcfb0e397df40aba8c8c5dd23c13c414345decdd3d4b2df946226be97def bf30

core-util-l1-1-0.dll 17.80 KB f7d450a0f59151bcefb98d20fcae35f76029df57138002db5651d1b6a33ad

c86 C:

\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\AccessibleMars

hal.dll 25.45 KB d368eb240106f87188c4f2ae30db793a2d250d9344f0e0267d4f6a58e681

52ad

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\mozglue.dll 133.95 KB a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188 cc

crt-conio-l1-1-0.dll 18.80 KB 9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb43

67f2

crt-process-l1-1-0.dll 18.80 KB c03124ba691b187917ba79078c66e12cbf5387a3741203070ba23980aa4

71e8b C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\api-ms-win-

crt-filesystem-l1-1-0.dll 19.80 KB 7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018

ed2

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\qipcap.dll 15.95 KB 7a589024cf0eeb59f020f91be4fe7ee0c90694c92918a467d5277574ac25 a5a2

core-processenvironment-l1-1-0.dll 18.80 KB 96898930ffb338da45497be019ae1adcd63c5851141169d3023e53ce4c7 a483e

(16)

File Name File Size SHA256 YARA Match C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\api-ms-win-

crt-stdio-l1-1-0.dll 23.80 KB b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff

0df7

core-handle-l1-1-0.dll 17.80 KB 945cc64ee04b1964c1f9fcdc3124dd83973d332f5cfb696cdf128ca5c4cbd

0e5

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\msvcp140.dll 429.80 KB 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e1 3d4

core-localization-l1-2-0.dll 20.30 KB 03ad57c24ff2cf895b5f533f0ecbd10266fd8634c6b9053cc9cb33b814ad5

d97

C:

\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\breakpadinjector.

dll 114.95 KB 87ed943d2f06d9ca8824789405b412e770fe84454950ec7e96105f756d85

8e52

core-synch-l1-2-0.dll 18.30 KB 30d99ce1d732f6c9cf82671e1d9088aa94e720382066b79175e2d16778a

3dad1 C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\api-ms-win-

crt-heap-l1-1-0.dll 18.80 KB f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a

113d

core-libraryloader-l1-1-0.dll 18.30 KB bb25ccf8694d1fcfce85a7159dcf6985fdb54728d29b021cb3d14242f6590

9ce

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\IA2Marshal.dll 68.95 KB 621f38bd19f62c9ce6826d492ecdf710c00bbdcf1fb4e4815883f29f1431df da

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\nss3.dll 1215.95 KB 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f17 53d5

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\prldap60.dll 23.45 KB 46b005817868f91cf60baa052ee96436fc6194ce9a61e93260df5037cdfa3 7a5

crt-time-l1-1-0.dll 20.30 KB 69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a91

9cb5d

C:

\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\AccessibleHandl

er.dll 120.45 KB a1a2bb03a7cfcea8944845a8fc12974482f44b44fd20be73298ffd630f65d8

d0

crt-private-l1-1-0.dll 71.30 KB 65ded8d2ce159b2f5569f55b2caf0e2c90f3694bd88c89de790a15a49d83

86b9

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\mozMapi32.dll 81.45 KB 06ef2010b738fbe99bcdebbf162473a4ee090678bb6862eeb0d4c7a8c3f2 25bb

core-interlocked-l1-1-0.dll 17.44 KB deccd75fc3fc2bb31338b6fe26deffbd7914c6cd6a907e76fd4931b7d1417

18c

core-rtlsupport-l1-1-0.dll 17.30 KB 2257fea1e71f7058439b3727ed68ef048bd91dcacd64762eb5c64a9d49df

0b57

crt-convert-l1-1-0.dll 21.80 KB 3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58

e44d1

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\nssckbi.dll 328.45 KB 2481da1c459a2429a933d19ad6ae514bd2ae59818246ddb67b0ef44146c ed3d8

core-memory-l1-1-0.dll 18.30 KB bb33a9e906a5863043753c44f6f8165afe4d5edb7e55efa4c7e6e1ed9077

8eca

core-profile-l1-1-0.dll 17.30 KB 8eb5270fa99069709c846db38be743a1a80a42aa1a88776131f79e1d07c

c411c C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\api-ms-win-

core-namedpipe-l1-1-0.dll 17.80 KB c4f60f911068ab6d7f578d449ba7b5b9969f08fc683fd0ce8e2705bbf061f5

07

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\ldap60.dll 128.95 KB 2b128b3702f8509f35cad0d657c9a00f0487b93d70336df229f8588fba6ba 926

crt-multibyte-l1-1-0.dll 25.80 KB 66abf3a1147751c95689f5bc6a259e55281ec3d06d3332dd0ba464effa71

6735

core-heap-l1-1-0.dll 17.80 KB 44f6df4280c8ecc9c6e609b1a4bfee041332d337d84679cfe0d6678ce8f29

98a C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\api-ms-win-

core-file-l1-2-0.dll 17.80 KB c8c499b012d0d63b7afc8b4ca42d6d996b2fcf2e8b5f94cacfbec9e6f33e8

a03

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\ldif60.dll 19.95 KB 3aabbe0aa86ce8a91e5c49b7de577af73b9889d7f03af919f17f3f315a879 b0f

crt-environment-l1-1-0.dll 18.30 KB c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a6

1382

X-Ray Vision for Malware - www.vmray.com 16 / 38

(17)

File Name File Size SHA256 YARA Match

Host Behavior

Type Count

crt-locale-l1-1-0.dll 18.30 KB 565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b9605

1c33

crt-runtime-l1-1-0.dll 22.30 KB c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648

ea60b C:

\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\vcruntime140.dll 81.82 KB c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c 14d

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\nssdbm3.dll 90.45 KB be3987a6cd970ff570a916774eb3d4e1edce675e70edac1baf5e21046856 10b0

crt-math-l1-1-0.dll 28.30 KB bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185d

cfed

core-file-l2-1-0.dll 17.80 KB c85dc081b1964b77d289aac43cc64746e7b141d036f248a731601eb98f8

27719

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\lgpllibs.dll 54.45 KB 7f93b70257d966ea1c1a6038892b19e8360aadd8e8ae58e75ebb0697b9e a8786

core-processthreads-l1-1-1.dll 18.30 KB 91eeb842973495deb98cef0377240d2f9c3d370ac4cf513fd215857e9f265

a6a

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\libEGL.dll 21.95 KB 7b9fc6be34f43d39471c2add872d5b4350853db11cc66a323ef9e0c23154 2fb9

crt-string-l1-1-0.dll 22.94 KB 73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a084

50c C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\api-ms-win-

crt-utility-l1-1-0.dll 18.30 KB a1d1d6b0cb0a8421d7c0d1297c4c389c95514493cd0a386b49dc517ac1

b9a2b0

core-synch-l1-1-0.dll 19.80 KB 5dd4ccd63e6ed07ca3987ab5634ca4207d69c47c2544dfefc4193561765

2820f

core-timezone-l1-1-0.dll 17.80 KB 24c9aa0b70e557a49dac159c825a013a71a190df5e7a837bfa047a06bba

59eca C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\api-ms-win-

core-processthreads-l1-1-0.dll 18.94 KB 9dab884071b1f7d7a167f9bec94ba2bee875e3365603fa29b31de286c6a9

7a1d

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\softokn3.dll 141.45 KB 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b6 51871

core-sysinfo-l1-1-0.dll 18.80 KB 4b704b36e1672ae02e697efd1bf46f11b42d776550ba34a90cd189f6c5c6

1f92

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\freebl3.dll 326.45 KB 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032 da97

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\kG5qO5.zip 2762.03 KB 4cfada7eb51a6c0cb26283f9c86784b2b2587c59c46a5d3dc0f06cad2c55 ee97

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\outlook.txt 134 bytes 33897c27a1f9608d3f7f99c801fa58039911fa834c475d9b949baa3fc2d11 4d8

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\kO1-vQ-9wU 931 bytes 660191ed5a4736c04d52641d139f75f0a04c221f03ffcb3a10c1f17c53082 5ac

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\jYcrYqxP9Dw.zip 916 bytes 22005ce8de0703b47d5de4e7aebf90cd911bba76a33ba98cfbae828f6c90 1dd1

Module 66

File 10652

System 36

Environment 50

User 4

Mutex 2

Process 1

Registry 1022

COM 1

(18)

Type Count

Network Behavior

Type Count

- 138

HTTP 5

TCP 3

X-Ray Vision for Malware - www.vmray.com 18 / 38

(19)

Process #3: werfault.exe

ID 3

File Name c:\windows\syswow64\werfault.exe

Command Line C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 432

Initial Working Directory C:\Windows\system32\

Return Code 0

PID 548

Parent PID 3804

Bitness 32 Bit

(20)

Process #4: 232fed8b22dd0e13e7d2987cb4ed4419.exe

ID 4

File Name c:\users\rdhj0cnfevzx\desktop\232fed8b22dd0e13e7d2987cb4ed4419.exe Command Line "C:\Users\RDhJ0CNFevzX\Desktop\232fed8b22dd0e13e7d2987cb4ed4419.exe"

Initial Working Directory C:\Windows\

Return Code 259

PID 3116

Parent PID 3804

Bitness 32 Bit

X-Ray Vision for Malware - www.vmray.com 20 / 38

(21)

Process #6: cmd.exe

Host Behavior

Type Count

ID 6

File Name c:\windows\syswow64\cmd.exe

Command Line cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\AppData\LocalLow\

Return Code 0

PID 952

Parent PID 1880

Bitness 32 Bit

Module 8

Registry 17

File 43

Environment 19

System 1

Process 1

(22)

Process #8: timeout.exe

Host Behavior

Type Count

ID 8

File Name c:\windows\syswow64\timeout.exe

Command Line timeout /T 10 /NOBREAK

Initial Working Directory C:\Users\RDhJ0CNFevzX\AppData\LocalLow\

Return Code 0

PID 2860

Parent PID 952

Bitness 32 Bit

Module 2

System 177

File 69

X-Ray Vision for Malware - www.vmray.com 22 / 38

(23)

ARTIFACTS

File

SHA256 File Names Category File Size MIME Type Operations Verdict

1cfa7d9edcfe5a277e5c7f20e 702a6b2cfd652e6f812b8203f 5ed8fa9070994d

C:

\Users\RDhJ0CNFevzX\Desktop\232f

ed8b22dd0e13e7d2987cb4ed4419.exe Sample File 1998.50 KB

application/

vnd.microsoft.portable-

executable Access MALICIOUS

33897c27a1f9608d3f7f99c80 1fa58039911fa834c475d9b9 49baa3fc2d114d8

mails/outlook.txt, C:

\Users\RDhJ0CNFevzX\AppData\Loc

alLow\outlook.txt, outlook.txt Dropped File 134 bytes text/plain Access, Write, Read, Create CLEAN

be3987a6cd970ff570a91677 4eb3d4e1edce675e70edac1 baf5e2104685610b0

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\nssdbm3.dll, nssdbm3.dll

Embedded File 90.45 KB application/

vnd.microsoft.portable- executable

Access, Write, Create,

Delete ^CLEAN

46b005817868f91cf60baa05 2ee96436fc6194ce9a61e932 60df5037cdfa37a5

C:

alLow\hJ0aK0\prldap60.dll, prldap60.dll Embedded File 23.45 KB application/

Delete ^CLEAN

7a589024cf0eeb59f020f91be 4fe7ee0c90694c92918a467d 5277574ac25a5a2

C:

alLow\hJ0aK0\qipcap.dll, qipcap.dll Embedded File 15.95 KB application/

Delete ^CLEAN

25a4dae37120426ab060ebb 39b7030b3e7c1093cc34b08 77f223b6843b651871

softokn3.dll, C:

alLow\hJ0aK0\softokn3.dll Embedded File 141.45 KB

application/

Delete ^CLEAN

0bb8c77de80acf9c43de59a8 fd75e611cc3eb8200c69f11e 94389e8af2ceb7a9

C:

alLow\hJ0aK0\ucrtbase.dll, ucrtbase.dll Embedded File 1115.30 KB application/

Delete ^CLEAN

c40bb03199a2054dabfc7a8e 01d6098e91de7193619effbd 0f142a7bf031c14d

vcruntime140.dll, C:

alLow\hJ0aK0\vcruntime140.dll Embedded File 81.82 KB application/

Delete ^CLEAN

a1a2bb03a7cfcea8944845a8 fc12974482f44b44fd20be732 98ffd630f65d8d0

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\AccessibleHandler.dll, AccessibleHandler.dll

Delete ^CLEAN

d368eb240106f87188c4f2ae 30db793a2d250d9344f0e026 7d4f6a58e68152ad

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\AccessibleMarshal.dll, AccessibleMarshal.dll

Delete ^CLEAN

87ed943d2f06d9ca88247894 05b412e770fe84454950ec7e 96105f756d858e52

breakpadinjector.dll, C:

alLow\hJ0aK0\breakpadinjector.dll Embedded File 114.95 KB application/

Delete ^CLEAN

9876c53134dbbec4dcca675 81f53638eba3fea3a15491aa 3cf2526b71032da97

freebl3.dll, C:

alLow\hJ0aK0\freebl3.dll Embedded File 326.45 KB application/

Delete ^CLEAN

621f38bd19f62c9ce6826d49 2ecdf710c00bbdcf1fb4e4815 883f29f1431dfda

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\IA2Marshal.dll, IA2Marshal.dll

Delete ^CLEAN

2b128b3702f8509f35cad0d6 57c9a00f0487b93d70336df2 29f8588fba6ba926

ldap60.dll, C:

alLow\hJ0aK0\ldap60.dll Embedded File 128.95 KB application/

Delete ^CLEAN

3aabbe0aa86ce8a91e5c49b 7de577af73b9889d7f03af919 f17f3f315a879b0f

ldif60.dll, C:

alLow\hJ0aK0\ldif60.dll Embedded File 19.95 KB application/

Delete ^CLEAN

7f93b70257d966ea1c1a6038 892b19e8360aadd8e8ae58e 75ebb0697b9ea8786

lgpllibs.dll, C:

alLow\hJ0aK0\lgpllibs.dll Embedded File 54.45 KB application/

Delete ^CLEAN

7b9fc6be34f43d39471c2add 872d5b4350853db11cc66a3 23ef9e0c231542fb9

libEGL.dll, C:

alLow\hJ0aK0\libEGL.dll Embedded File 21.95 KB application/

Delete ^CLEAN

bcfb0e397df40aba8c8c5dd2 3c13c414345decdd3d4b2df9 46226be97defbf30

MapiProxy_InUse.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\MapiProxy_InUse.dll, MapiProxy.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\MapiProxy.dll

Delete ^CLEAN

a0c6630d4012ae0311ff40f4f 06911bcf1a23f7a4762ce219 b8dffa012d188cc

C:

alLow\hJ0aK0\mozglue.dll, mozglue.dll Embedded File 133.95 KB application/

Delete ^CLEAN

(24)

06ef2010b738fbe99bcdebbf1 62473a4ee090678bb6862ee b0d4c7a8c3f225bb

mozMapi32.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\mozMapi32_InUse.dll, mozMapi32_InUse.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\mozMapi32.dll

Delete ^CLEAN

334e69ac9367f708ce601a6f 490ff227d6c20636da5222f14 8b25831d22e13d4

msvcp140.dll, C:

alLow\hJ0aK0\msvcp140.dll Embedded File 429.80 KB application/

Delete ^CLEAN

1989526553fd1e1e49b0fea8 036822ca062d3d39c4cab4a 37846173d0f1753d5

C:

alLow\hJ0aK0\nss3.dll, nss3.dll Embedded File 1215.95 KB application/

Delete ^CLEAN

2481da1c459a2429a933d19 ad6ae514bd2ae59818246dd b67b0ef44146ced3d8

C:

alLow\hJ0aK0\nssckbi.dll, nssckbi.dll Embedded File 328.45 KB

application/

Delete ^CLEAN

c4f60f911068ab6d7f578d449 ba7b5b9969f08fc683fd0ce8e 2705bbf061f507

api-ms-win-core-namedpipe-l1-1-0.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core- namedpipe-l1-1-0.dll

Delete ^CLEAN

96898930ffb338da45497be0 19ae1adcd63c5851141169d 3023e53ce4c7a483e

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core- processenvironment-l1-1-0.dll, api- ms-win-core-processenvironment- l1-1-0.dll

Delete ^CLEAN

9dab884071b1f7d7a167f9be c94ba2bee875e3365603fa29 b31de286c6a97a1d

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core- processthreads-l1-1-0.dll, api-ms-win- core-processthreads-l1-1-0.dll

Delete ^CLEAN

91eeb842973495deb98cef03 77240d2f9c3d370ac4cf513fd 215857e9f265a6a

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core- processthreads-l1-1-1.dll, api-ms-win- core-processthreads-l1-1-1.dll

Delete ^CLEAN

8eb5270fa99069709c846db3 8be743a1a80a42aa1a88776 131f79e1d07cc411c

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core- profile-l1-1-0.dll, api-ms-win-core- profile-l1-1-0.dll

Delete ^CLEAN

2257fea1e71f7058439b3727 ed68ef048bd91dcacd64762e b5c64a9d49df0b57

api-ms-win-core-rtlsupport-l1-1-0.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core- rtlsupport-l1-1-0.dll

Delete ^CLEAN

7670fdede524a485c13b11a7 c878015e9b0d441b7d8eb15 ca675ad6b9c9a7311

api-ms-win-core-string-l1-1-0.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core-string- l1-1-0.dll

Delete ^CLEAN

5dd4ccd63e6ed07ca3987ab 5634ca4207d69c47c2544dfe fc41935617652820f

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core-synch- l1-1-0.dll, api-ms-win-core-synch- l1-1-0.dll

Delete ^CLEAN

30d99ce1d732f6c9cf82671e 1d9088aa94e720382066b79 175e2d16778a3dad1

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core-synch- l1-2-0.dll, api-ms-win-core-synch- l1-2-0.dll

Embedded File 18.30 KB

application/

Delete ^CLEAN

4b704b36e1672ae02e697efd 1bf46f11b42d776550ba34a9 0cd189f6c5c61f92

api-ms-win-core-sysinfo-l1-1-0.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core- sysinfo-l1-1-0.dll

Delete ^CLEAN

24c9aa0b70e557a49dac159 c825a013a71a190df5e7a837 bfa047a06bba59eca

api-ms-win-core-timezone-l1-1-0.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core- timezone-l1-1-0.dll

Delete ^CLEAN

f7d450a0f59151bcefb98d20f cae35f76029df57138002db5 651d1b6a33adc86

api-ms-win-core-util-l1-1-0.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core-util- l1-1-0.dll

Delete ^CLEAN

X-Ray Vision for Malware - www.vmray.com 24 / 38

(25)

SHA256 File Names Category File Size MIME Type Operations Verdict 9ca21763c528584bdb4efebe

914faaf792c9d7360677c87e 93bd7ba7bb4367f2

api-ms-win-crt-conio-l1-1-0.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-crt-conio- l1-1-0.dll

Delete ^CLEAN

3cc1377d495260c380e8d22 5e5ee889cbb2ed22e79862d 4278cfa898e58e44d1

api-ms-win-crt-convert-l1-1-0.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-crt-convert- l1-1-0.dll

Delete ^CLEAN

c0d75d1887c32a1b1006b3cf fc29df84a0d73c435cdcb404 b6964be176a61382

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-crt- environment-l1-1-0.dll, api-ms-win- crt-environment-l1-1-0.dll

Delete ^CLEAN

7633774effe7c0add6752ffe9 0104d633fc8262c87871d096 c2fc07c20018ed2

api-ms-win-crt-filesystem-l1-1-0.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-crt- filesystem-l1-1-0.dll

Delete ^CLEAN

f5cf623ba14b017af4aec6c15 eee446c647ab6d2a5dee9d6 975adc69994a113d

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-crt-heap- l1-1-0.dll, api-ms-win-crt-heap- l1-1-0.dll

Embedded File 18.80 KB

application/

Delete ^CLEAN

565a2eec5449eeeed68b430f 2e9b92507f979174f9c9a71d 0c36d58b96051c33

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-crt-locale- l1-1-0.dll, api-ms-win-crt-locale- l1-1-0.dll

Delete ^CLEAN

bece7bab83a5d0ec5c35f084 1cbbf413e01ac878550fbdb3 4816ed55185dcfed

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-crt-math- l1-1-0.dll, api-ms-win-crt-math- l1-1-0.dll

Delete ^CLEAN

66abf3a1147751c95689f5bc 6a259e55281ec3d06d3332d d0ba464effa716735

api-ms-win-crt-multibyte-l1-1-0.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-crt- multibyte-l1-1-0.dll

Delete ^CLEAN

65ded8d2ce159b2f5569f55b 2caf0e2c90f3694bd88c89de 790a15a49d8386b9

api-ms-win-crt-private-l1-1-0.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-crt-private- l1-1-0.dll

Delete ^CLEAN

c03124ba691b187917ba790 78c66e12cbf5387a37412030 70ba23980aa471e8b

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-crt- process-l1-1-0.dll, api-ms-win-crt- process-l1-1-0.dll

Delete ^CLEAN

c9bbc07a033bab6a828ecc3 0648b501121586f6f53346b1 cd0649d7b648ea60b

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-crt-runtime- l1-1-0.dll, api-ms-win-crt-runtime- l1-1-0.dll

Delete ^CLEAN

b1e702b840aebe2e9244cd4 1512d158a43e6e9516cd201 5a84eb962fa3ff0df7

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-crt-stdio- l1-1-0.dll, api-ms-win-crt-stdio- l1-1-0.dll

Delete ^CLEAN

73cc56f20268bfb329ccd891 822e2e70dd70fe21fc7101de b3fa30c34a08450c

api-ms-win-crt-string-l1-1-0.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-crt-string- l1-1-0.dll

Delete ^CLEAN

69885fd581641b4a680846f9 3c2dd21e5dd8e3ba3740978 3bc5b3160a919cb5d

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-crt-time- l1-1-0.dll, api-ms-win-crt-time- l1-1-0.dll

Delete ^CLEAN

a1d1d6b0cb0a8421d7c0d12 97c4c389c95514493cd0a38 6b49dc517ac1b9a2b0

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-crt-utility- l1-1-0.dll, api-ms-win-crt-utility- l1-1-0.dll

Delete ^CLEAN

c8c499b012d0d63b7afc8b4c a42d6d996b2fcf2e8b5f94cac fbec9e6f33e8a03

api-ms-win-core-file-l1-2-0.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core-file- l1-2-0.dll

Delete ^CLEAN

(26)

Filename

File Name Category Operations Verdict

c85dc081b1964b77d289aac 43cc64746e7b141d036f248a 731601eb98f827719

api-ms-win-core-file-l2-1-0.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core-file- l2-1-0.dll

Delete ^CLEAN

945cc64ee04b1964c1f9fcdc 3124dd83973d332f5cfb696c df128ca5c4cbd0e5

api-ms-win-core-handle-l1-1-0.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core- handle-l1-1-0.dll

Delete ^CLEAN

44f6df4280c8ecc9c6e609b1 a4bfee041332d337d84679cf e0d6678ce8f2998a

api-ms-win-core-heap-l1-1-0.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core-heap- l1-1-0.dll

Delete ^CLEAN

deccd75fc3fc2bb31338b6fe2 6deffbd7914c6cd6a907e76fd 4931b7d141718c

api-ms-win-core-interlocked-l1-1-0.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core- interlocked-l1-1-0.dll

Delete ^CLEAN

bb25ccf8694d1fcfce85a7159 dcf6985fdb54728d29b021cb 3d14242f65909ce

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core- libraryloader-l1-1-0.dll, api-ms-win- core-libraryloader-l1-1-0.dll

Delete ^CLEAN

03ad57c24ff2cf895b5f533f0e cbd10266fd8634c6b9053cc9 cb33b814ad5d97

api-ms-win-core-localization- l1-2-0.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core- localization-l1-2-0.dll

Delete ^CLEAN

bb33a9e906a5863043753c4 4f6f8165afe4d5edb7e55efa4 c7e6e1ed90778eca

api-ms-win-core-memory-l1-1-0.dll, C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\api-ms-win-core- memory-l1-1-0.dll

Delete ^CLEAN

22005ce8de0703b47d5de4e 7aebf90cd911bba76a33ba98 cfbae828f6c901dd1

C:

alLow\jYcrYqxP9Dw.zip Dropped File 916 bytes application/zip Access, Write, Create,

Delete, Read ^CLEAN

660191ed5a4736c04d52641 d139f75f0a04c221f03ffcb3a1 0c1f17c530825ac

System Info.txt, C:

alLow\kO1-vQ-9wU Embedded File 931 bytes text/plain Access, Write, Create,

83bc57dcf282264f2b00c21c e0339eac20fcb7401f7c5472 c0cd0c014844e5f7

C:

alLow\sqlite3.dll Downloaded File 895.25 KB application/

Delete ^CLEAN

4cfada7eb51a6c0cb26283f9 c86784b2b2587c59c46a5d3 dc0f06cad2c55ee97

C:

\Users\RDhJ0CNFevzX\AppData\Loc alLow\hJ0aK0\kG5qO5.zip

Downloaded File 2762.03 KB application/zip Access, Write, Create,

C:

\Users\RDhJ0CNFevzX\Desktop\232fed8b22dd0e13e7d2987cb4ed44

19.exe Sample File Access CLEAN

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Accessed File Access, Delete CLEAN

System Paging File Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Binance Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\1password Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\bitwarden\data.json Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\atomic Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Daedalus Mainnet Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Electrum\wallets Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Electrum-LTC\wallets Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\ElectronCash\wallets Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\exodus Accessed File Access CLEAN

X-Ray Vision for Malware - www.vmray.com 26 / 38

(27)

C:\Users\RDhJ0CNFevzX\AppData\Local\Blockstream\Green Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Guarda Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\com.liberty.jaxx Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Jaxx Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\MyMonero Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\Documents\Monero\wallets Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\WalletWasabi\Client Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Ledger Live Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\sqlite3.dll Downloaded File Access, Write, Create,

Delete ^CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Opera Software Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0 Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\nss3.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\kG5qO5.zip Downloaded File Access, Write, Create,

C:\Users\RDhJ0CNFevzX\AppData\Roaming\discord Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\outlook.txt Dropped File Access, Write, Read, Create CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\ Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\nssdbm3.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\prldap60.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\qipcap.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\softokn3.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\ucrtbase.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:

\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\vcruntime140.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:

\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\AccessibleHandl

er.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:

\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\AccessibleMars

hal.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:

\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\breakpadinjector.

dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\freebl3.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\IA2Marshal.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\ldap60.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\ldif60.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\lgpllibs.dll Embedded File Access, Write, Create,

Delete ^CLEAN

(28)

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\libEGL.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\MapiProxy.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:

\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\MapiProxy_InUs e.dll

Embedded File Access, Write, Create,

Delete ^CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\mozglue.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\mozMapi32.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:

\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\mozMapi32_InU

se.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\msvcp140.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\nssckbi.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-namedpipe-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-processenvironment-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-processthreads-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-processthreads-l1-1-1.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-profile-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-rtlsupport-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-string-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-synch-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-synch-l1-2-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-sysinfo-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-timezone-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-util-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

crt-conio-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

crt-convert-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

crt-environment-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

crt-filesystem-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

crt-heap-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

crt-locale-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

crt-math-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

crt-multibyte-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

X-Ray Vision for Malware - www.vmray.com 28 / 38

(29)

File Name Category Operations Verdict C:\Users\RDhJ0CNFevzX\AppData\LocalLow\hJ0aK0\api-ms-win-

crt-private-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

crt-process-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

crt-runtime-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

crt-stdio-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

crt-string-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

crt-time-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

crt-utility-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-file-l1-2-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-file-l2-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-handle-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-heap-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-interlocked-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-libraryloader-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-localization-l1-2-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

core-memory-l1-1-0.dll Embedded File Access, Write, Create,

Delete ^CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\kO1-vQ-9wU Dropped File, Embedded File Access, Write, Create,

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\firefox_urls.txt Accessed File Access, Delete CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\chrome_urls.txt Accessed File Access, Delete CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\ie_autofill.txt Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\ie_ftp_data.txt Accessed File Access, Delete CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\thunderbird.txt Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\foxmail.temp Accessed File Access, Delete CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Bither\address.db Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\discord_files\ Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\bitwarden\data.json Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\_1password Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\jYcrYqxP9Dw.zip Dropped File Access, Write, Create,

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\CC.txt Accessed File Access, Delete CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow\oK9mM1 Accessed File Access, Delete CLEAN

C:\Windows\SysWOW64\cmd.exe Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\LocalLow Accessed File Access CLEAN

Nul Accessed File Access, Create CLEAN