DYNAMIC ANALYSIS REPORT #2204689
Classifications: Downloader Spyware
MALICIOUS Threat Names: -
Verdict Reason: -
Sample Type Windows Exe (x86-32)
File Name d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe
ID #879501
MD5 92d6baf79e990130a1db2175731d4e46
SHA1 db9efd2c26760ce555c1c31ca8d80d1731b26771
SHA256 d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9
File Size 686.00 KB
Report Created 2021-08-25 03:00 (UTC+2)
Target Environment win10_64_th2_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 28 DYNAMIC ANALYSIS REPORT #2204689
OVERVIEW
VMRay Threat Identifiers (13 rules, 40 matches)
Score Category Operation Count Classification
5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware
• Tries to read sensitive data of: Torch, Opera, Comodo Dragon, Elements Browser, Vivaldi, BlackHawk, Chromium, Mozilla Thunderbird,...... gle Chrome, Mozilla Firefox, CocCoc, CentBrowser, Kometa, Cyberfox, Internet Explorer, Amigo, Epic Privacy Browser, Orbitum, Uran.
3/5 Network Connection Uses HTTP to upload a large amount of data. 1 -
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe uploads 48.603KB data using HTTP POST.
2/5 Data Collection Reads sensitive browser data 18 -
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Google Chrome" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Chromium" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Kometa" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Amigo" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Torch" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Orbitum" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Comodo Dragon" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Epic Privacy Browser" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Vivaldi" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "CocCoc" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Uran" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "CentBrowser" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Elements Browser" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Opera" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Mozilla Firefox" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "Cyberfox" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of web browser "BlackHawk" by file.
2/5 Data Collection Reads sensitive mail data 1 -
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to read sensitive data of mail application "Mozilla Thunderbird" by file.
2/5 Injection Writes into the memory of a process started from a created or modified executable 1 -
• (Process #1) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe modifies memory of (process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe.
2/5 Injection Modifies control flow of a process started from a created or modified executable 1 -
• (Process #1) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe alters context of (process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe.
1/5 Hide Tracks Creates process with hidden window 2 -
• (Process #1) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe starts (process #1) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe with a hidden window.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe starts (process #4) cmd.exe with a hidden window.
1/5 Obfuscation Reads from memory of another process 1 -
• (Process #1) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe reads from (process #1) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe.
1/5 Obfuscation Creates a page with write and execute permissions 1 -
• (Process #1) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
1/5 Discovery Possibly does reconnaissance 4 -
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to gather information about application "Mozilla Firefox" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to gather information about application "Cyberfox" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to gather information about application "blackHawk" by file.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe tries to gather information about application "icecat" by file.
1/5 Execution Executes itself 1 -
• (Process #1) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe executes a copy of the sample at C:\Users\RDhJ0CNFevzX\Desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe.
1/5 Network Connection Downloads executable 7 Downloader
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe downloads executable via http from ck7.mooo.com/6.jpg.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe downloads executable via http from ck7.mooo.com/1.jpg.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe downloads executable via http from ck7.mooo.com/2.jpg.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe downloads executable via http from ck7.mooo.com/3.jpg.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe downloads executable via http from ck7.mooo.com/4.jpg.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe downloads executable via http from ck7.mooo.com/5.jpg.
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe downloads executable via http from ck7.mooo.com/7.jpg.
1/5 Obfuscation Resolves API functions dynamically 1 -
• (Process #2) d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe resolves 74 API functions by name.
- Trusted Known clean file 7 -
• File "C:\\ProgramData\\softokn3.dll" is a known clean file.
• File "C:\\ProgramData\\sqlite3.dll" is a known clean file.
• File "C:\\ProgramData\\freebl3.dll" is a known clean file.
• File "C:\\ProgramData\\mozglue.dll" is a known clean file.
• File "C:\\ProgramData\\msvcp140.dll" is a known clean file.
• File "C:\\ProgramData\\nss3.dll" is a known clean file.
• File "C:\\ProgramData\\vcruntime140.dll" is a known clean file.
- Trusted Executable has a trusted signature 4 -
• Executable C:\\ProgramData\\softokn3.dll has a trusted signature.
• Executable C:\\ProgramData\\freebl3.dll has a trusted signature.
• Executable C:\\ProgramData\\mozglue.dll has a trusted signature.
• Executable C:\\ProgramData\\nss3.dll has a trusted signature.
Mitre ATT&CK Matrix
Tactic Techniques
Initial Access -
Execution -
Persistence -
Privilege Escalation -
Defense Evasion #T1143 Hidden Window; #T1045 Software Packing
Credential Access #T1003 Credential Dumping; #T1081 Credentials in Files
Discovery #T1083 File and Directory Discovery
Lateral Movement #T1105 Remote File Copy
Collection #T1119 Automated Collection; #T1005 Data from Local System
Exfiltration #T1020 Automated Exfiltration
Command and Control #T1071 Standard Application Layer Protocol; #T1105 Remote File Copy
Impact -
Sample Information
ID #879501
MD5 92d6baf79e990130a1db2175731d4e46
SHA1 db9efd2c26760ce555c1c31ca8d80d1731b26771
SHA256 d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9
SSDeep 12288:PsIi50Ynk0H5sQH0YDMr1se/fRlA6EiNxcBO3XF02kLxEz33n5+mEJqyOx4:PtiKY/OQUwekXCcBmF3WS3Jta7O4
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Name d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe
File Size 686.00 KB
Sample Type Windows Exe (x86-32)
Has Macros
Analysis Information
Creation Time 2021-08-25 03:00 (UTC+2)
Analysis Duration 00:04:00
Termination Reason Timeout
Number of Monitored Processes 4
Execution Successful False
Reputation Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 0
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 0
NETWORK
General
87.82 KB total sent
3046.05 KB total received
1 ports 80
1 contacted IP addresses
0 URLs extracted
8 files downloaded
0 malicious hosts detected
DNS
0 DNS requests for 0 domains
0 nameservers contacted
0 total requests returned errors
HTTP/S
9 URLs contacted, 1 servers
1 sessions, 87.82 KB sent, 3046.05 KB received
HTTP Requests
Method URL Dest. IP Dest. Port Status Code Response Size Verdict
POST ck7.mooo.com/6.jpg - - 0 bytes NA
POST ck7.mooo.com/1.jpg - - 0 bytes NA
POST ck7.mooo.com/2.jpg - - 0 bytes NA
POST ck7.mooo.com/3.jpg - - 0 bytes NA
POST ck7.mooo.com/4.jpg - - 0 bytes NA
POST ck7.mooo.com/5.jpg - - 0 bytes NA
POST ck7.mooo.com/7.jpg - - 0 bytes NA
POST ck7.mooo.com/main.php - - 0 bytes NA
POST ck7.mooo.com/ - - 0 bytes NA
BEHAVIOR
Process Graph
Sample Start: #1 d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe
  #1 -> #2 d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe (Child Process; Modify Memory, Modify Control Flow)
  #2 -> #4 cmd.exe (Child Process)
  #4 -> #6 taskkill.exe (Child Process)
Process #1: d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe
ID 1
File Name c:\users\rdhj0cnfevzx\desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 42478, Reason: Analysis Target
Unmonitor End Time End Time: 115687, Reason: Terminated
Monitor duration 73.21s
Return Code 0
PID 4744
Parent PID 1652
Bitness 32 Bit
Host Behavior
Type Count
Module 69
Window 6
Registry 3
File 1
Process 1
- 3
- 8
Process #2: d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe
ID 2
File Name c:\users\rdhj0cnfevzx\desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 111563, Reason: Child Process
Unmonitor End Time End Time: 140287, Reason: Terminated
Monitor duration 28.72s
Return Code 0
PID 552
Parent PID 4744
Bitness 32 Bit
Injection Information (7)
Injection Type Source Process Source / Target TID Address / Name Size Success Count
Modify Memory #1: c:\users\rdhj0cnfevzx\desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe 0xf30 0x400000(4194304) 0x400 1
Modify Memory #1: c:\users\rdhj0cnfevzx\desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe 0xf30 0x401000(4198400) 0x25a00 1
Modify Memory #1: c:\users\rdhj0cnfevzx\desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe 0xf30 0x427000(4354048) 0x8200 1
Modify Memory #1: c:\users\rdhj0cnfevzx\desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe 0xf30 0x430000(4390912) 0x1200 1
Modify Memory #1: c:\users\rdhj0cnfevzx\desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe 0xf30 0x435000(4411392) 0x2e00 1
Modify Memory #1: c:\users\rdhj0cnfevzx\desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe 0xf30 0x20f008(2158600) 0x4 1
Modify Control Flow #1: c:\users\rdhj0cnfevzx\desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe 0xf30 / 0x1004 - 1
Dropped Files (12)
File Name File Size SHA256 YARA Match
C:\\ProgramData\\softokn3.dll 141.45 KB 43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
C:\\ProgramData\\sqlite3.dll 630.46 KB 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
C:\\ProgramData\\freebl3.dll 326.45 KB a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
C:\\ProgramData\\mozglue.dll 133.95 KB 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
C:\\ProgramData\\msvcp140.dll 429.80 KB 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
C:\\ProgramData\\nss3.dll 1216.95 KB e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
C:\\ProgramData\\vcruntime140.dll 81.82 KB c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
- 0 bytes e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
system.txt 2.01 KB 270eab209a6a3dd3ebb692841d2886c9b035445b0b17371e005a92f4cd80ad8d
C:\\ProgramData\\717325135878779\screenshot.jpg 66.19 KB 8db975b92ed75699113da6699e7aeac042067d82ff273eb15b9e1031e7ec8833
outlook.txt 527 bytes 1ddf9ccdf8405a70cb261c09df1cafcdcf0f980e03c441a841d3543b42879259
_7173251358.zip 47.13 KB db889d08894f19bf9c3a1e812e07b8748181d6d0ee5836d62d5676283cd935ce
Host Behavior
Type Count
Module 93
File 738
Environment 1
System 13
Registry 205
User 1
Keyboard 2
Process 1
Network Behavior
Type Count
HTTP 9
TCP 1
Process #4: cmd.exe
ID 4
File Name c:\windows\syswow64\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c taskkill /pid 552 & erase C:\Users\RDhJ0CNFevzX\Desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbe' & RD /S /Q C:\\ProgramData\\717325135878779\\* & exit
Initial Working Directory C:\ProgramData\
Monitor Start Time Start Time: 136260, Reason: Child Process
Unmonitor End Time End Time: 145040, Reason: Terminated
Monitor duration 8.78s
Return Code 0
PID 3648
Parent PID 552
Bitness 32 Bit
Host Behavior
Type Count
Module 8
Registry 17
File 21
Environment 19
System 1
Process 1
Process #6: taskkill.exe
ID 6
File Name c:\windows\syswow64\taskkill.exe
Command Line taskkill /pid 552
Initial Working Directory C:\ProgramData\
Monitor Start Time Start Time: 141316, Reason: Child Process
Unmonitor End Time End Time: 145876, Reason: Terminated
Monitor duration 4.56s
Return Code 128
PID 712
Parent PID 3648
Bitness 32 Bit
ARTIFACTS
File
SHA256 File Names Category File Size MIME Type Operations Verdict
d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9 C:\Users\RDhJ0CNFevzX\Desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe Sample File 686.00 KB application/vnd.microsoft.portable-executable Access MALICIOUS
c2d814a34b184b7cdf10e4e7a4311ff15db99326d6dd8d328b53bf9e19ccf858 c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat Modified File 128 bytes application/octet-stream - CLEAN
270eab209a6a3dd3ebb692841d2886c9b035445b0b17371e005a92f4cd80ad8d system.txt, C:\\ProgramData\\717325135878779\system.txt Dropped File 2.01 KB text/plain Create, Access, Delete, Read, Write CLEAN
8db975b92ed75699113da6699e7aeac042067d82ff273eb15b9e1031e7ec8833 screenshot.jpg, C:\\ProgramData\\717325135878779\screenshot.jpg Dropped File 66.19 KB image/jpeg Access, Delete, Read CLEAN
1ddf9ccdf8405a70cb261c09df1cafcdcf0f980e03c441a841d3543b42879259 C:\\ProgramData\\717325135878779\outlook.txt, outlook.txt Embedded File 527 bytes text/plain Create, Access, Delete, Read, Write CLEAN
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083 C:\\ProgramData\\softokn3.dll Downloaded File 141.45 KB application/vnd.microsoft.portable-executable Create, Access, Delete, Write CLEAN
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 C:\\ProgramData\\sqlite3.dll Downloaded File 630.46 KB application/vnd.microsoft.portable-executable Create, Access, Delete, Write CLEAN
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba C:\\ProgramData\\freebl3.dll Downloaded File 326.45 KB application/vnd.microsoft.portable-executable Create, Access, Delete, Write CLEAN
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd C:\\ProgramData\\mozglue.dll Downloaded File 133.95 KB application/vnd.microsoft.portable-executable Create, Access, Delete, Write CLEAN
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 C:\\ProgramData\\msvcp140.dll Downloaded File 429.80 KB application/vnd.microsoft.portable-executable Create, Access, Delete, Write CLEAN
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 C:\\ProgramData\\nss3.dll Downloaded File 1216.95 KB application/vnd.microsoft.portable-executable Create, Access, Delete, Write CLEAN
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d C:\\ProgramData\\vcruntime140.dll Downloaded File 81.82 KB application/vnd.microsoft.portable-executable Create, Access, Delete, Write CLEAN
db889d08894f19bf9c3a1e812e07b8748181d6d0ee5836d62d5676283cd935ce _7173251358.zip, C:\\ProgramData\\717325135878779\_7173251358.zip Downloaded File 47.13 KB application/zip Create, Access, Delete, Read, Write CLEAN
Filename
File Name Category Operations Verdict
C:\Users\RDhJ0CNFevzX\Desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe.config Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\Desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe Sample File Access CLEAN
C:\\ProgramData\\softokn3.dll Downloaded File Create, Access, Delete, Write CLEAN
C:\\ProgramData\\sqlite3.dll Downloaded File Create, Access, Delete, Write CLEAN
C:\\ProgramData\\freebl3.dll Downloaded File Create, Access, Delete, Write CLEAN
C:\\ProgramData\\mozglue.dll Downloaded File Create, Access, Delete, Write CLEAN
C:\\ProgramData\\msvcp140.dll Downloaded File Create, Access, Delete, Write CLEAN
C:\\ProgramData\\nss3.dll Downloaded File Create, Access, Delete, Write CLEAN
C:\\ProgramData\\vcruntime140.dll Downloaded File Create, Access, Delete, Write CLEAN
C:\\ProgramData\\717325135878779 Accessed File Create, Access, Delete CLEAN
C:\\ProgramData\\717325135878779\\cookies Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\cc Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\autofill Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto Accessed File Create, Access CLEAN
passwords.txt Accessed File Create, Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Google\\Chrome\\User Data\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Chromium\\User Data\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Kometa\\User Data\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Amigo\\User Data\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Torch\\User Data\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Orbitum\\User Data\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Comodo\\Dragon\\User Data\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Nichrome\\User Data\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Maxthon5\\Users\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Sputnik\\User Data\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Epic Privacy Browser\\User Data\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Vivaldi\\User Data\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\CocCoc\\Browser\\User Data\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\uCozMedia\\Uran\\User Data\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\QIP Surf\\User Data\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\CentBrowser\\User Data\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Elements Browser\\User Data\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\TorBro\\Profile\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Edge\User Data\\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\CryptoTab Browser\\User Data\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\BraveSoftware\\Brave-Browser\\User Data\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\Opera Software\\Opera Stable\\\Local State Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\Mozilla\\Firefox\\Profiles\\..\\profiles.ini Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\Moonchild Productions\\Pale Moon\\Profiles\\..\\profiles.ini Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\Waterfox\\Profiles\\..\\profiles.ini Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\8pecxstudios\\Cyberfox\\Profiles\\..\\profiles.ini Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\NETGATE Technologies\\BlackHawk\\Profiles\\..\\profiles.ini Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\Mozilla\\icecat\\Profiles\\..\\profiles.ini Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\K-Meleon\\..\\profiles.ini Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\Thunderbird\\Profiles\\..\\profiles.ini Accessed File Access CLEAN
outlook.txt Dropped File, Embedded File Create, Read, Access, Write CLEAN
C:\\ProgramData\\717325135878779\\crypto\\Bitcoin\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\Ethereum\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\Electrum Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\Electrum-LTC Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\ElectronCash Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\Exodus\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\MultiDoge\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\Zcash\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\DashCore\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\Litecoin\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\Anoncoin\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\BBQCoin\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\devcoin\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\digitalcoin\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\Florincoin\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\Franko\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\Freicoin\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\GoldCoinGLD Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\Infinitecoin\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\IOCoin\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\Ixcoin\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\Megacoin\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\Mincoin\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\Namecoin\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\Primecoin\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\Terracoin\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\YACoin\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\jaxx\\ Accessed File Create, Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\jaxx\\. Accessed File Create, Access, Write CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\. Accessed File Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\jaxx\\.. Accessed File Create, Access, Write CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\.. Accessed File Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\jaxx\\autofill Accessed File Create, Access, Write CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\autofill Accessed File Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\jaxx\\cc Accessed File Create, Access, Write CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\cc Accessed File Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\jaxx\\cookies Accessed File Create, Access, Write CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\cookies Accessed File Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\jaxx\\crypto Accessed File Create, Access, Write CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\crypto Accessed File Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\jaxx\\outlook.txt Accessed File Create, Access, Write CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\outlook.txt Accessed File Access CLEAN
C:\\ProgramData\\717325135878779\\crypto\\jaxx\\passwords.txt Accessed File Create, Access, Write CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\passwords.txt Accessed File Access CLEAN
system.txt Dropped File Create, Access, Write CLEAN
_7173251358.zip Downloaded File Create, Read, Access, Write CLEAN
C:\\ProgramData\\717325135878779\autofill Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\cc Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\cookies Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\Anoncoin Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\BBQCoin Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\Bitcoin Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\DashCore Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\devcoin Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\digitalcoin Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\ElectronCash Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\Electrum Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\Electrum-LTC Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\Ethereum Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\Exodus Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\Florincoin Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\Franko Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\Freicoin Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\GoldCoinGLD Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\Infinitecoin Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\IOCoin Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\Ixcoin Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\jaxx Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\Litecoin Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\Megacoin Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\Mincoin Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\MultiDoge Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\Namecoin Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\Primecoin Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\Terracoin Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\YACoin Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\crypto\Zcash Accessed File Access, Delete CLEAN
C:\\ProgramData\\717325135878779\outlook.txt Dropped File, Embedded File Access, Delete, Read CLEAN
C:\\ProgramData\\717325135878779\passwords.txt Accessed File Access, Delete, Read CLEAN
C:\\ProgramData\\717325135878779\screenshot.jpg Dropped File Access, Delete, Read CLEAN
C:\\ProgramData\\717325135878779\system.txt Dropped File Access, Delete, Read CLEAN
C:\\ProgramData\\717325135878779\_7173251358.zip Downloaded File Access, Delete CLEAN
C:\Windows\SysWOW64\cmd.exe Accessed File Access CLEAN
C:\ProgramData Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\Desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbe' Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\Desktop Accessed File Access CLEAN
C:\\ProgramData\\717325135878779\\* Accessed File Access, Delete CLEAN
URL
URL Category IP Address Country HTTP Methods Verdict
http://ck7.mooo.com/6.jpg - 188.241.58.142 - POST CLEAN
http://ck7.mooo.com/1.jpg - 188.241.58.142 - POST CLEAN
http://ck7.mooo.com/2.jpg - 188.241.58.142 - POST CLEAN
http://ck7.mooo.com/3.jpg - 188.241.58.142 - POST CLEAN
http://ck7.mooo.com/4.jpg - 188.241.58.142 - POST CLEAN
http://ck7.mooo.com/5.jpg - 188.241.58.142 - POST CLEAN
http://ck7.mooo.com/7.jpg - 188.241.58.142 - POST CLEAN
http://ck7.mooo.com/main.php - 188.241.58.142 - POST CLEAN
http://ck7.mooo.com - 188.241.58.142 - POST CLEAN
Domain
Domain IP Address Country Protocols Verdict
ck7.mooo.com 188.241.58.142 - HTTP CLEAN
IP
IP Address Domains Country Protocols Verdict
188.241.58.142 ck7.mooo.com Romania DNS, HTTP, TCP CLEAN
Registry
Registry Key Operations Parent Process Name Verdict
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_PERFORMANCE_DATA access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000004 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Office\\13.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Office\\13.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Office\\13.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Office\\13.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000004 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Office\\14.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Office\\14.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Office\\14.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Office\\14.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000004 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000004 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000004 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676\\00000001 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676\\00000002 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676\\00000003 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676\\00000004 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\ProductName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Cryptography access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Cryptography\MachineGuid access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\ProcessorNameString access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\AddressBook access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\AddressBook\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Connection Manager access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Connection Manager\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\DirectDrawEx access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\DirectDrawEx\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\DXM_Runtime access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\DXM_Runtime\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Fontcore access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Fontcore\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE40 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE40\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE4Data access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE4Data\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE5BAKEX access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE5BAKEX\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IEData access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IEData\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\MobileOptionPack access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\MobileOptionPack\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\MPlayer2 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\MPlayer2\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\SchedulingAgent access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\SchedulingAgent\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\WIC access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\WIC\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{0FA68574-690B-4B00-89AA-B28946231449} access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{0FA68574-690B-4B00-89AA-B28946231449}\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{0FA68574-690B-4B00-89AA-B28946231449}\DisplayVersion access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E} access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}\DisplayVersion access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2} access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}\DisplayVersion access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\DisplayVersion access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a} access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a}\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a}\DisplayVersion access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{65e650ff-30be-469d-b63a-418d71ea1765} access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{65e650ff-30be-469d-b63a-418d71ea1765}\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{65e650ff-30be-469d-b63a-418d71ea1765}\DisplayVersion access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{6913e92a-b64e-41c9-a5e6-cef39207fe89} access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\DisplayVersion access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2} access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}\DisplayVersion access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90160000-008C-0000-0000-0000000FF1CE} access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}\DisplayVersion access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90160000-008C-0409-0000-0000000FF1CE} access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90160000-008C-0409-0000-0000000FF1CE}\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90160000-008C-0409-0000-0000000FF1CE}\DisplayVersion access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}\DisplayVersion access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9} access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9}\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9}\DisplayVersion access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB} access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}\DisplayVersion access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayVersion access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d} access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\DisplayVersion access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}\DisplayVersion access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573 access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185} access d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}\DisplayName access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}\DisplayVersion access, read d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe CLEAN
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System access cmd.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor access cmd.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck access, read cmd.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions access, read cmd.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion access, read cmd.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor access, read cmd.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar access, read cmd.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar access, read cmd.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun access, read cmd.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Command Processor access cmd.exe CLEAN
Reduced dataset
Process
Process Name Commandline Verdict
d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe "C:\Users\RDhJ0CNFevzX\Desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe" MALICIOUS
d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe "C:\Users\RDhJ0CNFevzX\Desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9.exe" SUSPICIOUS
cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /pid 552 & erase C:\Users\RDhJ0CNFevzX\Desktop\d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbe' & RD /S /Q C:\\ProgramData\\717325135878779\\* & exit CLEAN
taskkill.exe taskkill /pid 552 CLEAN
YARA / AV
No YARA or AV matches available.
ENVIRONMENT
Virtual Machine Information
Name win10_64_th2_en_mso2016
Description win10_64_th2_en_mso2016
Architecture x86 64-bit
Operating System Windows 10 Threshold 2
Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.2.2
Dynamic Engine Version 4.2.2 / 07/23/2021 03:44
Static Engine Version 4.2.2.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)
Built-in AV Database Update Release Date 2021-08-24 21:31:20+00:00
AV Exceptions Version 4.2.2.54 / 2021-07-23 03:00:10
VTI Ruleset Version 4.2.2.38 / 2021-08-23 11:23:52
YARA Built-in Ruleset Version 4.2.2.35
Link Detonation Heuristics Version -
Signature Trust Store Version 4.2.2.54 / 2021-07-23 03:00:10
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 11.0.10586.0
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed