
DYNAMIC ANALYSIS REPORT

#22574627

Classifications: Spyware

Verdict: MALICIOUS

Threat Names: Lumma, C2/Generic-A, Mal/HTMLGen-A

Verdict Reason: -

Sample Type Windows Exe (x86-64)

File Name SecuriteInfo.com.Win64.MalwareX-gen.7213.10695.exe

ID #11579424

MD5 162d8c383d950b03cb90542ebc6bc59b

SHA1 e6336cffb13da369a318b72d99b48eb510f529b0

SHA256 10c874fb42cf4058d85898bb0490f0495980f17bd869caba738b25d2680e6d7e

File Size 31211.50 KB

Report Created 2024-10-18 18:34 (UTC+2)

Target Environment windows 10 (64bit TH2 -EN- MSO_2016) | exe

X-Ray Vision for Malware - www.vmray.com 1 / 45



OVERVIEW
VMRay Threat Identifiers (19 rules, 174 matches)

Score Category Operation Count Classification

5/5 Data Collection Reads a significant portion of browser memory 1 -

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads memory of browser process iexplore.exe.

5/5 YARA Malicious content matched by YARA rules 1 Spyware

• YARA detected "Lumma_v4_May2024" from ruleset "Malware" in memory dump data from (process #6) steamupdater.exe.

5/5 Extracted Configuration Lumma configuration was extracted 1 Spyware

• A configuration for Lumma was extracted from artifacts of the dynamic analysis.

5/5 Anti Analysis Makes indirect system call to possibly evade hooking based monitoring 8 -

• (Process #6) steamupdater.exe makes an indirect system call to "NtOpenFile".

• (Process #6) steamupdater.exe makes an indirect system call to "NtSetInformationProcess".

• (Process #6) steamupdater.exe makes an indirect system call to "NtUnmapViewOfSection".

• (Process #6) steamupdater.exe makes an indirect system call to "NtClose".

• (Process #6) steamupdater.exe makes an indirect system call to "NtQueryInformationFile".

• (Process #6) steamupdater.exe makes an indirect system call to "NtOpenSection".

• (Process #6) steamupdater.exe makes an indirect system call to "NtMapViewOfSection".

• (Process #6) steamupdater.exe makes an indirect system call to "NtReadFile".

4/5 Reputation Malicious host or URL detected via reputation 19 -

• Reputation analysis labels the URL "hxxps://steamcommunity[.]com/profiles/76561199724331900" which was contacted by (process #6) steamupdater.exe as Mal/HTMLGen-A.

• Reputation analysis labels the URL "hxxps://worthsuwqp[.]shop/api" which was contacted by (process #6) steamupdater.exe as C2/Generic-A.

• Reputation analysis labels the URL "hxxps://chickerkuso[.]shop/api" which was contacted by (process #6) steamupdater.exe as Mal/HTMLGen-A.

• Reputation analysis labels the URL "hxxps://achievenmtynwjq[.]shop/api" which was contacted by (process #6) steamupdater.exe as Mal/HTMLGen-A.

• Reputation analysis labels the URL "hxxps://puredoffustow[.]shop/api" which was contacted by (process #6) steamupdater.exe as Mal/HTMLGen-A.

• Reputation analysis labels the URL "hxxps://opponnentduei[.]shop/api" which was contacted by (process #6) steamupdater.exe as Mal/HTMLGen-A.

• Reputation analysis labels the URL "hxxps://metallygaricwo[.]shop/api" which was contacted by (process #6) steamupdater.exe as Mal/HTMLGen-A.

• Reputation analysis labels the URL "hxxps://milldymarskwom[.]shop/api" which was contacted by (process #6) steamupdater.exe as Mal/HTMLGen-A.

• Reputation analysis labels the URL "hxxps://quotamkdsdqo[.]shop/api" which was contacted by (process #6) steamupdater.exe as Mal/HTMLGen-A.

• Reputation analysis labels the URL "hxxps://carrtychaintnyw[.]shop/api" which was contacted by (process #6) steamupdater.exe as Mal/HTMLGen-A.

• Reputation analysis labels the resolved domain "chickerkuso.shop" as Mal/HTMLGen-A.

• Reputation analysis labels the resolved domain "puredoffustow.shop" as Mal/HTMLGen-A.

• Reputation analysis labels the resolved domain "metallygaricwo.shop" as Mal/HTMLGen-A.

• Reputation analysis labels the resolved domain "quotamkdsdqo.shop" as Mal/HTMLGen-A.

• Reputation analysis labels the resolved domain "milldymarskwom.shop" as Mal/HTMLGen-A.

• Reputation analysis labels the resolved domain "achievenmtynwjq.shop" as Mal/HTMLGen-A.

• Reputation analysis labels the resolved domain "carrtychaintnyw.shop" as Mal/HTMLGen-A.

• Reputation analysis labels the resolved domain "opponnentduei.shop" as Mal/HTMLGen-A.

• Reputation analysis labels the resolved domain "worthsuwqp.shop" as C2/Generic-A.

3/5 Defense Evasion Tries to detect the presence of antivirus software 2 -

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe tries to detect antivirus software via WMI query: "SELECT displayName FROM AntiVirusProduct".

• (Process #19) sppextcomobj.exe tries to detect antivirus software via WMI query: "SELECT displayName FROM AntiVirusProduct".


2/5 Discovery Collects hardware properties 4 -

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe queries hardware properties via WMI: SELECT * FROM Win32_Processor.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe queries hardware properties via WMI: SELECT Name FROM Win32_VideoController.

• (Process #19) sppextcomobj.exe queries hardware properties via WMI: SELECT * FROM Win32_Processor.

• (Process #19) sppextcomobj.exe queries hardware properties via WMI: SELECT Name FROM Win32_VideoController.

2/5 Discovery Queries OS version via WMI 2 -

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe queries OS version via WMI query: SELECT ProductType FROM Win32_OperatingSystem.

• (Process #19) sppextcomobj.exe queries OS version via WMI query: SELECT ProductType FROM Win32_OperatingSystem.

2/5 Discovery Enumerates running processes 2 -

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe enumerates running processes via WMI query SELECT Name FROM Win32_Process.

• (Process #19) sppextcomobj.exe enumerates running processes via WMI query SELECT Name FROM Win32_Process.

2/5 Anti Analysis Tries to detect debugger 2 -

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe tries to detect a debugger via API "NtQueryInformationProcess".

• (Process #6) steamupdater.exe tries to detect a debugger via API "CheckRemoteDebuggerPresent".

1/5 Obfuscation Reads from memory of another process 100 -


• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from System.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from smss.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from wininit.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from winlogon.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from throughout.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from shellexperiencehost.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from some-management-baby.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from anything nature die.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from services.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from lsass.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from svchost.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from (process #9) svchost.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from (process #2) svchost.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from spoolsv.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from sihost.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from 3dftp.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from absolutetelnet.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from alftp.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from education_stand.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from meet-our-investment.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from barca.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from bitkinex.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from common over.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from runtimebroker.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from explorer.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from coreftp.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from far.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from sectionlandpast.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from taskhostw.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from ok top.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from show never character.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from filezilla.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from flashfxp.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from fling.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from drive_particularly_next.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from agency.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from forceson.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from foxmailincmail.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from gmailnotifierpro.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from let sense right.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from interesting.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from whatsapp.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from icq.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from mxslipstream.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from winscp.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from leechftp.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from ncftp.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from omnipos.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from spcwin.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from yahoomessenger.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from active-charge.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from operamail.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from outlook.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from spgagentservice.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from utg2.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from accupos.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from afr38.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from notepad.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from pidgin.exe.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe reads from scriptftp.exe.

1/5 Discovery Possibly does reconnaissance 2 -

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe tries to gather information about application "Mozilla Firefox" by file.

• (Process #19) sppextcomobj.exe tries to gather information about application "Mozilla Firefox" by file.

1/5 Discovery Executes WMI query 18 -

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe executes WMI query: SELECT * FROM Win32_PortConnector.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe executes WMI query: SELECT * FROM CIM_Memory.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe executes WMI query: SELECT * FROM CIM_PhysicalConnector.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe executes WMI query: SELECT * FROM CIM_Slot.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe executes WMI query: SELECT * FROM Win32_SMBIOSMemory.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe executes WMI query: SELECT * FROM Win32_MemoryArray.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe executes WMI query: SELECT * FROM Win32_MemoryDevice.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe executes WMI query: SELECT * FROM Win32_PhysicalMemory.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe executes WMI query: SELECT * FROM Win32_CacheMemory.

• (Process #19) sppextcomobj.exe executes WMI query: SELECT * FROM Win32_PortConnector.

• (Process #19) sppextcomobj.exe executes WMI query: SELECT * FROM CIM_Memory.

• (Process #19) sppextcomobj.exe executes WMI query: SELECT * FROM CIM_PhysicalConnector.

• (Process #19) sppextcomobj.exe executes WMI query: SELECT * FROM CIM_Slot.

• (Process #19) sppextcomobj.exe executes WMI query: SELECT * FROM Win32_SMBIOSMemory.

• (Process #19) sppextcomobj.exe executes WMI query: SELECT * FROM Win32_MemoryArray.

• (Process #19) sppextcomobj.exe executes WMI query: SELECT * FROM Win32_MemoryDevice.

• (Process #19) sppextcomobj.exe executes WMI query: SELECT * FROM Win32_PhysicalMemory.

• (Process #19) sppextcomobj.exe executes WMI query: SELECT * FROM Win32_CacheMemory.

1/5 Privilege Escalation Enables process privileges 1 -

• (Process #3) wmiprvse.exe enables process privilege "SeDebugPrivilege".

1/5 Hide Tracks Creates process with hidden window 6 -

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe starts (process #6) steamupdater.exe with a hidden window.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe starts (process #7) powershell.exe with a hidden window.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe starts (process #11) cmd.exe with a hidden window.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe starts (process #14) cmd.exe with a hidden window.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe starts (process #16) cmd.exe with a hidden window.

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe starts (process #19) sppextcomobj.exe with a hidden window.

1/5 Persistence Installs system startup script or application 1 -

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe adds "1099466887" to Windows startup via registry.

1/5 Obfuscation Resolves API functions dynamically 1 -

• (Process #6) steamupdater.exe resolves 38 API functions by name.

1/5 Execution Drops PE file 1 -

• (Process #1) securiteinfo.com.win64.malwarex-gen.7213.10695.exe drops file "C:\ProgramData\Documents_2\Videos_3\SppExtComObj.exe".

1/5 Execution Executes dropped PE file 2 -

• Executes dropped file "C:\Users\RDHJ0C~1\AppData\Local\Temp\SteamUpdater.exe".

• Executes dropped file "C:\ProgramData\Documents_2\Videos_3\SppExtComObj.exe".


- Trusted Known clean file 6 -

• File "C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cc38888a-7080-4220-9b7d-de7a9b2167ba" is a
known clean file.

• File "C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_67a2505d-bf00-4e2f-b010-406d32caddc3" is a
known clean file.

• File "C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6de40067-cd2a-4666-8cd9-870e0a588215" is a
known clean file.

• File "C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe77092-4798-42ae-bda5-e7f822b580e9" is a
known clean file.

• File "C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_01c28806-e5ae-41cc-b284-e627e1b02beb" is a
known clean file.

• File "C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_da21122d-ae44-4f93-ba1d-c9a978ca5b20" is a
known clean file.


Malware Configuration: Lumma

Metadata Key Extracted Value

Mission ID Value QxiMJI--

URL quotamkdsdqo.shop

URL milldymarskwom.shop

URL metallygaricwo.shop

URL chickerkuso.shop

URL puredoffustow.shop

URL achievenmtynwjq.shop

URL opponnentduei.shop

URL carrtychaintnyw.shop

URL worthsuwqp.shop


Mitre ATT&CK Matrix

Initial Access: no techniques observed

Execution

• #T1047 Windows Management Instrumentation

Persistence

• #T1060 Registry Run Keys / Startup Folder

• #T1547.001 Registry Run Keys / Startup Folder

Privilege Escalation

• #T1547.001 Registry Run Keys / Startup Folder

Defense Evasion

• #T1143 Hidden Window

• #T1564.003 Hidden Window

• #T1112 Modify Registry

• #T1045 Software Packing

• #T1027.002 Software Packing

• #T1622 Debugger Evasion

Credential Access

• #T1003 Credential Dumping

• #T1555.003 Credentials from Web Browsers

Discovery

• #T1083 File and Directory Discovery

• #T1063 Security Software Discovery

• #T1518.001 Security Software Discovery

• #T1082 System Information Discovery

Lateral Movement: no techniques observed

Collection

• #T1005 Data from Local System

• #T1119 Automated Collection

Command and Control: no techniques observed

Exfiltration: no techniques observed

Impact: no techniques observed


Sample Information

ID #11579424

MD5 162d8c383d950b03cb90542ebc6bc59b

SHA1 e6336cffb13da369a318b72d99b48eb510f529b0

SHA256 10c874fb42cf4058d85898bb0490f0495980f17bd869caba738b25d2680e6d7e

SSDeep 786432:aGQzF+p61uokR68PPXV7J/c6aYrkJ/bO9TovQVRg8jrO:osw5kFt7J/cRDSTooVimO

ImpHash 65fb49c803a4d63a7a7286237a201445

File Name SecuriteInfo.com.Win64.MalwareX-gen.7213.10695.exe

File Size 31211.50 KB

Sample Type Windows Exe (x86-64)

Has Macros ✔

Analysis Information

Creation Time 2024-10-18 18:34 (UTC+2)

Analysis Duration 00:04:00

Termination Reason Timeout

Number of Monitored Processes 12

Execution Successful True

Reputation Enabled ✔

WHOIS Enabled ✖

Built-in AV Enabled ✖

Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of AV Matches 0

YARA Enabled ✔

YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of YARA Matches 6


Screenshots truncated


NETWORK
General

1.74 KB total sent

33.80 KB total received

2 ports 443, 53

2 contacted IP addresses

72 URLs extracted

1 files downloaded

10 malicious hosts detected

DNS

10 DNS requests for 10 domains

1 nameservers contacted

9 total requests returned errors

HTTP/S

1 URLs contacted, 1 servers

1 sessions, 1.11 KB sent, 32.64 KB received

HTTP Requests

Method URL Dest. IP Dest. Port Status Code Response Size Verdict

GET hxxp://www[.]valvesoftware[.]com/legal.htm - - - 0 bytes CLEAN

GET hxxp://store[.]steampowered[.]com/subscriber_agreement/ - - - 0 bytes CLEAN

GET hxxp://store[.]steampowered[.]com/account/cookiepreferences/ - - - 0 bytes CLEAN

GET hxxp://store[.]steampowered[.]com/privacy_agreement/ - - - 0 bytes CLEAN

POST hxxps://opponnentduei[.]shop/api - - - 0 bytes MALICIOUS

GET hxxps://www[.]valvesoftware[.]com/en/contact?contact-person=Translation%20Team%20Feedback - - - 0 bytes CLEAN

GET hxxps://help[.]steampowered[.]com/en/ - - - 0 bytes CLEAN

POST hxxps://quotamkdsdqo[.]shop/api - - - 0 bytes MALICIOUS

POST hxxps://milldymarskwom[.]shop/api - - - 0 bytes MALICIOUS

POST hxxps://carrtychaintnyw[.]shop/api - - - 0 bytes MALICIOUS

POST hxxps://achievenmtynwjq[.]shop/api - - - 0 bytes MALICIOUS

POST hxxps://metallygaricwo[.]shop/api - - - 0 bytes MALICIOUS

POST hxxps://puredoffustow[.]shop/api - - - 0 bytes MALICIOUS

GET hxxps://steamcommunity[.]com/?subsection=broadcasts - - - 0 bytes CLEAN

GET hxxps://steamcommunity[.]com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org - - - 0 bytes CLEAN

GET hxxps://steamcommunity[.]com/discussions/ - - - 0 bytes CLEAN

GET hxxps://steamcommunity[.]com/login/home/?goto=profiles%2F76561199724331900 - - - 0 bytes CLEAN

GET hxxps://steamcommunity[.]com - - - 0 bytes CLEAN

GET hxxps://steamcommunity[.]com/workshop/ - - - 0 bytes CLEAN

GET hxxps://steamcommunity[.]com/my/wishlist/ - - - 0 bytes CLEAN

GET hxxps://steamcommunity[.]com/market/ - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/images/responsive/header_menu_hamburger.png - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com//public//css//skin_1//economy.css?v=Hib2Mv7hYJ4z&l=english&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/css/shared_global.css?v=nBdvNPPzc0qI&l=english&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=english&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=english&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/images/responsive/header_logo.png - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/javascript/applications/community/manifest.js?v=r7a4-LYcQOjv&l=english&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/images/skin_1/footerLogo_valve.png?v=1 - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com//public//javascript//json2.js?v=pmScf4470EZP&l=english&_cdn=cloudflare\ - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com//public//javascript//economy_common.js?v=tsXdRVB0yEaR&l=english&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&l=english&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&l=english&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com//public//javascript//economy.js?v=7F-CkHa-o5A1&l=english&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/css/applications/community/main.css?v=D_iTAfDsLHps&l=english&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=english&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL&l=english&_cdn=cloudflare&load=effects,controls,slider,dragdrop - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/images/responsive/logo_valve_footer.png - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com//public// - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/javascript/shared_global.js?v=wJD9maDpDcVL&l=english&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/javascript/applications/community/libraries~b28b7af69.js?v=KwNbKLgEHlA9&l=english&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=english&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/javascript/shared_responsive_adapter.js?v=pSvIAKtunfWg&l=english&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/javascript/applications/community/main.js?v=4XouecKy8sZy&l=english&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/javascript/global.js?v=bOP7RorZq4_W&l=english&_cdn=cloudflare - - - 0 bytes CLEAN

GET hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/images/header/logo_steam.svg?t=962016 - - - 0 bytes CLEAN

GET hxxps://store[.]steampowered[.]com/stats/ - - - 0 bytes CLEAN

GET hxxps://store[.]steampowered[.]com - - - 0 bytes CLEAN

GET hxxps://store[.]steampowered[.]com/steam_refunds/ - - - 0 bytes CLEAN

GET hxxps://store[.]steampowered[.]com/explore/ - - - 0 bytes CLEAN

GET hxxps://store[.]steampowered[.]com/about/ - - - 0 bytes CLEAN

GET hxxps://store[.]steampowered[.]com/points/shop/ - - - 0 bytes CLEAN

GET hxxps://store[.]steampowered[.]com/subscriber_agreement/ - - - 0 bytes CLEAN

GET hxxps://store[.]steampowered[.]com/news/ - - - 0 bytes CLEAN

GET hxxps://store[.]steampowered[.]com/mobile - - - 0 bytes CLEAN

GET hxxps://store[.]steampowered[.]com/privacy_agreement/ - - - 0 bytes CLEAN

GET hxxps://store[.]steampowered[.]com/legal/ - - - 0 bytes CLEAN

POST hxxps://worthsuwqp[.]shop/api - - - 0 bytes MALICIOUS

POST hxxps://chickerkuso[.]shop/api - - - 0 bytes MALICIOUS

GET hxxps://steamcommunity[.]com/profiles/76561199724331900 - - - 0 bytes MALICIOUS

DNS Requests

Type Hostname Response Code Resolved IPs CNames Verdict

A chickerkuso[.]shop NX_DOMAIN - - MALICIOUS

A puredoffustow[.]shop NX_DOMAIN - - MALICIOUS

A metallygaricwo[.]shop NX_DOMAIN - - MALICIOUS

A quotamkdsdqo[.]shop NX_DOMAIN - - MALICIOUS

A milldymarskwom[.]shop NX_DOMAIN - - MALICIOUS

A achievenmtynwjq[.]shop NX_DOMAIN - - MALICIOUS

A carrtychaintnyw[.]shop NX_DOMAIN - - MALICIOUS


A opponnentduei[.]shop NX_DOMAIN - - MALICIOUS

A steamcommunity[.]com NO_ERROR 23.197.127.21 - CLEAN

A worthsuwqp[.]shop NX_DOMAIN - - MALICIOUS


BEHAVIOR
Process Graph

Sample Start → #1 securiteinfo.com.win64.malwarex-gen.7213.10695.exe

#1 securiteinfo.com.win64.malwarex-gen.7213.10695.exe → Child Process → #6 steamupdater.exe

#1 securiteinfo.com.win64.malwarex-gen.7213.10695.exe → Child Process → #7 powershell.exe

#1 securiteinfo.com.win64.malwarex-gen.7213.10695.exe → Child Process → #11 cmd.exe

#11 cmd.exe → Child Process → #13 wusa.exe

#1 securiteinfo.com.win64.malwarex-gen.7213.10695.exe → Child Process → #14 cmd.exe

#1 securiteinfo.com.win64.malwarex-gen.7213.10695.exe → Child Process → #16 cmd.exe

#16 cmd.exe → Child Process → #18 reg.exe

#1 securiteinfo.com.win64.malwarex-gen.7213.10695.exe → Child Process → #19 sppextcomobj.exe

RPC Server → #2 svchost.exe

RPC Server → #3 wmiprvse.exe

RPC Server → #10 wmiprvse.exe


Process #1: securiteinfo.com.win64.malwarex-gen.7213.10695.exe

ID 1

File Name c:\users\rdhj0cnfevzx\desktop\securiteinfo.com.win64.malwarex-gen.7213.10695.exe

Command Line "C:\Users\RDhJ0CNFevzX\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.7213.10695.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 68159, Reason: Analysis Target

Unmonitor End Time End Time: 313166, Reason: Terminated by timeout

Monitor duration 245.01s

Return Code Unknown

PID 1916

Parent PID -

Bitness 64 Bit

Dropped Files (4)

File Name File Size SHA256 YARA Match

C:\ProgramData\Fonts_Temp\Music_1\SgrmBroker.exe 0 bytes e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ✖

C:\Users\RDHJ0C~1\AppData\Local\Temp\temp_NrjxjLtkwcDyZIpqfkMcaboJM 16 bytes 2da3bf745b7692957b34a88191dd53d5e5da2bb2524520c423d51a530cdcc143 ✖

C:\Users\RDHJ0C~1\AppData\Local\Temp\SteamUpdater.exe 1388.50 KB f2af9576b7878464c0c955db670e1ba7b3cdd344f30fe72030016f4622f1a485 ✖

C:\ProgramData\Documents_2\Videos_3\SppExtComObj.exe 10240.00 KB 2bc0d668f794cfd2de2109fa80de09ba63b5157bf44923e501af1522db3de821 ✖

Host Behavior

Type Count

Module 292

File 549

System 32

Environment 4

Process 1341

- 1234

COM 6

- 14

- 3

Registry 57


Process #2: svchost.exe

ID 2

File Name c:\windows\system32\svchost.exe

Command Line C:\Windows\system32\svchost.exe -k netsvcs

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 92219, Reason: RPC Server

Unmonitor End Time End Time: 313166, Reason: Terminated by timeout

Monitor duration 220.95s

Return Code Unknown

PID 1000

Parent PID 1916

Bitness 64 Bit


Process #3: wmiprvse.exe

ID 3

File Name c:\windows\system32\wbem\wmiprvse.exe

Command Line C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 92219, Reason: RPC Server

Unmonitor End Time End Time: 313166, Reason: Terminated by timeout

Monitor duration 220.95s

Return Code Unknown

PID 4480

Parent PID 1000

Bitness 64 Bit

Host Behavior

Type Count

System 225

Registry 4

User 2

Process 731

- 1232

Module 16


Process #6: steamupdater.exe

ID 6

File Name c:\users\rdhj0cnfevzx\appdata\local\temp\steamupdater.exe

Command Line "C:\Users\RDHJ0C~1\AppData\Local\Temp\SteamUpdater.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 130182, Reason: Child Process

Unmonitor End Time End Time: 147341, Reason: Terminated

Monitor duration 17.16s

Return Code 0

PID 2948

Parent PID 1916

Bitness 32 Bit

Host Behavior

Type Count

Module 49

File 6

- 4

Environment 1

Network Behavior

Type Count

HTTPS 10

TCP 9


Process #7: powershell.exe

ID 7

File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe

Command Line "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 136211, Reason: Child Process

Unmonitor End Time End Time: 206166, Reason: Terminated

Monitor duration 69.95s

Return Code 1

PID 4584

Parent PID 1916

Bitness 64 Bit

Host Behavior

Type Count

Module 14

File 1288

Environment 116

Registry 87

- 44

System 57

Mutex 60

COM 2


Process #10: wmiprvse.exe

ID 10

File Name c:\windows\system32\wbem\wmiprvse.exe

Command Line C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 201553, Reason: RPC Server

Unmonitor End Time End Time: 313166, Reason: Terminated by timeout

Monitor duration 111.61s

Return Code Unknown

PID 4860

Parent PID 1000

Bitness 64 Bit

Host Behavior

Type Count

System 3

Mutex 1

Module 22

Registry 4

File 1


Process #11: cmd.exe

ID 11

File Name c:\windows\system32\cmd.exe

Command Line "cmd.exe" /c "wusa /uninstall /kb:890830 /quiet /norestart"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 205490, Reason: Child Process

Unmonitor End Time End Time: 207151, Reason: Terminated

Monitor duration 1.66s

Return Code 87

PID 3208

Parent PID 1916

Bitness 64 Bit

Host Behavior

Type Count

Module 1

Environment 8

File 8

Process 1


Process #13: wusa.exe

ID 13

File Name c:\windows\system32\wusa.exe

Command Line wusa /uninstall /kb:890830 /quiet /norestart

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 205877, Reason: Child Process

Unmonitor End Time End Time: 206675, Reason: Terminated

Monitor duration 0.80s

Return Code 87

PID 3236

Parent PID 3208

Bitness 64 Bit


Process #14: cmd.exe

ID 14

File Name c:\windows\system32\cmd.exe

Command Line "cmd.exe" /c "del /f /q %SystemRoot%\System32\MRT.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 206168, Reason: Child Process

Unmonitor End Time End Time: 207656, Reason: Terminated

Monitor duration 1.49s

Return Code 0

PID 3312

Parent PID 1916

Bitness 64 Bit

Host Behavior

Type Count

Module 1

Environment 1

File 12


Process #16: cmd.exe

ID 16

File Name c:\windows\system32\cmd.exe

Command Line "cmd.exe" /c "reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 206676, Reason: Child Process

Unmonitor End Time End Time: 208437, Reason: Terminated

Monitor duration 1.76s

Return Code 0

PID 3340

Parent PID 1916

Bitness 64 Bit

Host Behavior

Type Count

Module 1

Environment 8

File 8

Process 1


Process #18: reg.exe

ID 18

File Name c:\windows\system32\reg.exe

Command Line reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 207211, Reason: Child Process

Unmonitor End Time End Time: 208391, Reason: Terminated

Monitor duration 1.18s

Return Code 0

PID 3368

Parent PID 3340

Bitness 64 Bit

Host Behavior

Type Count

Module 1

Registry 4

File 6


Process #19: sppextcomobj.exe

ID 19

File Name c:\programdata\documents_2\videos_3\sppextcomobj.exe

Command Line "C:\ProgramData\Documents_2\Videos_3\SppExtComObj.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 252575, Reason: Child Process

Unmonitor End Time End Time: 313166, Reason: Terminated by timeout

Monitor duration 60.59s

Return Code Unknown

PID 3428

Parent PID 1916

Bitness 64 Bit

Host Behavior

Type Count

Module 276

System 19

COM 6

- 14

Environment 3

Process 1238

- 1179

- 4


ARTIFACTS
File

SHA256 File Names Category File Size MIME Type Operations Verdict

10c874fb42cf4058d85898bb0490f0495980f17bd869caba738b25d2680e6d7e C:\Users\RDhJ0CNFevzX\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.7213.10695.exe Sample File 31211.50 KB application/vnd.microsoft.portable-executable Access MALICIOUS

f2af9576b7878464c0c955db670e1ba7b3cdd344f30fe72030016f4622f1a485 C:\Users\RDHJ0C~1\AppData\Local\Temp\SteamUpdater.exe Dropped File 1388.50 KB application/vnd.microsoft.portable-executable Access, Create, Write MALICIOUS

85677f31c12cf0ffab1accf5f75c6332698494eb89c648d65479998177847209 - Memory Dump 376.00 KB application/vnd.microsoft.portable-executable - MALICIOUS

fa3c159d792acf44ae54e66ad5dc8049672becfb8e43fdadf43ce52d2744e7d6 - Memory Dump 376.00 KB application/vnd.microsoft.portable-executable - MALICIOUS

7f0abda0746b05ce49354286a5709cb4aecef6f961112ca5ffd832a950769f46 - Memory Dump 376.00 KB application/vnd.microsoft.portable-executable - MALICIOUS

1c56babd7f3df9557237a9b60ac4b928c03231caa210fbd49a843d3989b4310f - Memory Dump 376.00 KB application/vnd.microsoft.portable-executable - MALICIOUS

ec113f57a1c9bd7583147770abb5747b6482f96a58c74ed168348352784ad965 - Memory Dump 376.00 KB application/vnd.microsoft.portable-executable - MALICIOUS

763fe1a74412bf2f3891b2bdf070ab9f532bf28278fa8e32f0670d3d58fc9beb - Memory Dump 373.00 KB application/vnd.microsoft.portable-executable - MALICIOUS

2bc0d668f794cfd2de2109fa80de09ba63b5157bf44923e501af1522db3de821 C:\ProgramData\Documents_2\Videos_3\SppExtComObj.exe Dropped File 10240.00 KB application/vnd.microsoft.portable-executable Access, Create, Write SUSPICIOUS

37a54b555c5851d0af64cad86d6798f5a590f3f5acffe4e41d92e6cb7184f981 - Downloaded File 25.55 KB text/html - CLEAN

2da3bf745b7692957b34a88191dd53d5e5da2bb2524520c423d51a530cdcc143 C:\Users\RDHJ0C~1\AppData\Local\Temp\temp_NrjxjLtkwcDyZIpqfkMcaboJM Dropped File 16 bytes text/plain Access, Create, Write CLEAN

44742d932d7338f9146df02868c8a69d4f827436d2da267517b951dd0c17977b C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex Modified File 19.23 KB application/octet-stream Access, Read, Write CLEAN

bfd60204585f1603ee9faac7c44adb9fcd6fa56b7748f03ecb1a9beaa7c56ea1 C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe77092-4798-42ae-bda5-e7f822b580e9 Modified File 1.16 KB application/octet-stream Access, Write CLEAN

6b267f5681bcd6ea35dc1765808ea53540ff701e223fd472621c1c8cd9265318 C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex Modified File 19.23 KB application/octet-stream Access, Read, Write CLEAN

72831bc6962c8017ea71abc038a8f60e79976ebaf05d363c80f32c975a55d0d9 C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_da21122d-ae44-4f93-ba1d-c9a978ca5b20 Modified File 10.76 KB application/octet-stream Access, Read, Write CLEAN

22e0e4a48c52bf2bbb8ead29e4cd23bfdb0a57dd8cf0d1a39fdbd6afa0a05b48 C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex Modified File 19.23 KB application/octet-stream Access, Read, Write CLEAN

12bd362291f72f2c2e7756742b7377549d13d5bf231455d23ef250c5bdf18121 C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cc38888a-7080-4220-9b7d-de7a9b2167ba Modified File 1.77 KB application/octet-stream Access, Read, Write CLEAN

7f3fba01490fc77e7fc3fdaeb6f1a65be4ee06a68d72badbd40e225a328b7c92 C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex Modified File 19.23 KB application/octet-stream Access, Read, Write CLEAN

b0ada1a5b9cd3c6c3c9fa895bf63665129ea3ac1be1391a2064296fdf950fe3a C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6de40067-cd2a-4666-8cd9-870e0a588215 Modified File 1.60 KB application/octet-stream Access, Write CLEAN

70d5a5033e624a3fdc47588e253fa6f933b049d9edf430ec8c2b25af96c360be C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex Modified File 19.23 KB application/octet-stream Access, Read, Write CLEAN

9214d80f84cede2f6a2b72f617e0c6a54c75f589b00ff17d2858041e541f30b0 C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_01c28806-e5ae-41cc-b284-e627e1b02beb Modified File 602 bytes application/octet-stream Access, Read, Write CLEAN

5116fdea0963fe70138ced56819a18fc6deafcd717f59e749a8f1bce5911ab43 C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex Modified File 19.23 KB application/octet-stream Access, Read, Write CLEAN

bff972df82ef871cff56b4093f6953a526992555c2913ecd6fede0d642b7cc0a C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_67a2505d-bf00-4e2f-b010-406d32caddc3 Modified File 8.73 KB application/octet-stream Access, Read, Write CLEAN

4460bc99a8abeb1f58a85ee2a7da1092b3f3cdf23dcefc8e105d9b328e4a84d3 C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex Modified File 19.23 KB application/octet-stream Access, Read, Write CLEAN

Filename

File Name Category Operations Verdict

C:\Users\RDhJ0CNFevzX\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.7213.10695.exe Accessed File, Sample File Access MALICIOUS

C:\Users\RDHJ0C~1\AppData\Local\Temp\temp_NrjxjLtkwcDyZIpqfkMcaboJM Accessed File, Dropped File Access, Create, Write CLEAN

C:\Users\RDHJ0C~1\AppData\Local\Temp\SteamUpdater.exe Accessed File, Dropped File Access, Create, Write CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex Accessed File, Modified File Access, Read, Write CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe77092-4798-42ae-bda5-e7f822b580e9 Accessed File, Modified File Access, Write CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_da21122d-ae44-4f93-ba1d-c9a978ca5b20 Accessed File, Modified File Access, Read, Write CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cc38888a-7080-4220-9b7d-de7a9b2167ba Accessed File, Modified File Access, Read, Write CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6de40067-cd2a-4666-8cd9-870e0a588215 Accessed File, Modified File Access, Write CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_01c28806-e5ae-41cc-b284-e627e1b02beb Accessed File, Modified File Access, Read, Write CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_67a2505d-bf00-4e2f-b010-406d32caddc3 Accessed File, Modified File Access, Read, Write CLEAN

C:\ProgramData\Documents_2\Videos_3\SppExtComObj.exe Accessed File, Dropped File Access, Create, Write CLEAN

C:\ProgramData\Fonts_Temp\Music_1\SgrmBroker.exe Accessed File, Dropped File, Modified File Access, Create, Write CLEAN

C:\Windows\System32\smss.exe Accessed File Access CLEAN

C:\Windows\System32\wininit.exe Accessed File Access CLEAN

C:\Windows\System32\winlogon.exe Accessed File Access CLEAN

C:\Program Files\Microsoft Office\some-management-baby.exe Accessed File Access CLEAN

C:\Windows\System32\services.exe Accessed File Access CLEAN

C:\Windows\System32\lsass.exe Accessed File Access CLEAN

C:\Windows\System32\svchost.exe Accessed File Access CLEAN

C:\Windows\System32\spoolsv.exe Accessed File Access CLEAN

C:\Program Files\Microsoft Analysis Services\throughout.exe Accessed File Access CLEAN

C:\Program Files\Windows Journal\3dftp.exe Accessed File Access CLEAN

C:\Program Files (x86)\Mozilla Firefox\absolutetelnet.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows Multimedia Platform\anything nature die.exe Accessed File Access CLEAN

C:\Program Files (x86)\Mozilla Firefox\education_stand.exe Accessed File Access CLEAN

C:\Program Files\Uninstall Information\alftp.exe Accessed File Access CLEAN

C:\Program Files (x86)\Common Files\barca.exe Accessed File Access CLEAN

C:\Program Files\Microsoft.NET\meet-our-investment.exe Accessed File Access CLEAN

C:\Windows\System32\sihost.exe Accessed File Access CLEAN

C:\Windows\System32\RuntimeBroker.exe Accessed File Access CLEAN

C:\Program Files (x86)\WindowsPowerShell\bitkinex.exe Accessed File Access CLEAN

C:\Program Files (x86)\Internet Explorer\coreftp.exe Accessed File Access CLEAN

C:\Program Files (x86)\MSBuild\far.exe Accessed File Access CLEAN

C:\Program Files (x86)\Mozilla Firefox\common over.exe Accessed File Access CLEAN

C:\Windows\explorer.exe Accessed File Access CLEAN

C:\Program Files\Windows Defender\sectionlandpast.exe Accessed File Access CLEAN

C:\Program Files (x86)\Microsoft SQL Server\ok top.exe Accessed File Access CLEAN

C:\Program Files\Windows Media Player\filezilla.exe Accessed File Access CLEAN

C:\Program Files (x86)\WindowsPowerShell\flashfxp.exe Accessed File Access CLEAN

C:\Windows\System32\taskhostw.exe Accessed File Access CLEAN

C:\Program Files\Windows Mail\show never character.exe Accessed File Access CLEAN

C:\Program Files\MSBuild\agency.exe Accessed File Access CLEAN

C:\Program Files\Windows Defender\fling.exe Accessed File Access CLEAN

C:\Program Files (x86)\WindowsPowerShell\foxmailincmail.exe Accessed File Access CLEAN


C:\Program Files (x86)\Microsoft.NET\drive_particularly_next.exe Accessed File Access CLEAN

C:\Program Files (x86)\Common Files\forceson.exe Accessed File Access CLEAN

C:\Program Files\Windows Defender\interesting.exe Accessed File Access CLEAN

C:\Program Files (x86)\Common Files\gmailnotifierpro.exe Accessed File Access CLEAN

C:\Program Files\Windows Media Player\let sense right.exe Accessed File Access CLEAN

C:\Program Files\Windows Mail\whatsapp.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows NT\icq.exe Accessed File Access CLEAN

C:\Program Files\Microsoft Office\leechftp.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows Photo Viewer\mxslipstream.exe Accessed File Access CLEAN

C:\Program Files\Windows Photo Viewer\omnipos.exe Accessed File Access CLEAN

C:\Program Files\Common Files\spcwin.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows Multimedia Platform\winscp.exe Accessed File Access CLEAN

C:\Program Files\Java\yahoomessenger.exe Accessed File Access CLEAN

C:\Program Files\Windows Multimedia Platform\ncftp.exe Accessed File Access CLEAN

C:\Program Files\Microsoft Office\operamail.exe Accessed File Access CLEAN

C:\Program Files (x86)\Microsoft SQL Server\spgagentservice.exe Accessed File Access CLEAN

C:\Program Files\Windows Media Player\utg2.exe Accessed File Access CLEAN

C:\Program Files (x86)\Internet Explorer\active-charge.exe Accessed File Access CLEAN

C:\Program Files\Windows NT\accupos.exe Accessed File Access CLEAN

C:\Program Files\Microsoft SQL Server\outlook.exe Accessed File Access CLEAN

C:\Program Files (x86)\Mozilla Firefox\notepad.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows Defender\pidgin.exe Accessed File Access CLEAN

C:\Program Files\Windows Defender\game-professional.exe Accessed File Access CLEAN

C:\Windows\System32\UsoClient.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows Photo Viewer\afr38.exe Accessed File Access CLEAN

C:\Program Files\Windows Photo Viewer\aldelo.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows Portable Devices\scriptftp.exe Accessed File Access CLEAN

C:\Program Files (x86)\Microsoft.NET\skype.exe Accessed File Access CLEAN

C:\Windows\System32\msfeedssync.exe Accessed File Access CLEAN

C:\Windows\System32\conhost.exe Accessed File Access CLEAN

C:\Windows\System32\audiodg.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows NT\ccv_server.exe Accessed File Access CLEAN

C:\Program Files (x86)\Microsoft.NET\centralcreditcard.exe Accessed File Access CLEAN

C:\Program Files\MSBuild\smartftp.exe Accessed File Access CLEAN

C:\Program Files (x86)\MSBuild\thunderbird.exe Accessed File Access CLEAN

C:\Program Files\Windows Multimedia Platform\creditservice.exe Accessed File Access CLEAN


C:\Program Files (x86)\MSBuild\edcsvr.exe Accessed File Access CLEAN

C:\Program Files\Windows Media Player\trillian.exe Accessed File Access CLEAN

C:\Program Files\Java\webdrive.exe Accessed File Access CLEAN

C:\Windows\System32\rundll32.exe Accessed File Access CLEAN

C:\Windows\System32\sppsvc.exe Accessed File Access CLEAN

C:\Windows\System32\wbem\WMIADAP.exe Accessed File Access CLEAN

C:\Program Files\Internet Explorer\fpos.exe Accessed File Access CLEAN

C:\Windows\System32\backgroundTaskHost.exe Accessed File Access CLEAN

C:\Program Files (x86)\WindowsPowerShell\isspos.exe Accessed File Access CLEAN

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Accessed File Access CLEAN

C:\Program Files (x86)\Internet Explorer\iexplore.exe Accessed File Access CLEAN

C:\Program Files\Windows Photo Viewer\by_national.exe Accessed File Access CLEAN

C:\Program Files\Internet Explorer\iexplore.exe Accessed File Access CLEAN

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe Accessed File Access CLEAN

C://ProgramData//sunshine.txt Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\Desktop\powershell.exe Accessed File Access CLEAN

C:\Windows\system32\powershell.exe Accessed File Access CLEAN

C:\Windows\powershell.exe Accessed File Access CLEAN

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.exe Accessed File Access CLEAN

C:\Windows\System32\Wbem\powershell.exe Accessed File Access CLEAN

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Accessed File Access CLEAN

\??\C:\Users\RDHJ0C~1\AppData\Local\Temp\SteamUpdater.exe Accessed File Access, Read CLEAN

C:\Program Files (x86)\Common Files\Oracle\Java\javapath Accessed File Access CLEAN

C:\Windows\system32 Accessed File Access CLEAN

C:\Windows Accessed File Access CLEAN

C:\Windows\System32\Wbem Accessed File Access CLEAN

C:\Windows\System32\WindowsPowerShell\v1.0\ Accessed File Access CLEAN

C:\Users\RDhJ0CNFevzX\Documents\WindowsPowerShell\Modules Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules Accessed File Access CLEAN

C:\Windows\system32\WindowsPowerShell\v1.0\Modules Accessed File Access CLEAN

c:\windows\system32\windowspowershell\v1.0\Modules\AppBackgroundTask Accessed File Access CLEAN

C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1 Accessed File Access CLEAN

c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker Accessed File Access CLEAN

c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker\AppLocker.psd1 Accessed File Access CLEAN

c:\windows\system32\windowspowershell\v1.0\Modules\Appx Accessed File Access CLEAN

c:\windows\system32\windowspowershell\v1.0\Modules\Appx\Appx.psd1 Accessed File Access CLEAN

c:\windows\system32\windowspowershell\v1.0\Modules\AssignedAccess Accessed File Access CLEAN

c:\windows\system32\windowspowershell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1 Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 Accessed File Access, Read CLEAN

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1 Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1 Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5 Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.psd1 Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.psm1 Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.cdxml Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.xaml Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.dll Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\Pester Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 Accessed File Access, Read CLEAN

C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psd1 Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psm1 Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.cdxml Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.xaml Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.dll Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1 Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.psd1 Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.psm1 Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.cdxml Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.xaml Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.dll Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 Accessed File Access, Read CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1 Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1 Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll Accessed File Access CLEAN

Reduced dataset

URL

URL Category IP Address Country HTTP Methods Verdict

hxxps://steamcommunity[.]com/profiles/76561199724331900 Attempted To Contact, Extracted, Contacted 23.197.127.21 Germany GET MALICIOUS

hxxps://worthsuwqp[.]shop/api Attempted To Contact, Extracted - - - MALICIOUS

hxxps://chickerkuso[.]shop/api Attempted To Contact, Extracted - - - MALICIOUS

hxxps://achievenmtynwjq[.]shop/api Attempted To Contact, Extracted - - - MALICIOUS

hxxps://puredoffustow[.]shop/api Attempted To Contact, Extracted - - - MALICIOUS

hxxps://opponnentduei[.]shop/api Attempted To Contact, Extracted - - - MALICIOUS

hxxps://metallygaricwo[.]shop/api Attempted To Contact, Extracted - - - MALICIOUS

hxxps://milldymarskwom[.]shop/api Attempted To Contact, Extracted - - - MALICIOUS

hxxps://quotamkdsdqo[.]shop/api Attempted To Contact, Extracted - - - MALICIOUS

hxxps://carrtychaintnyw[.]shop/api Attempted To Contact, Extracted - - - MALICIOUS

hxxp://quotamkdsdqo[.]shop Extracted - - - MALICIOUS

hxxp://milldymarskwom[.]shop Extracted - - - MALICIOUS

hxxp://metallygaricwo[.]shop Extracted - - - MALICIOUS

hxxp://chickerkuso[.]shop Extracted - - - MALICIOUS

hxxp://puredoffustow[.]shop Extracted - - - MALICIOUS

hxxp://achievenmtynwjq[.]shop Extracted - - - MALICIOUS


hxxp://opponnentduei[.]shop Extracted - - - MALICIOUS

hxxp://carrtychaintnyw[.]shop Extracted - - - MALICIOUS

hxxp://worthsuwqp[.]shop Extracted - - - MALICIOUS

hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=english&_cdn=cloudflare Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=english&_cdn=cloudflare Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/css/shared_global.css?v=nBdvNPPzc0qI&l=english&_cdn=cloudflare Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&_cdn=cloudflare Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=english&_cdn=cloudflare Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&l=english&_cdn=cloudflare Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=english&_cdn=cloudflare Extracted - - - CLEAN

hxxps://steamcommunity[.]com/login/home/?goto=profiles%2F76561199724331900 Extracted 23.197.127.21 Germany - CLEAN

hxxps://store[.]steampowered[.]com Extracted - - - CLEAN

hxxps://store[.]steampowered[.]com/explore/ Extracted - - - CLEAN

hxxps://steamcommunity[.]com/my/wishlist/ Extracted 23.197.127.21 Germany - CLEAN

hxxps://store[.]steampowered[.]com/points/shop/ Extracted - - - CLEAN

hxxps://store[.]steampowered[.]com/news/ Extracted - - - CLEAN

hxxps://store[.]steampowered[.]com/stats/ Extracted - - - CLEAN

hxxps://steamcommunity[.]com Extracted 23.197.127.21 Germany - CLEAN

hxxps://steamcommunity[.]com/discussions/ Extracted 23.197.127.21 Germany - CLEAN

hxxps://steamcommunity[.]com/workshop/ Extracted 23.197.127.21 Germany - CLEAN

hxxps://steamcommunity[.]com/market/ Extracted 23.197.127.21 Germany - CLEAN

hxxps://steamcommunity[.]com/?subsection=broadcasts Extracted 23.197.127.21 Germany - CLEAN

hxxps://store[.]steampowered[.]com/about/ Extracted - - - CLEAN

hxxps://help[.]steampowered[.]com/en/ Extracted - - - CLEAN

hxxps://store[.]steampowered[.]com/mobile Extracted - - - CLEAN

hxxps://store[.]steampowered[.]com/privacy_agreement/ Extracted - - - CLEAN

hxxp://www[.]valvesoftware[.]com/legal.htm Extracted - - - CLEAN

hxxps://store[.]steampowered[.]com/subscriber_agreement/ Extracted - - - CLEAN

hxxps://store[.]steampowered[.]com/steam_refunds/ Extracted - - - CLEAN

hxxps://www[.]valvesoftware[.]com/en/contact?contact-person=Translation%20Team%20Feedback Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com/public/css/applications/community/main.css?v=D_iTAfDsLHps&l=english&_cdn=cloudflare Extracted - - - CLEAN

hxxps://steamcommunity[.]com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org Extracted 23.197.127.21 Germany - CLEAN

hxxp://store[.]steampowered[.]com/privacy_agreement/ Extracted - - - CLEAN

hxxps://store[.]steampowered[.]com/legal/ Extracted - - - CLEAN

hxxp://store[.]steampowered[.]com/subscriber_agreement/ Extracted - - - CLEAN

hxxp://store[.]steampowered[.]com/account/cookiepreferences/ Extracted - - - CLEAN

hxxps://
community[.]cloudflare[.]steamstatic[.]com/publi
Extracted - - - CLEAN
c/javascript/prototype-1.7.js?v=.
55t44gwuwgvw&_cdn=cloudflare

hxxps://
community[.]cloudflare[.]steamstatic[.]com/publi
c/javascript/scriptaculous/_combined.js? Extracted - - - CLEAN
v=OeNIgrpEF8tL&l=english&_cdn=cloudflare&lo
ad=effects,controls,slider,dragdrop

hxxps://
community[.]cloudflare[.]steamstatic[.]com/publi
Extracted - - - CLEAN
c/javascript/global.js?
v=bOP7RorZq4_W&l=english&_cdn=cloudflare

hxxps://
community[.]cloudflare[.]steamstatic[.]com/publi
Extracted - - - CLEAN
c/javascript/jquery-1.11.1.min.js?
v=.isFTSRckeNhC&_cdn=cloudflare

hxxps://
community[.]cloudflare[.]steamstatic[.]com/publi
Extracted - - - CLEAN
c/shared/javascript/tooltip.js?
v=.zYHOpI1L3Rt0&_cdn=cloudflare

hxxps://
community[.]cloudflare[.]steamstatic[.]com/publi
Extracted - - - CLEAN
c/shared/javascript/shared_global.js?
v=wJD9maDpDcVL&l=english&_cdn=cloudflare

hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&l=english&_cdn=cloudflare Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/javascript/shared_responsive_adapter.js?v=pSvIAKtunfWg&l=english&_cdn=cloudflare Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/images/responsive/logo_valve_footer.png Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/images/responsive/header_menu_hamburger.png Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/images/responsive/header_logo.png Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com/public/shared/images/header/logo_steam.svg?t=962016 Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com/public/javascript/applications/community/manifest.js?v=r7a4-LYcQOjv&l=english&_cdn=cloudflare Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com/public/javascript/applications/community/libraries~b28b7af69.js?v=KwNbKLgEHlA9&l=english&_cdn=cloudflare Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com/public/javascript/applications/community/main.js?v=4XouecKy8sZy&l=english&_cdn=cloudflare Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com/public/images/skin_1/footerLogo_valve.png?v=1 Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com//public// Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com//public//javascript//json2.js?v=pmScf4470EZP&l=english&_cdn=cloudflare\ Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com//public//css//skin_1//economy.css?v=Hib2Mv7hYJ4z&l=english&_cdn=cloudflare Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com//public//javascript//economy_common.js?v=tsXdRVB0yEaR&l=english&_cdn=cloudflare Extracted - - - CLEAN

hxxps://community[.]cloudflare[.]steamstatic[.]com//public//javascript//economy.js?v=7F-CkHa-o5A1&l=english&_cdn=cloudflare Extracted - - - CLEAN

Domain

Domain IP Address Country Protocols Verdict

worthsuwqp[.]shop - - - MALICIOUS

chickerkuso[.]shop - - - MALICIOUS

achievenmtynwjq[.]shop - - - MALICIOUS

puredoffustow[.]shop - - - MALICIOUS

opponnentduei[.]shop - - - MALICIOUS

metallygaricwo[.]shop - - - MALICIOUS

milldymarskwom[.]shop - - - MALICIOUS

quotamkdsdqo[.]shop - - - MALICIOUS

carrtychaintnyw[.]shop - - - MALICIOUS

steamcommunity[.]com 23.197.127.21 Germany TCP, DNS, HTTPS CLEAN

community[.]cloudflare[.]steamstatic[.]com - - - CLEAN

store[.]steampowered[.]com - - - CLEAN

help[.]steampowered[.]com - - - CLEAN

www[.]valvesoftware[.]com - - - CLEAN

IP

IP Address Domains Country Protocols Verdict

23.197.127.21 steamcommunity[.]com Germany TCP, DNS, HTTPS CLEAN

Mutex

Name Operations Parent Process Name Verdict

Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-1560258661-3990802383-1811730007-1000 delete, access powershell.exe CLEAN

- access wmiprvse.exe CLEAN

Registry

Registry Key Operations Parent Process Name Verdict

HKEY_LOCAL_MACHINE\SOFTWARE\SUNSHINE create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\SUNSHINE\MUTEX write, read, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview64.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview64.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorunsc.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorunsc.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\x32dbg.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\x32dbg.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\x64dbg.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\x64dbg.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wireshark.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wireshark.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PowerTool.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PowerTool.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PowerTool64.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PowerTool64.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettingsAdminFlows.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettingsAdminFlows.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MediaCreationTool22H2.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MediaCreationTool22H2.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dism.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dism.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcopy.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcopy.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstsc.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstsc.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ReAgentc.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ReAgentc.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemreset.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemreset.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuapihost.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuapihost.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GlassWire.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GlassWire.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GlassWireSetup.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GlassWireSetup.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe create, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\MinimumStackCommitInBytes write, access securiteinfo.com.win64.malwarex-gen.7213.10695.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging access powershell.exe CLEAN

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine\ApplicationBase read, access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\__PSLockdownPolicy read, access powershell.exe CLEAN

HKEY_CURRENT_USER\SOFTWARE\Microsoft\.NETFramework\XML access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\XML access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging access powershell.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM create, access wmiprvse.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\EnableObjectValidation read, access wmiprvse.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System access reg.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT create, access reg.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT\DontOfferThroughWUAU write, read, access reg.exe CLEAN

Process

Process Name Commandline Verdict

securiteinfo.com.win64.malwarex-gen.7213.10695.exe "C:\Users\RDhJ0CNFevzX\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.7213.10695.exe" MALICIOUS

steamupdater.exe "C:\Users\RDHJ0C~1\AppData\Local\Temp\SteamUpdater.exe" MALICIOUS

sppextcomobj.exe "C:\ProgramData\Documents_2\Videos_3\SppExtComObj.exe" SUSPICIOUS

powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force" CLEAN

wmiprvse.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding CLEAN

cmd.exe "cmd.exe" /c "wusa /uninstall /kb:890830 /quiet /norestart" CLEAN

wmiprvse.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding CLEAN

wusa.exe wusa /uninstall /kb:890830 /quiet /norestart CLEAN

cmd.exe "cmd.exe" /c "del /f /q %SystemRoot%\System32\MRT.exe" CLEAN

cmd.exe "cmd.exe" /c "reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f" CLEAN

svchost.exe C:\Windows\system32\svchost.exe -k netsvcs CLEAN

reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f CLEAN

YARA / AV
YARA (6)

Ruleset Name Rule Name Rule Description File Type File Name Classification Verdict

Malware Lumma_v4_May2024 Lumma Stealer version 4 Memory Dump - Spyware 5/5

Malware Lumma_v4_May2024 Lumma Stealer version 4 Memory Dump - Spyware 5/5

Malware Lumma_v4_May2024 Lumma Stealer version 4 Memory Dump - Spyware 5/5

Malware Lumma_v4_May2024 Lumma Stealer version 4 Memory Dump - Spyware 5/5

Malware Lumma_v4_May2024 Lumma Stealer version 4 Memory Dump - Spyware 5/5

Malware Lumma_v4_May2024 Lumma Stealer version 4 Memory Dump - Spyware 5/5

ENVIRONMENT
Virtual Machine Information

Name win10_64_th2_en_mso2016

Description windows 10 (64bit TH2 -EN- MSO_2016)

Architecture x86 64-bit

Operating System Windows 10 Threshold 2

Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)

Network Scheme Name Local Gateway

Network Config Name Local Gateway

Platform Information

Platform Version 2024.4.1

Dynamic Engine Version 2024.4.1 / 10/11/2024 04:23

Static Engine Version 2024.4.1.0 / 2024-10-11 03:00:22

AV Exceptions Version 2024.4.1.3 / 2024-08-31 15:08:44

Link Detonation Heuristics Version 2024.4.1.12 / 2024-09-19 15:05:45

Smart Memory Dumping Rules Version 2024.4.1.3 / 2024-08-31 15:08:44

Config Extractors Version 2024.4.1.14 / 2024-10-04 09:31:54

Signature Trust Store Version 2024.4.1.3 / 2024-08-31 15:08:44

VMRay Threat Identifiers Version 2024.4.1.15 / 2024-10-10 13:46:22

YARA Built-in Ruleset Version 2024.4.1.14

Software Information

Adobe Acrobat Reader Version Not installed

Microsoft Office 2016

Microsoft Office Version 16.0.4266.1001

Hangul Office Not installed

Hangul Office Version Not installed

Internet Explorer Version 11.0.10586.0

Chrome Version Not installed

Firefox Version Not installed

Flash Version Not installed

Java Version 8.0.1710.11

System Information

Sample Directory C:\Users\RDhJ0CNFevzX\Desktop

Computer Name XC64ZB

User Domain XC64ZB

User Name RDhJ0CNFevzX

User Profile C:\Users\RDhJ0CNFevzX

Temp Directory C:\Users\RDHJ0C~1\AppData\Local\Temp

System Root C:\Windows
