DYNAMIC ANALYSIS REPORT #1173563

Classifications: Spyware

Verdict: MALICIOUS

Threat Names: Lokibot, Mal/HTMLGen-A, Trojan.GenericKD.36738116, Generic.Andromeda.6165138E, Gen:Variant.Razy.762033

Verdict Reason: -

Sample Type Windows Exe (x86-32)

Sample Name winlog.exe

ID #385568

MD5 36dff976427ac27d7fb7294960ac4092

SHA1 5b199fd080c210915c6b3c6cdb7ed8d8db119e91

SHA256 5d5c83ef1689244a96edcffb1c59f88a164b2f6c0881214e4338b82c61b28072

File Size 280.00 KB

Report Created 2021-04-19 18:49 (UTC+2)

Target Environment win10_64_th2_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com 1 / 18 DYNAMIC ANALYSIS REPORT #1173563

OVERVIEW

VMRay Threat Identifiers (18 rules, 54 matches)

Score Category Operation Count Classification

5/5 YARA Malicious content matched by YARA rules 2 Spyware

• Rule "Lokibot" from ruleset "Malware" has matched on a memory dump for (process #1) winlog.exe.

• Rule "Lokibot" from ruleset "Malware" has matched on the function strings for (process #1) winlog.exe.

5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware

• Tries to read sensitive data of: NCH Classic FTP, FileZilla, Bitvise SSH Client, Mail, NCH Fling, PuTTY, Microsoft Outlook, IncrediMail, KiTTY, WinChips, Pidgin, SecureFX, Internet Explorer / Edge, Pocomail, FTP Navigator, FAR Manager, Total Commander, QtWeb Internet Browser, Trojita, Internet Explorer, BlazeFTP, LinasFTP.

4/5 Reputation Contacts known malicious URL 1 -

• Reputation analysis labels the URL "http://eyecos.ga/kung/gate.php" which was contacted by (process #1) winlog.exe as "Mal/HTMLGen-A".

4/5 Reputation Resolves known malicious domain 1 -

• Reputation analysis labels the resolved domain "eyecos.ga" as "Mal/HTMLGen-A".

4/5 Antivirus Malicious content was detected by heuristic scan 3 -

• Built-in AV detected the sample itself as "Trojan.GenericKD.36738116".

• Built-in AV detected a memory dump of (process #1) winlog.exe as "Generic.Andromeda.6165138E".

• Built-in AV detected a memory dump of (process #1) winlog.exe as "Gen:Variant.Razy.762033".

3/5 Discovery Reads installed applications 1 Spyware

• Reads installed programs by enumerating the SOFTWARE registry key.

2/5 Data Collection Reads sensitive browser data 4 -

• (Process #1) winlog.exe tries to read sensitive data of "QtWeb Internet Browser" by registry.

• (Process #1) winlog.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.

• (Process #1) winlog.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by registry.

• (Process #1) winlog.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file.

2/5 Data Collection Reads sensitive application data 5 -

• (Process #1) winlog.exe tries to read sensitive data of application "Pidgin" by file.

• (Process #1) winlog.exe tries to read sensitive data of application "Bitvise SSH Client" by registry.

• (Process #1) winlog.exe tries to read sensitive data of application "KiTTY" by registry.

• (Process #1) winlog.exe tries to read sensitive data of application "PuTTY" by registry.

• (Process #1) winlog.exe tries to read sensitive data of application "WinChips" by registry.

2/5 Data Collection Reads sensitive ftp data 10 -


• (Process #1) winlog.exe tries to read sensitive data of ftp application "LinasFTP" by registry.

• (Process #1) winlog.exe tries to read sensitive data of ftp application "FileZilla" by file.

• (Process #1) winlog.exe tries to read sensitive data of ftp application "BlazeFTP" by file.

• (Process #1) winlog.exe tries to read sensitive data of ftp application "BlazeFTP" by registry.

• (Process #1) winlog.exe tries to read sensitive data of ftp application "Total Commander" by registry.

• (Process #1) winlog.exe tries to read sensitive data of ftp application "FAR Manager" by registry.

• (Process #1) winlog.exe tries to read sensitive data of ftp application "SecureFX" by registry.

• (Process #1) winlog.exe tries to read sensitive data of ftp application "NCH Fling" by registry.

• (Process #1) winlog.exe tries to read sensitive data of ftp application "NCH Classic FTP" by registry.

• (Process #1) winlog.exe tries to read sensitive data of ftp application "FTP Navigator" by file.

2/5 Data Collection Reads sensitive mail data 5 -

• (Process #1) winlog.exe tries to read sensitive data of mail application "Pocomail" by file.

• (Process #1) winlog.exe tries to read sensitive data of mail application "IncrediMail" by registry.

• (Process #1) winlog.exe tries to read sensitive data of mail application "Opera Mail" by file.

• (Process #1) winlog.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.

• (Process #1) winlog.exe tries to read sensitive data of mail application "Trojita" by registry.

2/5 Anti Analysis Delays execution 1 -

• (Process #1) winlog.exe has a thread which sleeps more than 5 minutes.

1/5 Discovery Reads system data 1 -

• (Process #1) winlog.exe reads the cryptographic machine GUID from registry.

1/5 Mutex Creates mutex 1 -

• (Process #1) winlog.exe creates mutex with name "B7274519EDDE9BDC8AE51348".

1/5 Discovery Possibly does reconnaissance 13 -

• (Process #1) winlog.exe tries to gather information about application "Mozilla " by registry.

• (Process #1) winlog.exe tries to gather information about application "Comodo IceDragon" by registry.

• (Process #1) winlog.exe tries to gather information about application "" by registry.

• (Process #1) winlog.exe tries to gather information about application "K-Meleon" by registry.

• (Process #1) winlog.exe tries to gather information about application "Mozilla SeaMonkey" by registry.

• (Process #1) winlog.exe tries to gather information about application "Mozilla " by registry.

• (Process #1) winlog.exe tries to gather information about application "Cyberfox" by registry.

• (Process #1) winlog.exe tries to gather information about application "Total Commander" by registry.

• (Process #1) winlog.exe tries to gather information about application "Default Programs" by registry.

• (Process #1) winlog.exe tries to gather information about application "Bitvise SSH Client" by registry.

• (Process #1) winlog.exe tries to gather information about application "SecureFX" by registry.

• (Process #1) winlog.exe tries to gather information about application "Postbox" by registry.

• (Process #1) winlog.exe tries to gather information about application "Trojita" by registry.

1/5 Privilege Escalation Enables process privilege 1 -

• (Process #1) winlog.exe enables process privilege "SeDebugPrivilege".

1/5 Network Connection Performs DNS request 2 -

• (Process #1) winlog.exe resolves host name "eyecos.ga" to IP "35.247.234.230".

• (Process #1) winlog.exe resolves host name "[hostname garbled in extraction]" to IP "-".

1/5 Network Connection Connects to remote host 1 -

• (Process #1) winlog.exe opens an outgoing TCP connection to host "35.247.234.230:80".


1/5 Obfuscation Resolves API functions dynamically 1 -

• (Process #1) winlog.exe resolves 46 API functions by name.

- Trusted Known clean file 2 -

• File "C:\Users\gsanders\AppData\Roaming\9EDDE9\9BDC8A.lck" is a known clean file.

• File "c:\users\gsanders\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1001\0a0eb714d9b6ebd0c6a49a4945de26ad_03845cb8-7441-4a2f-8c0f-c90408af5778" is a known clean file.

Remarks

Anti-Sleep Triggered (0x0200000E): The overall sleep time of all monitored processes was truncated from "2 hours, 51 minutes" to "20 seconds" to reveal dormant functionality.


Mitre ATT&CK Matrix

Tactics with no matched techniques: Initial Access, Execution, Persistence, Privilege Escalation, Lateral Movement, Command and Control, Exfiltration, Impact.

Defense Evasion

• T1045 Software Packing

Credential Access

• T1214 Credentials in Registry

• T1003 Credential Dumping

• T1081 Credentials in Files

Discovery

• T1082 System Information Discovery

• T1012 Query Registry

• T1217 Browser Discovery

• T1083 File and Directory Discovery

Collection

• T1119 Automated Collection

• T1005 Data from Local System


Sample Information

ID 1173563

MD5 36dff976427ac27d7fb7294960ac4092

SHA1 5b199fd080c210915c6b3c6cdb7ed8d8db119e91

SHA256 5d5c83ef1689244a96edcffb1c59f88a164b2f6c0881214e4338b82c61b28072

SSDeep 6144:1WkL1Ys1HIRcZbLCaD0YGUaoFP3eNoG0Q+kRuIhbl:4kf1HjnDxasvuT7uul

ImpHash 0c1de0d2a8383c4df108890e036a0ae1

Filename winlog.exe

File Size 280.00 KB

Sample Type Windows Exe (x86-32)

Has Macros

Analysis Information

Creation Time 2021-04-19 18:49 (UTC+2)

Analysis Duration 00:03:51

Termination Reason Timeout

Number of Monitored Processes 1

Execution Successful False

Reputation Analysis Enabled

WHOIS Enabled

Built-in AV Enabled

Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of AV Matches 17

YARA Enabled

YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of YARA Matches 16


Screenshots truncated.


NETWORK

General

101.46 KB total sent

64.76 KB total received

1 port (80)

2 contacted IP addresses

0 URLs extracted

0 files downloaded

0 malicious hosts detected

DNS

346 DNS requests for 2 domains

1 nameservers contacted

172 total requests returned errors

HTTP/S

1 URLs contacted, 1 servers

174 sessions, 100.54 KB sent, 64.33 KB received

DNS Requests

Type Hostname Response Code Resolved IPs CNames Verdict

A eyecos.ga NoError 35.247.234.230 N/A

- [hostname garbled in extraction] - - - N/A

HTTP Requests

Method URL Dest. IP Dest. Port Status Code Response Size Verdict

POST http://eyecos.ga/kung/gate.php - - - 0 bytes N/A


BEHAVIOR

Process Graph

#1 Sample Start winlog.exe


Process #1: winlog.exe

ID 1

Filename c:\users\gsanders\desktop\winlog.exe

Command Line "C:\Users\gsanders\Desktop\winlog.exe"

Initial Working Directory C:\Users\gsanders\Desktop\

Monitor Start Time Start Time: 190842, Reason: Analysis Target

Unmonitor End Time End Time: 421188, Reason: Terminated by Timeout

Monitor Duration 230.35s

Return Code Unknown

PID 4560

Parent PID 1376

Bitness 32 Bit

Dropped Files (4)

Filename File Size SHA256 YARA Match

- 49 bytes 58d997e54748bf6aa6e2f42a262803729d88dc86f0f80277ab8b6968096225d1

C:\Users\gsanders\AppData\Roaming\9EDDE9\9BDC8A.lck 1 bytes 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

C:\Users\gsanders\AppData\Roaming\9EDDE9\9BDC8A.exe 0 bytes e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

- 49 bytes 78877fa898f0b4c45c9c33ae941e40617ad7c8657a307db62bc5691f92f4f60e

Host Behavior

Type Count

System 206

Module 5378

File 290

Environment 1

Registry 59

Mutex 1

User 10

Network Behavior

Type Count

HTTP 174

DNS 346

TCP 176


ARTIFACTS

File

SHA256 Filenames Category Filesize MIME Type Operations Verdict

5d5c83ef1689244a96edcffb1c59f88a164b2f6c0881214e4338b82c61b28072 C:\Users\gsanders\Desktop\winlog.exe Sample File 280.00 KB application/vnd.microsoft.portable-executable Access, Delete MALICIOUS

58d997e54748bf6aa6e2f42a262803729d88dc86f0f80277ab8b6968096225d1 c:\users\gsanders\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1001\0a0eb714d9b6ebd0c6a49a4945de26ad_03845cb8-7441-4a2f-8c0f-c90408af5778 Dropped File 49 bytes application/octet-stream CLEAN

6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b C:\Users\gsanders\AppData\Roaming\9EDDE9\9BDC8A.lck Dropped File 1 bytes application/octet-stream Access, Write, Delete, Create CLEAN

78877fa898f0b4c45c9c33ae941e40617ad7c8657a307db62bc5691f92f4f60e c:\users\gsanders\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1001\0a0eb714d9b6ebd0c6a49a4945de26ad_03845cb8-7441-4a2f-8c0f-c90408af5778 Dropped File 49 bytes application/octet-stream CLEAN

Filename

Filename Category Operations Verdict

C:\Users\gsanders\Desktop\winlog.exe Sample File Access, Delete CLEAN

C:\Users\gsanders\AppData\Roaming\9EDDE9 Accessed File Access, Create CLEAN

C:\Users\gsanders\AppData\Roaming\9EDDE9\9BDC8A.lck Dropped File Access, Write, Delete, Create CLEAN

C:\Users\gsanders\AppData\Roaming\9EDDE9\9BDC8A.exe Accessed File Access, Write, Create CLEAN

URL

URL Category IP Address Country HTTP Methods Verdict

http://eyecos.ga/kung/gate.php - 35.247.234.230 - POST MALICIOUS

Domain

Domain IP Address Country Protocols Verdict

eyecos.ga 35.247.234.230 HTTP, DNS MALICIOUS

IP

IP Address Domains Country Protocols Verdict

192.168.0.1 - UDP, DNS CLEAN

35.247.234.230 eyecos.ga Brazil HTTP, TCP, DNS CLEAN

Email

-


Email Address

-

Mutex

Name Operations Parent Process Name Verdict

B7274519EDDE9BDC8AE51348 access winlog.exe CLEAN

Registry

Registry Key Operations Parent Process Name Verdict

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography access winlog.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid access, read winlog.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\CurrentVersion access, read winlog.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup\SetupPath access, read winlog.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari\InstallDir access, read winlog.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon\CurrentVersion access, read winlog.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey\CurrentVersion access, read winlog.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey\CurrentVersion access, read winlog.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock\CurrentVersion access, read winlog.exe CLEAN

HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete access winlog.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 access winlog.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox86\RootDir access, read winlog.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox\Path access, read winlog.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\\CurrentVersion access, read winlog.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\\CurrentVersion access, read winlog.exe CLEAN

HKEY_CURRENT_USER\Software\LinasFTP\Site Manager access winlog.exe CLEAN

HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings\LastPassword access, read winlog.exe CLEAN

HKEY_CURRENT_USER\Software\Ghisler\Total Commander\FtpIniName access, read winlog.exe CLEAN

HKEY_CURRENT_USER\Software access winlog.exe CLEAN

HKEY_CURRENT_USER\Software\AppDataLow access winlog.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft access winlog.exe CLEAN

HKEY_CURRENT_USER\Software\Policies access winlog.exe CLEAN

HKEY_CURRENT_USER\Software\RegisteredApplications access winlog.exe CLEAN

HKEY_CURRENT_USER\Software\Wow6432Node access winlog.exe CLEAN


HKEY_CURRENT_USER\Software\Classes access winlog.exe CLEAN

HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts access winlog.exe CLEAN

HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts access winlog.exe CLEAN

HKEY_CURRENT_USER\Software\Bitvise\BvSshClient\LastUsedProfile access, read winlog.exe CLEAN

HKEY_CURRENT_USER\Software\VanDyke\SecureFX\Config Path access, read winlog.exe CLEAN

HKEY_LOCAL_MACHINE\Software\NCH Software\Fling\Accounts access winlog.exe CLEAN

HKEY_CURRENT_USER\Software\NCH Software\Fling\Accounts access winlog.exe CLEAN

HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts access winlog.exe CLEAN

HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts access winlog.exe CLEAN

HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions access winlog.exe CLEAN

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions access winlog.exe CLEAN

HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions access winlog.exe CLEAN

HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions access winlog.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\CurrentVersion access, read winlog.exe CLEAN

HKEY_CURRENT_USER\Software\IncrediMail\Identities access winlog.exe CLEAN

HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities access winlog.exe CLEAN

HKEY_CURRENT_USER\Software\Martin Prikryl access winlog.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Martin Prikryl access winlog.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Postbox\Postbox\CurrentVersion access, read winlog.exe CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\FossaMail\CurrentVersion access, read winlog.exe CLEAN

HKEY_CURRENT_USER\Software\WinChips\UserAccounts access winlog.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook access winlog.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook access winlog.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook access winlog.exe CLEAN

HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita\imap.auth.pass access, read winlog.exe CLEAN

HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita\msa.smtp.auth.pass access, read winlog.exe CLEAN

HKEY_LOCAL_MACHINE\[subkey garbled in extraction]\9EDDE9 access, write winlog.exe CLEAN


Process

Process Name Commandline Verdict

winlog.exe "C:\Users\gsanders\Desktop\winlog.exe" MALICIOUS


YARA / AV

YARA (16)

Ruleset Name Rule Name Rule Description File Type Filename Classification Verdict

Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5

Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5

Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5

Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5

Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5

Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5

Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5

Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5

Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5

Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5

Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5

Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5

Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5

Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5

Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5

Malware Lokibot Lokibot Stealer Function Strings function_strings_process_1.txt Spyware 5/5

Antivirus (17)

File Type Threat Name Filename Verdict

SAMPLE Trojan.GenericKD.36738116 C:\Users\gsanders\Desktop\winlog.exe MALICIOUS

MEMORY_DUMP Generic.Andromeda.6165138E - MALICIOUS

MEMORY_DUMP Gen:Variant.Razy.762033 - MALICIOUS

MEMORY_DUMP Gen:Variant.Razy.762033 - MALICIOUS

MEMORY_DUMP Gen:Variant.Razy.762033 - MALICIOUS

MEMORY_DUMP Gen:Variant.Razy.762033 - MALICIOUS

MEMORY_DUMP Gen:Variant.Razy.762033 - MALICIOUS

MEMORY_DUMP Gen:Variant.Razy.762033 - MALICIOUS

MEMORY_DUMP Gen:Variant.Razy.762033 - MALICIOUS

MEMORY_DUMP Gen:Variant.Razy.762033 - MALICIOUS

MEMORY_DUMP Gen:Variant.Razy.762033 - MALICIOUS

MEMORY_DUMP Gen:Variant.Razy.762033 - MALICIOUS

MEMORY_DUMP Gen:Variant.Razy.762033 - MALICIOUS

MEMORY_DUMP Gen:Variant.Razy.762033 - MALICIOUS

MEMORY_DUMP Gen:Variant.Razy.762033 - MALICIOUS


MEMORY_DUMP Gen:Variant.Razy.762033 - MALICIOUS

MEMORY_DUMP Gen:Variant.Razy.762033 - MALICIOUS


ENVIRONMENT

Virtual Machine Information

Name win10_64_th2_en_mso2016

Description win10_64_th2_en_mso2016

Architecture x86 64-bit

Operating System Windows 10 Threshold 2

Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)

Network Scheme Name Local Gateway

Network Config Name Local Gateway

Analyzer Information

Analyzer Version 4.1.1

Dynamic Engine Version 4.1.1 / 02/08/2021 15:19

Static Engine Version 1.6.0

Built-in AV Version AVCORE v2.2 /x86_64 11.0.1.19 (November 12, 2020)

Built-in AV Database Update Release Date 2021-04-19 14:27:28+00:00

VTI Ruleset Version 3.8

YARA Built-in Ruleset Version 1.5

Analysis Report Layout Version 10

Software Information

Adobe Acrobat Reader Version Not installed

Microsoft Office 2016

Microsoft Office Version 16.0.4266.1003

Internet Explorer Version 11.0.10586.0

Chrome Version Not installed

Firefox Version Not installed

Flash Version Not installed

Java Version Not installed
