DYNAMIC ANALYSIS REPORT #1571150

MALICIOUS

Classifications: Spyware

Threat Names: Agent Tesla v3

Verdict Reason: -

Sample Type Windows Exe (x86-32)

File Name c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe

ID #1571150

MD5 8f397939df9bdae7f68bdcc46c9c7355

SHA1 b45b3dae2669ba530f86bd4e96edcc45ba6b5524

SHA256 c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682

File Size 791.50 KB

Report Created 2022-02-11 08:21 (UTC+1)

Target Environment win10_64_th2_en_mso2016 | exe


OVERVIEW

VMRay Threat Identifiers (13 rules, 13 matches)

Score Category Operation Count Classification

5/5 YARA Malicious content matched by YARA rules 1 Spyware

Rule "AgentTesla_StringDecryption_v3" from ruleset "Malware" has matched on a memory dump for (process #2) c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe.

4/5 Defense Evasion Obscures a file's origin 1 -

(Process #2) c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe tries to delete zone identifier of file "C:\Users\RDhJ0CNFevzX\AppData\Roaming\tKZVPq\tKZVPq.exe".

4/5 System Modification Modifies network configuration 1 -

(Process #2) c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe modifies the hosts file (C:\Windows\system32\drivers\etc\hosts), probably to redirect network traffic.

2/5 Injection Writes into the memory of a process started from a created or modified executable 1 -

(Process #1) c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe modifies memory of (process #2) c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe.

2/5 Injection Modifies control flow of a process started from a created or modified executable 1 -

(Process #1) c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe alters context of (process #2) c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe.

1/5 Hide Tracks Creates process with hidden window 1 -

(Process #1) c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe starts (process #2) c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe with a hidden window.

1/5 Obfuscation Reads from memory of another process 1 -

(Process #1) c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe reads from (process #2) c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe.

1/5 Obfuscation Creates a page with write and execute permissions 1 -

(Process #1) c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

1/5 Privilege Escalation Enables process privilege 1 -

(Process #2) c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe enables process privilege "SeDebugPrivilege".

1/5 Persistence Installs system startup script or application 1 -

(Process #2) c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe adds "C:\Users\RDhJ0CNFevzX\AppData\Roaming\tKZVPq\tKZVPq.exe" to Windows startup via registry.

1/5 System Modification Modifies operating system directory 1 -

(Process #2) c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe creates file "C:\Windows\system32\drivers\etc\hosts" in the OS directory.

1/5 Execution Executes itself 1 -

(Process #1) c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe executes a copy of the sample at C:\Users\RDhJ0CNFevzX\Desktop\c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe.

1/5 Obfuscation Resolves API functions dynamically 1 -

(Process #2) c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe resolves 50 API functions by name.

X-Ray Vision for Malware - www.vmray.com 2 / 18
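Three of the identifiers above describe one chain: an executable is dropped under AppData\Roaming, its Zone.Identifier alternate data stream is deleted so the copy no longer carries the mark of the web, a Run value pointing at it is written, and the hosts file is rewritten. The following Python is an added example, not VMRay code, that correlates such sandbox artifact rows into that chain. The rows are constructed from this report's ARTIFACTS tables; the "Type|Path|Operations" line format, the function names and the scoring are assumptions made for this example.

```python
"""Correlate sandbox file/registry artifact rows into a drop -> unmark -> persist chain.

Added example; not part of the VMRay report. Row format and function names are
this example's own assumptions.
"""
import re
from typing import Any, Dict, List

# Constructed from the ARTIFACTS tables of the report (Type|Path|Operations).
ARTIFACT_ROWS = r"""
File|C:\Users\RDhJ0CNFevzX\AppData\Roaming\tKZVPq\tKZVPq.exe|Access, Create, Write
File|C:\Users\RDhJ0CNFevzX\AppData\Roaming\tKZVPq\tKZVPq.exe:Zone.Identifier|Delete, Access
File|C:\Windows\system32\drivers\etc\hosts|Access, Create, Write
File|C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config|Access, Read
Registry|HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\tKZVPq|access, read, write
Registry|HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger|access, read
"""

# Paths a normal user can write to without elevation (assumption: AppData only).
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# A value written directly under the per-user or machine Run key.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
HOSTS_FILE = re.compile(r"^[A-Z]:\\Windows\\system32\\drivers\\etc\\hosts$", re.IGNORECASE)
ZONE_ADS = ":Zone.Identifier"  # mark-of-the-web alternate data stream


def parse_rows(text: str) -> List[Dict[str, Any]]:
    """Parse 'Type|Path|Operations' lines; operations become a lower-cased set."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, path, ops = line.split("|", 2)
        rows.append({"kind": kind, "path": path,
                     "ops": {o.strip().lower() for o in ops.split(",")}})
    return rows


def correlate(rows: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Collect the four links of the chain from the artifact rows."""
    findings: Dict[str, Any] = {"dropped_executables": [], "motw_stripped": [],
                                "run_key_values": [], "hosts_written": False}
    # Files this process both created and wrote: candidate drops.
    created = {r["path"] for r in rows
               if r["kind"] == "File" and {"create", "write"} <= r["ops"]}
    for path in sorted(created):
        if path.lower().endswith(".exe") and USER_WRITABLE.match(path):
            findings["dropped_executables"].append(path)
    for r in rows:
        p = r["path"]
        if r["kind"] == "File" and p.endswith(ZONE_ADS) and "delete" in r["ops"]:
            host = p[: -len(ZONE_ADS)]
            if host in created:  # ADS deleted on a file the process itself dropped
                findings["motw_stripped"].append(host)
        elif r["kind"] == "Registry" and "write" in r["ops"]:
            m = RUN_KEY.search(p)
            if m:
                findings["run_key_values"].append(m.group(1))
        elif r["kind"] == "File" and HOSTS_FILE.match(p) and "write" in r["ops"]:
            findings["hosts_written"] = True
    return findings


def chain_score(findings: Dict[str, Any]) -> int:
    """Number of chain links present (0-4); 3 or more is a strong signal."""
    return sum([bool(findings["dropped_executables"]),
                bool(findings["motw_stripped"]),
                bool(findings["run_key_values"]),
                bool(findings["hosts_written"])])


if __name__ == "__main__":
    f = correlate(parse_rows(ARTIFACT_ROWS))
    print(f, "score", chain_score(f))
```

Each link on its own is weak (installers write Run values, and some tools strip Zone.Identifier), which is why the example only scores the combination and ties the ADS deletion to a file the same process created.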

Mitre ATT&CK Matrix

Persistence
#T1060 Registry Run Keys / Startup Folder

Defense Evasion
#T1143 Hidden Window
#T1045 Software Packing
#T1112 Modify Registry
#T1096 NTFS File Attributes

Command and Control
#T1090 Connection Proxy

No techniques matched for: Initial Access, Execution, Privilege Escalation, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Impact

Sample Information

MD5 8f397939df9bdae7f68bdcc46c9c7355
SHA1 b45b3dae2669ba530f86bd4e96edcc45ba6b5524
SHA256 c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682
SSDeep 12288:3ArQ5kMCF15D9RHXnQazmuDwm0NfPpGLCGBqiBQIxHeaptGOU2emWbkVJesxRG9D:3A8TiT99XnpwZPM9BqCHx+OQnmW6xo9
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Name c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe
File Size 791.50 KB
Sample Type Windows Exe (x86-32)
Has Macros

Analysis Information

ID #1571150
Creation Time 2022-02-11 08:21 (UTC+1)
Analysis Duration 00:04:00
Termination Reason Timeout
Number of Monitored Processes 3
Execution Successful False
Reputation Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 0
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 1


Screenshots truncated

NETWORK

General
0 bytes total sent
0 bytes total received
0 ports
0 contacted IP addresses
0 URLs extracted
0 files downloaded
0 malicious hosts detected

DNS
0 DNS requests for 0 domains
0 nameservers contacted
0 total requests returned errors

HTTP/S
0 URLs contacted, 0 servers
0 sessions, 0 bytes sent, 0 bytes received

BEHAVIOR

Process Graph

Sample Start
  #1 c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe
    -> Modify Memory, Modify Control Flow, Child Process ->
  #2 c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe

Reboot
  #6 tkzvpq.exe

Process #1: c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe

ID 1
File Name c:\users\rdhj0cnfevzx\desktop\c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 73158, Reason: Analysis Target
Unmonitor End Time End Time: 157980, Reason: Terminated
Monitor duration 84.82s
Return Code 0
PID 3448
Parent PID 1676
Bitness 32 Bit

Host Behavior

Type Count
Module 60
Window 6
Registry 3
File 1
Process 1
- 3
- 7

Process #2: c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe

ID 2
File Name c:\users\rdhj0cnfevzx\desktop\c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 154861, Reason: Child Process
Unmonitor End Time End Time: 226202, Reason: Terminated
Monitor duration 71.34s
Return Code 1073807364
PID 3696
Parent PID 3448
Bitness 32 Bit

Injection Information (6)

Injection Type | Source Process | Source / Target TID | Address / Name | Size | Success | Count
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | 0xd7c | 0x400000 (4194304) | 0x200 | | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | 0xd7c | 0x402000 (4202496) | 0x35800 | | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | 0xd7c | 0x438000 (4423680) | 0x600 | | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | 0xd7c | 0x43a000 (4431872) | 0x200 | | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | 0xd7c | 0x3d4008 (4014088) | 0x4 | | 1
Modify Control Flow | #1: c:\users\rdhj0cnfevzx\desktop\c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | 0xd7c / 0xd48 | - | | | 1

Dropped Files (1)

File Name | File Size | SHA256 | YARA Match
C:\Users\RDhJ0CNFevzX\AppData\Roaming\tKZVPq\tKZVPq.exe | 791.50 KB | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682 |

Host Behavior

Type Count
Module 59
Window 3
System 14
Registry 28
User 2
- 15
File 34
COM 24
Environment 3
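Read as a sequence, the injection rows for process #2 are the classic process-hollowing write order: a header-sized write at the 64 KiB-aligned image base 0x400000, page-aligned writes above it for the sections, a 4-byte write at 0x3d4008 (offset 8 into a page, which matches the PEB ImageBaseAddress field on 32-bit Windows; that is this editor's reading, not a statement of the report), and then a thread-context change. The following Python is an added example, not VMRay code, that applies this heuristic to the rows above. Event field names, thresholds and the benign comparison case are assumptions of this example.

```python
"""Heuristic for a process-hollowing (RunPE) write sequence in cross-process events.

Added example; not part of the VMRay report. Event fields, thresholds and the
benign case are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)
class InjectionEvent:
    kind: str               # "Modify Memory" or "Modify Control Flow"
    source_tid: int         # thread in the injecting process (0xd7c in the report)
    address: Optional[int]  # target address for memory writes, None for context changes
    size: Optional[int]     # bytes written, None for context changes


# Constructed from the report's injection table (process #1 -> process #2).
REPORT_EVENTS: List[InjectionEvent] = [
    InjectionEvent("Modify Memory", 0xd7c, 0x400000, 0x200),    # PE headers at image base
    InjectionEvent("Modify Memory", 0xd7c, 0x402000, 0x35800),  # first section (code)
    InjectionEvent("Modify Memory", 0xd7c, 0x438000, 0x600),    # second section
    InjectionEvent("Modify Memory", 0xd7c, 0x43a000, 0x200),    # third section
    InjectionEvent("Modify Memory", 0xd7c, 0x3d4008, 0x4),      # 4 bytes outside the image
    InjectionEvent("Modify Control Flow", 0xd7c, None, None),   # thread context altered
]

# Constructed negative case: one small write at a heap-like address, no context change.
BENIGN_EVENTS: List[InjectionEvent] = [
    InjectionEvent("Modify Memory", 0x1a4, 0x1f3c5a0, 0x40),
]

PAGE = 0x1000
IMAGE_ALIGN = 0x10000       # PE image bases are 64 KiB aligned
PEB_IMAGEBASE_OFFSET = 0x8  # PEB.ImageBaseAddress on 32-bit Windows (assumed for the heuristic)


def classify_hollowing(events: List[InjectionEvent]) -> Dict[str, Any]:
    """Collect hollowing evidence: header write, section writes, PEB patch, context change."""
    evidence: Dict[str, Any] = {"image_base": None, "header_write": False,
                                "section_writes": 0, "peb_patch": False,
                                "context_change": False}
    writes = [e for e in events if e.kind == "Modify Memory" and e.address is not None]
    if not writes:
        return evidence
    first = writes[0]
    # A PE header is at most one page and lands exactly on an image-aligned base.
    if first.address % IMAGE_ALIGN == 0 and (first.size or 0) <= PAGE:
        evidence["image_base"] = first.address
        evidence["header_write"] = True
    base = evidence["image_base"]
    for w in writes[1:]:
        if base is not None and w.address > base and w.address % PAGE == 0:
            evidence["section_writes"] += 1      # page-aligned write inside the new image
        elif w.size == 4 and w.address % PAGE == PEB_IMAGEBASE_OFFSET:
            evidence["peb_patch"] = True         # pointer-sized write at PEB+8
    evidence["context_change"] = any(e.kind == "Modify Control Flow" for e in events)
    return evidence


def is_process_hollowing(events: List[InjectionEvent]) -> bool:
    """Headers plus at least one section plus a context change is the minimum pattern."""
    ev = classify_hollowing(events)
    return bool(ev["header_write"] and ev["section_writes"] >= 1 and ev["context_change"])


if __name__ == "__main__":
    print(classify_hollowing(REPORT_EVENTS))
    print("report:", is_process_hollowing(REPORT_EVENTS), "benign:", is_process_hollowing(BENIGN_EVENTS))
```

The PEB patch is recorded but not required, since a hollowing loader that keeps the original image base does not need it; the context change is required because a full image written without a redirected entry point is what debuggers and some legitimate loaders also do.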

Process #6: tkzvpq.exe

Host Behavior

Type Count

ID 6

File Name c:\users\rdhj0cnfevzx\appdata\roaming\tkzvpq\tkzvpq.exe
Command Line "C:\Users\RDhJ0CNFevzX\AppData\Roaming\tKZVPq\tKZVPq.exe"

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 288608, Reason: Autostart

Unmonitor End Time End Time: 320131, Reason: Terminated by Timeout

Monitor duration 31.52s

Return Code Unknown

PID 3296

Parent PID 1636

Bitness 32 Bit

Module 34

Window 4

Registry 3

File 1

ARTIFACTS

File

SHA256 | File Names | Category | File Size | MIME Type | Operations | Verdict
c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682 | C:\Users\RDhJ0CNFevzX\AppData\Roaming\tKZVPq\tKZVPq.exe, C:\Users\RDhJ0CNFevzX\Desktop\c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | Sample File | 791.50 KB | application/vnd.microsoft.portable-executable | Access, Create, Write | MALICIOUS
9b13a3ea948a1071a81787aac1930b89e30df22ce13f8ff751f31b5d83e79ffb | C:\Windows\system32\drivers\etc\hosts | Modified File | 835 bytes | text/plain | Access, Create, Write | CLEAN
49b3c831585d38502f59ad35657e66a4eb909cc7a91e2ade35a36391e2948a4d | - | Embedded File | 8.30 KB | image/png | - | CLEAN

Filename

File Name | Category | Operations | Verdict
C:\Users\RDhJ0CNFevzX\Desktop\c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe.config | Accessed File | Access | CLEAN
System Paging File | Accessed File | Access | CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | Accessed File | Access, Read | CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\tKZVPq\ | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\tKZVPq | Accessed File | Access, Create | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\tKZVPq\tKZVPq.exe | Sample File | Access, Create, Write | CLEAN
C:\Users\RDhJ0CNFevzX\Desktop\c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | Sample File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\tKZVPq\tKZVPq.exe:Zone.Identifier | Accessed File | Delete, Access | CLEAN
C:\Windows\system32\drivers\etc\hosts | Modified File | Access, Create, Write | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\tKZVPq\tKZVPq.exe.config | Accessed File | Access | CLEAN

Registry

Registry Key | Operations | Parent Process Name | Verdict
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | access | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe, tkzvpq.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting | access, read | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe, tkzvpq.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger | access, read | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe, tkzvpq.exe | CLEAN
HKEY_PERFORMANCE_DATA | access | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | access | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType | access, read | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext | access | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 | access | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto | access, read | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | access | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Impersonation Level | access, read | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Namespace | access, read | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | access | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\tKZVPq | access, read, write | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | CLEAN
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run | access | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time | access | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI | access, read | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST | access | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display | access, read | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std | access, read | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt | access, read | c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | CLEAN

Process

Process Name | Commandline | Verdict
c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | "C:\Users\RDhJ0CNFevzX\Desktop\c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe" | MALICIOUS
c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe | "C:\Users\RDhJ0CNFevzX\Desktop\c91de651908108a492c93af5470378807f9a2cc8b9ee3de487b816db3cd6f682.exe" | SUSPICIOUS
tkzvpq.exe | "C:\Users\RDhJ0CNFevzX\AppData\Roaming\tKZVPq\tKZVPq.exe" | CLEAN

YARA / AV

YARA (1)

Ruleset Name | Rule Name | Rule Description | File Type | File Name | Classification | Verdict
Malware | AgentTesla_StringDecryption_v3 | Agent Tesla v3 string decryption | Memory Dump | - | Spyware | 5/5

ENVIRONMENT

Virtual Machine Information

Name win10_64_th2_en_mso2016
Description win10_64_th2_en_mso2016
Architecture x86 64-bit
Operating System Windows 10 Threshold 2
Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)
Network Scheme Name Local Gateway
Network Config Name Local Gateway

Platform Information

Platform Version 4.4.1
Dynamic Engine Version 4.4.1 / 01/14/2022 05:06
Static Engine Version 4.4.1.0 / 2022-01-14 04:00:58
AV Exceptions Version 4.4.1.6 / 2021-12-14 15:06:27
Link Detonation Heuristics Version 4.4.1.7 / 2021-12-15 19:11:26
Smart Memory Dumping Rules Version 4.4.1.6 / 2021-12-14 15:06:27
Signature Trust Store Version 4.4.1.6 / 2021-12-14 15:06:27
VMRay Threat Identifiers Version 4.4.1.8 / 2022-01-07 14:24:33
YARA Built-in Ruleset Version 4.4.1.10

Anti Virus Information

Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)
Built-in AV Database Update Release Date 2022-02-11 02:52:46+00:00
Built-in AV Database Records 10989071

Software Information

Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Hangul Office Not installed
Hangul Office Version Not installed
Internet Explorer Version 11.0.10586.0
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed

System Information

Sample Directory C:\Users\RDhJ0CNFevzX\Desktop
Computer Name XC64ZB
User Domain XC64ZB
User Name RDhJ0CNFevzX
User Profile C:\Users\RDhJ0CNFevzX
Temp Directory C:\Users\RDHJ0C~1\AppData\Local\Temp
System Root C:\Windows
