Download PDF Report

DYNAMIC ANALYSIS REPORT #6780270

Classifications: Spyware

Lokibot Mal/HTMLGen-A Trojan.PWS.ZKD MALICIOUS Threat Names: Gen:Variant.Fugrafa.31802 Gen:Variant.Razy.762033

Verdict Reason: -

Sample Type Windows Exe (x86-32)

File Name faa648a8_K9kSnJA_tF.exe

ID #2567952

MD5 faa648a8568e4627e7edc78099d087b5

SHA1 cfd6a3dca64f42f8bb5c3a4e9d7b9cab4d78e177

SHA256 611b569440a6daaf92be62a1958366eb772bd62b7bc2f20893870808e0d5a277

File Size 698.61 KB

Report Created 2021-08-03 13:34 (UTC+2)

Target Environment win10_64_th2_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com 1 / 22 DYNAMIC ANALYSIS REPORT #6780270

OVERVIEW

VMRay Threat Identifiers (21 rules, 62 matches)

Score Category Operation Count Classification

5/5 YARA Malicious content matched by YARA rules 3 Spyware

• Rule "Lokibot" from ruleset "Malware" has matched on a memory dump for (process #1) faa648a8_k9ksnja_tf.exe.

• Rule "Lokibot" from ruleset "Malware" has matched on a memory dump for (process #2) faa648a8_k9ksnja_tf.exe.

• Rule "Lokibot" from ruleset "Malware" has matched on the function strings for (process #2) faa648a8_k9ksnja_tf.exe.

5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware

• Tries to read sensitive data of: Bitvise SSH Client, QtWeb Internet Browser, NCH Fling, WinChips, Pocomail, SecureFX, Pidgin, PuTT...... osoft Outlook, FileZilla, Internet Explorer, IncrediMail, NCH Classic FTP, Internet Explorer / Edge, KiTTY, FAR Manager, BlazeFTP.

4/5 Antivirus Malicious content was detected by heuristic scan 3 -

• Built-in AV detected a memory dump of (process #1) faa648a8_k9ksnja_tf.exe as "Trojan.PWS.ZKD".

• Built-in AV detected a memory dump of (process #2) faa648a8_k9ksnja_tf.exe as "Gen:Variant.Fugrafa.31802".

• Built-in AV detected a memory dump of (process #2) faa648a8_k9ksnja_tf.exe as "Gen:Variant.Razy.762033".

4/5 Reputation Contacts known malicious URL 1 -

• Reputation analysis labels the URL "http://185.227.139.18/dsaicosaicasdi.php/j572NMRHsdmec" which was contacted by (process #2) faa648a8_k9ksnja_tf.exe as "Mal/HTMLGen-A".

3/5 Discovery Reads installed applications 1 Spyware

• Reads installed programs by enumerating the SOFTWARE registry key.

2/5 Data Collection Reads sensitive browser data 4 -

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of web browser "QtWeb Internet Browser" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file.

2/5 Data Collection Reads sensitive application data 5 -

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of application "Pidgin" by file.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of application "Bitvise SSH Client" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of application "KiTTY" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of application "PuTTY" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of application "WinChips" by registry.

2/5 Data Collection Reads sensitive ftp data 10 -

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "LinasFTP" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "FileZilla" by file.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "BlazeFTP" by file.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "BlazeFTP" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "Total Commander" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "FAR Manager" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "SecureFX" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "NCH Fling" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "NCH Classic FTP" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "FTP Navigator" by file.

X-Ray Vision for Malware - www.vmray.com 2 / 22 DYNAMIC ANALYSIS REPORT #6780270

Score Category Operation Count Classification

2/5 Data Collection Reads sensitive mail data 5 -

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of mail application "Pocomail" by file.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of mail application "IncrediMail" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of mail application "Opera Mail" by file.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of mail application "Trojita" by registry.

2/5 Injection Writes into the memory of a process started from a created or modified executable 1 -

• (Process #1) faa648a8_k9ksnja_tf.exe modifies memory of (process #2) faa648a8_k9ksnja_tf.exe.

2/5 Injection Modifies control flow of a process started from a created or modified executable 1 -

• (Process #1) faa648a8_k9ksnja_tf.exe alters context of (process #2) faa648a8_k9ksnja_tf.exe.

2/5 Anti Analysis Makes direct system call to possibly evade hooking based sandboxes 5 -

• (Process #1) faa648a8_k9ksnja_tf.exe makes a direct system call to "NtUnmapViewOfSection".

• (Process #1) faa648a8_k9ksnja_tf.exe makes a direct system call to "NtCreateSection".

• (Process #1) faa648a8_k9ksnja_tf.exe makes a direct system call to "NtMapViewOfSection".

• (Process #1) faa648a8_k9ksnja_tf.exe makes a direct system call to "NtWriteVirtualMemory".

• (Process #1) faa648a8_k9ksnja_tf.exe makes a direct system call to "NtResumeThread".

1/5 Hide Tracks Creates process with hidden window 1 -

• (Process #1) faa648a8_k9ksnja_tf.exe starts (process #2) faa648a8_k9ksnja_tf.exe with a hidden window.

1/5 Obfuscation Reads from memory of another process 1 -

• (Process #1) faa648a8_k9ksnja_tf.exe reads from (process #2) faa648a8_k9ksnja_tf.exe.

1/5 Discovery Reads system data 1 -

• (Process #2) faa648a8_k9ksnja_tf.exe reads the cryptographic machine GUID from registry.

1/5 Mutex Creates mutex 1 -

• (Process #2) faa648a8_k9ksnja_tf.exe creates mutex with name "B7274519EDDE9BDC8AE51348".

1/5 Discovery Possibly does reconnaissance 13 -

• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Comodo IceDragon" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Safari" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "K-Meleon" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Mozilla SeaMonkey" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Mozilla Flock" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Cyberfox" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Total Commander" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "NetScape" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Default Programs" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Bitvise SSH Client" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "SecureFX" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Postbox" by registry.

• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Trojita" by registry.

1/5 Privilege Escalation Enables process privilege 1 -

X-Ray Vision for Malware - www.vmray.com 3 / 22 DYNAMIC ANALYSIS REPORT #6780270

Score Category Operation Count Classification

• (Process #2) faa648a8_k9ksnja_tf.exe enables process privilege "SeDebugPrivilege".

1/5 Network Connection Performs DNS request 2 -

• (Process #2) faa648a8_k9ksnja_tf.exe resolves host name "185.227.139.18" to IP "185.227.139.18".

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 • (Process #2) faa648a8_k9ksnja_tf.exe resolves host name " 97 8B 8B 8F åððîçêñííèñîìæñîçð 9B 8C 9E 96 9C 90 8C 9E 96 9C 9E 8C 9B 96 ñð8F 97êèí±8F 95 ²· 8C 9B 92 9A 9C " to IP "-".

1/5 Network Connection Connects to remote host 1 -

• (Process #2) faa648a8_k9ksnja_tf.exe opens an outgoing TCP connection to host "185.227.139.18:80".

1/5 Obfuscation Resolves API functions dynamically 1 -

• (Process #1) faa648a8_k9ksnja_tf.exe resolves 41 API functions by name.

- Trusted Known clean file 2 -

• File "C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.lck" is a known clean file.

• File "c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f- c90408af5778" is a known clean file.

X-Ray Vision for Malware - www.vmray.com 4 / 22 DYNAMIC ANALYSIS REPORT #6780270

Mitre ATT&CK Matrix

Privilege Defense Credential Lateral Command Initial Access Execution Persistence Discovery Collection Exfiltration Impact Escalation Evasion Access Movement and Control

#T1082 #T1214 #T1119 #T1143 Hidden System Credentials in Automated Window Information Registry Collection Discovery #T1045 #T1003 #T1005 Data #T1012 Query Software Credential from Local Registry Packing Dumping System #T1217 #T1081 Browser Credentials in Bookmark Files Discovery #T1083 File and Directory Discovery

X-Ray Vision for Malware - www.vmray.com 5 / 22 DYNAMIC ANALYSIS REPORT #6780270

Sample Information

ID #2567952

MD5 faa648a8568e4627e7edc78099d087b5

SHA1 cfd6a3dca64f42f8bb5c3a4e9d7b9cab4d78e177

SHA256 611b569440a6daaf92be62a1958366eb772bd62b7bc2f20893870808e0d5a277

SSDeep 12288:R1Wl8TpYMxskWv6rfIYJ3dqbTeU77xkU7d3:RAGF0yhtqHx77xkUV

ImpHash 49be0836dac021f86af2cb207b4613c8

File Name faa648a8_K9kSnJA_tF.exe

File Size 698.61 KB

Sample Type Windows Exe (x86-32)

Has Macros

Analysis Information

Creation Time 2021-08-03 13:34 (UTC+2)

Analysis Duration 00:01:18

Termination Reason All processes terminated

Number of Monitored Processes 2

Execution Successful False

Reputation Enabled

WHOIS Enabled

Built-in AV Enabled

Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of AV Matches 28

YARA Enabled

YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of YARA Matches 27

X-Ray Vision for Malware - www.vmray.com 6 / 22 DYNAMIC ANALYSIS REPORT #6780270

X-Ray Vision for Malware - www.vmray.com 7 / 22 DYNAMIC ANALYSIS REPORT #6780270

Screenshots truncated

X-Ray Vision for Malware - www.vmray.com 8 / 22 DYNAMIC ANALYSIS REPORT #6780270

NETWORK

General

2.33 KB total sent

44.20 KB total received

1 ports 80

2 contacted IP addresses

0 URLs extracted

0 files downloaded

0 malicious hosts detected

DNS

4 DNS requests for 2 domains

1 nameservers contacted

1 total requests returned errors

HTTP/S

1 URLs contacted, 1 servers

3 sessions, 1.88 KB sent, 40.23 KB received

HTTP Requests

Method URL Dest. IP Dest. Port Status Code Response Size Verdict

POST http://185.227.139.18/dsaicosaicasdi.php/j572NMRHsdmec - - 0 bytes NA

DNS Requests

Type Hostname Response Code Resolved IPs CNames Verdict

- 185.227.139.18 - 185.227.139.18 NA

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 97 8B 8B 8F åððîçêñííèñîìæñîçð9B 8C 9E 96 9C 90 8C 9E 96 9C 9E 8C 9B 96 ñð8F 97 8F - 00 00 00 00 00 00 - NA 95 êèí±²· 8C 9B 92 9A 9C

X-Ray Vision for Malware - www.vmray.com 9 / 22 DYNAMIC ANALYSIS REPORT #6780270

BEHAVIOR

Process Graph

Modify Memory #1 Modify Control Flow #2 Sample Start faa648a8_k9ksnja_tf.exe Child Process faa648a8_k9ksnja_tf.exe

X-Ray Vision for Malware - www.vmray.com 10 / 22 DYNAMIC ANALYSIS REPORT #6780270

Process #1: faa648a8_k9ksnja_tf.exe

ID 1

File Name c:\users\rdhj0cnfevzx\desktop\faa648a8_k9ksnja_tf.exe

Command Line "C:\Users\RDhJ0CNFevzX\Desktop\faa648a8_K9kSnJA_tF.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 92344, Reason: Analysis Target

Unmonitor End Time End Time: 125508, Reason: Terminated

Monitor duration 33.16s

Return Code 0

PID 1796

Parent PID 1604

Bitness 32 Bit

Host Behavior

Type Count

Module 66

File 27

Environment 1

Process 1

- 3

- 2

X-Ray Vision for Malware - www.vmray.com 11 / 22 DYNAMIC ANALYSIS REPORT #6780270

Process #2: faa648a8_k9ksnja_tf.exe

ID 2

File Name c:\users\rdhj0cnfevzx\desktop\faa648a8_k9ksnja_tf.exe

Command Line "C:\Users\RDhJ0CNFevzX\Desktop\faa648a8_K9kSnJA_tF.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 113190, Reason: Child Process

Unmonitor End Time End Time: 160403, Reason: Terminated

Monitor duration 47.21s

Return Code 3221225477

PID 1464

Parent PID 1796

Bitness 32 Bit

Injection Information (3)

Injection Type Source Process Source / Target TID Address / Name Size Success Count

#1: c: Modify Memory \users\rdhj0cnfevzx\desktop 0x6d8 0x400000(4194304) 0xa2000 1 \faa648a8_k9ksnja_tf.exe

#1: c: Modify Memory \users\rdhj0cnfevzx\desktop 0x6d8 0x3db008(4042760) 0x4 1 \faa648a8_k9ksnja_tf.exe

#1: c: Modify Control Flow \users\rdhj0cnfevzx\desktop 0x6d8 / 0x164 0x77568fe0(2002161632) - 1 \faa648a8_k9ksnja_tf.exe

Dropped Files (5)

File Name File Size SHA256 YARA Match

e641ff8107a4197ded9f558d1891e716811e9a7f109f14e876f5a8394844d - 53 bytes c34

859ffdca62ee0971821a4b2dedfc023d0f9a021391b5ac336ddb49d53d28 C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.hdb 4 bytes 330e

6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.lck 1 bytes 4b

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852 C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.exe 0 bytes b855

353fd628b7f6e7d426e5d6a27d1bc3ac22fa7f812e7594cf2ec5ca1175785 - 53 bytes b50

Host Behavior

Type Count

Module 1062

Registry 181

Mutex 1

File 296

System 32

User 10

Network Behavior

Type Count

HTTP 3

X-Ray Vision for Malware - www.vmray.com 12 / 22 DYNAMIC ANALYSIS REPORT #6780270

Type Count

DNS 4

TCP 4

X-Ray Vision for Malware - www.vmray.com 13 / 22 DYNAMIC ANALYSIS REPORT #6780270

ARTIFACTS

File

SHA256 File Names Category File Size MIME Type Operations Verdict

C: 611b569440a6daaf92be62a1 \Users\RDhJ0CNFevzX\Desktop\faa6 application/ 958366eb772bd62b7bc2f208 48a8_k9ksnja_tf.exe, C: Sample File 698.61 KB vnd.microsoft.portable- Read, Delete, Access MALICIOUS 93870808e0d5a277 \Users\RDhJ0CNFevzX\Desktop\faa6 executable 48a8_K9kSnJA_tF.exe

c: \users\rdhj0cnfevzx\appdata\roaming\ e641ff8107a4197ded9f558d1 microsoft\crypto\rsa\s-1-5-21-156025 891e716811e9a7f109f14e87 8661-3990802383-1811730007-1000\3 Dropped File 53 bytes application/octet-stream - CLEAN 6f5a8394844dc34 d3578a85286f88c6cd9d151e4412949_ 03845cb8-7441-4a2f-8c0f- c90408af5778

859ffdca62ee0971821a4b2d C: Create, Write, Delete, edfc023d0f9a021391b5ac33 \Users\RDhJ0CNFevzX\AppData\Ro Dropped File 4 bytes text/plain CLEAN Access 6ddb49d53d28330e aming\9EDDE9\9BDC8A.hdb

6b86b273ff34fce19d6b804eff C: Create, Write, Delete, 5a3f5747ada4eaa22f1d49c0 \Users\RDhJ0CNFevzX\AppData\Ro Dropped File 1 bytes application/octet-stream CLEAN Access 1e52ddb7875b4b aming\9EDDE9\9BDC8A.lck

c: \users\rdhj0cnfevzx\appdata\roaming\ 353fd628b7f6e7d426e5d6a2 microsoft\crypto\rsa\s-1-5-21-156025 7d1bc3ac22fa7f812e7594cf2 8661-3990802383-1811730007-1000\3 Dropped File 53 bytes application/octet-stream - CLEAN ec5ca1175785b50 d3578a85286f88c6cd9d151e4412949_ 03845cb8-7441-4a2f-8c0f- c90408af5778

Filename

File Name Category Operations Verdict

C:\Users\RDhJ0CNFevzX\Desktop\faa648a8_K9kSnJA_tF.exe Sample File Read, Access CLEAN

C:\Windows\SYSTEM32\ntdll.dll Accessed File Read, Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9 Accessed File Create, Access CLEAN

Create, Write, Delete, C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.hdb Dropped File CLEAN Access

Create, Write, Delete, C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.lck Dropped File CLEAN Access

C: \Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Credentials\DFBE Accessed File Read, Access CLEAN 70A7E5CC19A398EBF1B96859CE5D

C:\Users\RDhJ0CNFevzX\Desktop\faa648a8_k9ksnja_tf.exe Sample File Delete, Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.exe Accessed File Create, Write, Access CLEAN

URL

URL Category IP Address Country HTTP Methods Verdict

http://185.227.139.18/dsaicosaicasdi.php/ - 185.227.139.18 - POST MALICIOUS j572NMRHsdmec

Domain

Domain IP Address Country Protocols Verdict

185.227.139.18 185.227.139.18 - HTTP, DNS CLEAN

IP Address Domains Country Protocols Verdict

192.168.0.1 - - DNS, UDP CLEAN

185.227.139.18 - United States TCP, HTTP, DNS CLEAN

X-Ray Vision for Malware - www.vmray.com 14 / 22 DYNAMIC ANALYSIS REPORT #6780270

Mutex

Name Operations Parent Process Name Verdict

B7274519EDDE9BDC8AE51348 access faa648a8_k9ksnja_tf.exe CLEAN

Registry

Registry Key Operations Parent Process Name Verdict

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Ma read, access faa648a8_k9ksnja_tf.exe CLEAN chineGuid

HKEY_LOCAL_MACHINE read, access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\S read, access faa648a8_k9ksnja_tf.exe CLEAN etup\SetupPath

HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc. read, access faa648a8_k9ksnja_tf.exe CLEAN \Safari\InstallDir

HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon\CurrentVersion read, access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey\Cur read, access faa648a8_k9ksnja_tf.exe CLEAN rentVersion

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey\Current read, access faa648a8_k9ksnja_tf.exe CLEAN Version

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock\CurrentVersi read, access faa648a8_k9ksnja_tf.exe CLEAN on

HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet access faa648a8_k9ksnja_tf.exe CLEAN Browser\AutoComplete

HKEY_CURRENT_USER\Software\Microsoft\Internet access faa648a8_k9ksnja_tf.exe CLEAN Explorer\IntelliForms\Storage2

HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox86\R read, access faa648a8_k9ksnja_tf.exe CLEAN ootDir

HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox\Path read, access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Pale read, access faa648a8_k9ksnja_tf.exe CLEAN Moon\CurrentVersion

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Waterfox\CurrentVe read, access faa648a8_k9ksnja_tf.exe CLEAN rsion

HKEY_CURRENT_USER\Software\LinasFTP\Site Manager access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings\La read, access faa648a8_k9ksnja_tf.exe CLEAN stPassword

HKEY_CURRENT_USER\Software\Ghisler\Total read, access faa648a8_k9ksnja_tf.exe CLEAN Commander\FtpIniName

HKEY_CURRENT_USER\Software access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_CURRENT_USER\Software\AppDataLow access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_CURRENT_USER\Software\IM Providers access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_CURRENT_USER\Software\Netscape access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_CURRENT_USER\Software\ODBC access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_CURRENT_USER\Software\Policies access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_CURRENT_USER\Software\RegisteredApplications access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_CURRENT_USER\Software\Wow6432Node access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_CURRENT_USER\Software\Classes access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts access faa648a8_k9ksnja_tf.exe CLEAN

X-Ray Vision for Malware - www.vmray.com 15 / 22 DYNAMIC ANALYSIS REPORT #6780270

Registry Key Operations Parent Process Name Verdict

HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_CURRENT_USER\Software\Bitvise\BvSshClient\LastUsedPr read, access faa648a8_k9ksnja_tf.exe CLEAN ofile

HKEY_CURRENT_USER\Software\VanDyke\SecureFX\Config Path read, access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_LOCAL_MACHINE\Software\NCH Software\Fling\Accounts access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_CURRENT_USER\Software\NCH Software\Fling\Accounts access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_LOCAL_MACHINE\Software\NCH access faa648a8_k9ksnja_tf.exe CLEAN Software\ClassicFTP\FTPAccounts

HKEY_CURRENT_USER\Software\NCH access faa648a8_k9ksnja_tf.exe CLEAN Software\ClassicFTP\FTPAccounts

HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla read, access faa648a8_k9ksnja_tf.exe CLEAN Thunderbird\CurrentVersion

HKEY_CURRENT_USER\Software\IncrediMail\Identities access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_CURRENT_USER\Software\Martin Prikryl access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Martin Prikryl access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Postbox\Postbox\CurrentVe read, access faa648a8_k9ksnja_tf.exe CLEAN rsion

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\FossaMail\Current read, access faa648a8_k9ksnja_tf.exe CLEAN Version

HKEY_CURRENT_USER\Software\WinChips\UserAccounts access faa648a8_k9ksnja_tf.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows access faa648a8_k9ksnja_tf.exe CLEAN NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\0a0d020000000000c000000000000046

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\0a0d020000000000c000000000000046\Email

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a\Email

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\2db91c5fd8470d46b1a5bc5efab4cae7

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\2db91c5fd8470d46b1a5bc5efab4cae7\Email

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\3517490d76624c419a828607e2a54604

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\3517490d76624c419a828607e2a54604\Email

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\6c29d51f56390b45a924b3b787013a66

X-Ray Vision for Malware - www.vmray.com 16 / 22 DYNAMIC ANALYSIS REPORT #6780270

Registry Key Operations Parent Process Name Verdict

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\6c29d51f56390b45a924b3b787013a66\Email

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\8503020000000000c000000000000046

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\8503020000000000c000000000000046\Email

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\8763203907727d498bce4b981b157d7b

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\8763203907727d498bce4b981b157d7b\Email

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\893893ade607c44aa338ac7df5d6cb42

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\893893ade607c44aa338ac7df5d6cb42\Email

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\9207f3e0a3b11019908b08002b2a56c2

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\9207f3e0a3b11019908b08002b2a56c2\Email

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Email

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Em read, access faa648a8_k9ksnja_tf.exe CLEAN ail

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Em read, access faa648a8_k9ksnja_tf.exe CLEAN ail

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM read, access faa648a8_k9ksnja_tf.exe CLEAN TP Email Address

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM read, access faa648a8_k9ksnja_tf.exe CLEAN TP Server

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM read, access faa648a8_k9ksnja_tf.exe CLEAN TP User Name

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM read, access faa648a8_k9ksnja_tf.exe CLEAN TP User

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\PO read, access faa648a8_k9ksnja_tf.exe CLEAN P3 Server

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\PO read, access faa648a8_k9ksnja_tf.exe CLEAN P3 User Name

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\PO read, access faa648a8_k9ksnja_tf.exe CLEAN P3 User

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NN read, access faa648a8_k9ksnja_tf.exe CLEAN TP Email Address

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NN read, access faa648a8_k9ksnja_tf.exe CLEAN TP User Name

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NN read, access faa648a8_k9ksnja_tf.exe CLEAN TP Server

X-Ray Vision for Malware - www.vmray.com 17 / 22 DYNAMIC ANALYSIS REPORT #6780270

Registry Key Operations Parent Process Name Verdict

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMA read, access faa648a8_k9ksnja_tf.exe CLEAN P Server

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMA read, access faa648a8_k9ksnja_tf.exe CLEAN P User Name

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMA read, access faa648a8_k9ksnja_tf.exe CLEAN P User

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HT read, access faa648a8_k9ksnja_tf.exe CLEAN TP User

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HT read, access faa648a8_k9ksnja_tf.exe CLEAN TP Server URL

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HT read, access faa648a8_k9ksnja_tf.exe CLEAN TPMail User Name

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HT read, access faa648a8_k9ksnja_tf.exe CLEAN TPMail Server

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\PO read, access faa648a8_k9ksnja_tf.exe CLEAN P3 Port

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM read, access faa648a8_k9ksnja_tf.exe CLEAN TP Port

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMA read, access faa648a8_k9ksnja_tf.exe CLEAN P Port

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\PO read, access faa648a8_k9ksnja_tf.exe CLEAN P3 Password2

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMA read, access faa648a8_k9ksnja_tf.exe CLEAN P Password2

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NN read, access faa648a8_k9ksnja_tf.exe CLEAN TP Password2

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HT read, access faa648a8_k9ksnja_tf.exe CLEAN TPMail Password2

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM read, access faa648a8_k9ksnja_tf.exe CLEAN TP Password2

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\PO read, access faa648a8_k9ksnja_tf.exe CLEAN P3 Password

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMA read, access faa648a8_k9ksnja_tf.exe CLEAN P Password

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NN read, access faa648a8_k9ksnja_tf.exe CLEAN TP Password

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HT read, access faa648a8_k9ksnja_tf.exe CLEAN TP Password

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM read, access faa648a8_k9ksnja_tf.exe CLEAN TP Password

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Em read, access faa648a8_k9ksnja_tf.exe CLEAN ail

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\dc48e7c6d33441458035ee20beefe18a

X-Ray Vision for Malware - www.vmray.com 18 / 22 DYNAMIC ANALYSIS REPORT #6780270

Registry Key Operations Parent Process Name Verdict

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\dc48e7c6d33441458035ee20beefe18a\Email

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\e57f6d0b27b6134693ca7113a4ab34a6

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\e57f6d0b27b6134693ca7113a4ab34a6\Email

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\f35c115766b7c94cb080da6869ae8f9d

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\f35c115766b7c94cb080da6869ae8f9d\Email

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\f86ed2903a4a11cfb57e524153480001

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email

HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita\imap.auth.p read, access faa648a8_k9ksnja_tf.exe CLEAN ass

HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita\msa.smtp.a read, access faa648a8_k9ksnja_tf.exe CLEAN uth.pass

HKEY_LOCAL_MACHINE\�� Л��я��Е��ͱ�� write, access faa648a8_k9ksnja_tf.exe CLEAN ��\9EDDE9

Process

Process Name Commandline Verdict

faa648a8_k9ksnja_tf.exe "C:\Users\RDhJ0CNFevzX\Desktop\faa648a8_K9kSnJA_tF.exe" MALICIOUS

X-Ray Vision for Malware - www.vmray.com 19 / 22 DYNAMIC ANALYSIS REPORT #6780270

YARA / AV

YARA (27)

Ruleset Name Rule Name Rule Description File Type File Name Classification Verdict

Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5

Malware Lokibot Lokibot Stealer Function Strings function_strings_process_2.txt Spyware 5/5

Antivirus (28)

File Type Threat Name File Name Verdict

Memory Dump Trojan.PWS.ZKD - MALICIOUS

Memory Dump Gen:Variant.Fugrafa.31802 - MALICIOUS

Memory Dump Gen:Variant.Razy.762033 - MALICIOUS

X-Ray Vision for Malware - www.vmray.com 20 / 22 DYNAMIC ANALYSIS REPORT #6780270

File Type Threat Name File Name Verdict

Memory Dump Gen:Variant.Razy.762033 - MALICIOUS

X-Ray Vision for Malware - www.vmray.com 21 / 22 DYNAMIC ANALYSIS REPORT #6780270

ENVIRONMENT

Virtual Machine Information

Name win10_64_th2_en_mso2016

Description win10_64_th2_en_mso2016

Architecture x86 64-bit

Operating System Windows 10 Threshold 2

Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)

Network Scheme Name Local Gateway

Network Config Name Local Gateway

Analyzer Information

Analyzer Version 4.2.2

Dynamic Engine Version 4.2.2 / 07/23/2021 03:44

Static Engine Version 4.2.2.0

Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)

Built-in AV Database Update Release 2021-08-03 08:18:08+00:00 Date

AV Exceptions Version 4.2.2.54 / 2021-07-23 03:00:10

VTI Ruleset Version 4.2.2.31 / 2021-07-19 18:52:40

YARA Built-in Ruleset Version 4.2.2.32

Link Detonation Heuristics Version -

Signature Trust Store Version 4.2.2.54 / 2021-07-23 03:00:10

Analysis Report Layout Version 10

Software Information

Adobe Acrobat Reader Version Not installed

Microsoft Office 2016

Microsoft Office Version 16.0.4266.1003

Internet Explorer Version 11.0.10586.0

Chrome Version Not installed

Firefox Version Not installed

Flash Version Not installed

Java Version Not installed

X-Ray Vision for Malware - www.vmray.com 22 / 22