Loading ...

Play interactive tourEdit tour

Analysis Report 111B7Ai1.exe

Overview

General Information

Sample Name:111B7Ai1.exe
MD5:5cb4a9d3ca6d04be07d7089726d7c5b7
SHA1:f913a4e951913b3da5cada21d82fbcf3313d6a14
SHA256:615c5f266afb8c2112a1aed26455819bc66d8c7cf8a87c74ecac1962d4c65ce2

Most interesting Screenshot:

Detection

Ursnif
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Creates a COM Internet Explorer object
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Startup

  • System is w10x64
  • 111B7Ai1.exe (PID: 2072 cmdline: 'C:\Users\user\Desktop\111B7Ai1.exe' MD5: 5CB4A9D3CA6D04BE07D7089726D7C5B7)
  • iexplore.exe (PID: 4872 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4380 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4872 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 4192 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4872 CREDAT:17416 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 4588 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4956 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4588 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 4988 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 1260 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4988 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 1224 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4628 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1224 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000003.789174500.0000000003470000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000000.00000003.790340929.0000000003470000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000000.00000003.791211250.0000000003470000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000000.00000003.790752420.0000000003470000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000000.00000003.787136270.0000000003470000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 30 entries

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Antivirus / Scanner detection for submitted sampleShow sources
            Source: 111B7Ai1.exeAvira: detected
            Multi AV Scanner detection for submitted fileShow sources
            Source: 111B7Ai1.exeVirustotal: Detection: 40%Perma Link
            Source: 111B7Ai1.exeReversingLabs: Detection: 39%
            Machine Learning detection for sampleShow sources
            Source: 111B7Ai1.exeJoe Sandbox ML: detected
            Source: 0.2.111B7Ai1.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
            Source: 0.2.111B7Ai1.exe.5d0000.1.unpackAvira: Label: TR/Patched.Ren.Gen
            Source: 0.0.111B7Ai1.exe.400000.0.unpackAvira: Label: TR/Crypt.FKM.Gen

            Networking:

            barindex
            Creates a COM Internet Explorer objectShow sources
            Source: C:\Users\user\Desktop\111B7Ai1.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}Jump to behavior
            Source: C:\Users\user\Desktop\111B7Ai1.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAsJump to behavior
            Source: C:\Users\user\Desktop\111B7Ai1.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32Jump to behavior
            Source: C:\Users\user\Desktop\111B7Ai1.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32Jump to behavior
            Source: C:\Users\user\Desktop\111B7Ai1.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandlerJump to behavior
            Source: unknownDNS traffic detected: query: worldwidebars.xyz replaycode: Name error (3)
            Source: msapplication.xml0.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xeea49943,0x01d62fce</date><accdate>0xeea49943,0x01d62fce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml0.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xeea49943,0x01d62fce</date><accdate>0xeea49943,0x01d62fce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml5.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xeeae48a9,0x01d62fce</date><accdate>0xeeae48a9,0x01d62fce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml5.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xeeae48a9,0x01d62fce</date><accdate>0xeeb10a99,0x01d62fce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml7.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xeeb36cc7,0x01d62fce</date><accdate>0xeeb36cc7,0x01d62fce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: msapplication.xml7.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xeeb36cc7,0x01d62fce</date><accdate>0xeebab9f1,0x01d62fce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: unknownDNS traffic detected: queries for: worldwidebars.xyz
            Source: 111B7Ai1.exeString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
            Source: 111B7Ai1.exeString found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
            Source: 111B7Ai1.exeString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
            Source: 111B7Ai1.exeString found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
            Source: 111B7Ai1.exeString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
            Source: 111B7Ai1.exeString found in binary or memory: http://ocsp.comodoca.com0
            Source: 111B7Ai1.exeString found in binary or memory: http://ocsp.sectigo.com0
            Source: imagestore.dat.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eas/sc/2b/a5ea21.ico
            Source: msapplication.xml.4.drString found in binary or memory: http://www.amazon.com/
            Source: msapplication.xml1.4.drString found in binary or memory: http://www.google.com/
            Source: msapplication.xml2.4.drString found in binary or memory: http://www.live.com/
            Source: msapplication.xml3.4.drString found in binary or memory: http://www.nytimes.com/
            Source: msapplication.xml4.4.drString found in binary or memory: http://www.reddit.com/
            Source: msapplication.xml5.4.drString found in binary or memory: http://www.twitter.com/
            Source: msapplication.xml6.4.drString found in binary or memory: http://www.wikipedia.com/
            Source: msapplication.xml7.4.drString found in binary or memory: http://www.youtube.com/
            Source: 111B7Ai1.exeString found in binary or memory: https://sectigo.com/CPS0
            Source: 111B7Ai1.exeString found in binary or memory: https://sectigo.com/CPS0B
            Source: 111B7Ai1.exe, 111B7Ai1.exe, 00000000.00000003.1029350302.0000000003470000.00000004.00000040.sdmpString found in binary or memory: https://worldwidebars.xyz
            Source: ~DF7865094154E0F6FF.TMP.13.drString found in binary or memory: https://worldwidebars.xyz/index.htm
            Source: {347DCA41-9BC2-11EA-AADD-C25F135D3C65}.dat.8.drString found in binary or memory: https://worldwidebars.xyz/index.htmRoot
            Source: {347DCA41-9BC2-11EA-AADD-C25F135D3C65}.dat.8.drString found in binary or memory: https://worldwidebars.xyz/index.htmxyz/index.htm
            Source: 111B7Ai1.exe, 00000000.00000003.789174500.0000000003470000.00000004.00000040.sdmpString found in binary or memory: https://worldwidebars.xyz6

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.789174500.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790340929.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791211250.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790752420.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787136270.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791277322.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.1029350302.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788213304.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788695574.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790003094.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.784944263.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787668474.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786015495.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788941920.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790636153.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.785644547.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.789837466.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788467555.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791156652.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1206984916.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790903345.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.785285889.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.789653098.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787434301.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790991604.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787949984.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.789427333.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791254661.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786619285.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786359162.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791076029.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790183241.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786881266.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790505771.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 111B7Ai1.exe PID: 2072, type: MEMORY

            E-Banking Fraud:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.789174500.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790340929.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791211250.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790752420.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787136270.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791277322.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.1029350302.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788213304.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788695574.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790003094.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.784944263.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787668474.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786015495.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788941920.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790636153.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.785644547.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.789837466.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788467555.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791156652.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1206984916.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790903345.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.785285889.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.789653098.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787434301.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790991604.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787949984.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.789427333.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791254661.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786619285.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786359162.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791076029.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790183241.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786881266.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790505771.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 111B7Ai1.exe PID: 2072, type: MEMORY

            System Summary:

            barindex
            Writes or reads registry keys via WMIShow sources
            Source: C:\Users\user\Desktop\111B7Ai1.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Users\user\Desktop\111B7Ai1.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Users\user\Desktop\111B7Ai1.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Users\user\Desktop\111B7Ai1.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Users\user\Desktop\111B7Ai1.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMIShow sources
            Source: C:\Users\user\Desktop\111B7Ai1.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Users\user\Desktop\111B7Ai1.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Users\user\Desktop\111B7Ai1.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Users\user\Desktop\111B7Ai1.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Users\user\Desktop\111B7Ai1.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: 111B7Ai1.exe, 00000000.00000002.1206452953.00000000021F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dll.muij% vs 111B7Ai1.exe
            Source: 111B7Ai1.exe, 00000000.00000002.1205242863.000000000044E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSMSvcHost.exeT vs 111B7Ai1.exe
            Source: 111B7Ai1.exe, 00000000.00000002.1206350150.0000000002150000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dllj% vs 111B7Ai1.exe
            Source: 111B7Ai1.exeBinary or memory string: OriginalFilenameSMSvcHost.exeT vs 111B7Ai1.exe
            Source: classification engineClassification label: mal96.bank.troj.evad.winEXE@15/60@20/0
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
            Source: C:\Users\user\Desktop\111B7Ai1.exeMutant created: \Sessions\1\BaseNamedObjects\Local\BD0F010C-8477-D729-4003-A9471CBE2200
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF9C15FC9074438D44.TMPJump to behavior
            Source: 111B7Ai1.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\111B7Ai1.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
            Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\111B7Ai1.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Users\user\Desktop\111B7Ai1.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\111B7Ai1.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: 111B7Ai1.exeVirustotal: Detection: 40%
            Source: 111B7Ai1.exeReversingLabs: Detection: 39%
            Source: 111B7Ai1.exeString found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
            Source: unknownProcess created: C:\Users\user\Desktop\111B7Ai1.exe 'C:\Users\user\Desktop\111B7Ai1.exe'
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4872 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4872 CREDAT:17416 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4588 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4988 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1224 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4872 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4872 CREDAT:17416 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4588 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4988 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1224 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Users\user\Desktop\111B7Ai1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior

            Data Obfuscation:

            barindex
            Detected unpacking (changes PE section rights)Show sources
            Source: C:\Users\user\Desktop\111B7Ai1.exeUnpacked PE file: 0.2.111B7Ai1.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
            Detected unpacking (overwrites its own PE header)Show sources
            Source: C:\Users\user\Desktop\111B7Ai1.exeUnpacked PE file: 0.2.111B7Ai1.exe.400000.0.unpack
            Source: 111B7Ai1.exeStatic PE information: real checksum: 0x61246 should be: 0x6124e

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.789174500.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790340929.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791211250.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790752420.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787136270.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791277322.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.1029350302.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788213304.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788695574.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790003094.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.784944263.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787668474.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786015495.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788941920.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790636153.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.785644547.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.789837466.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788467555.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791156652.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1206984916.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790903345.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.785285889.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.789653098.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787434301.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790991604.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787949984.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.789427333.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791254661.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786619285.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786359162.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791076029.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790183241.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786881266.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790505771.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 111B7Ai1.exe PID: 2072, type: MEMORY

            Source: C:\Users\user\Desktop\111B7Ai1.exe TID: 4120Thread sleep time: -150000s >= -30000sJump to behavior

            Source: C:\Users\user\Desktop\111B7Ai1.exeMemory protected: page execute read | page execute and read and write | page guardJump to behavior

            Source: 111B7Ai1.exe, 00000000.00000002.1206025448.0000000000C90000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: 111B7Ai1.exe, 00000000.00000002.1206025448.0000000000C90000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: 111B7Ai1.exe, 00000000.00000002.1206025448.0000000000C90000.00000002.00000001.sdmpBinary or memory string: hProgram ManagerWE
            Source: 111B7Ai1.exe, 00000000.00000002.1206025448.0000000000C90000.00000002.00000001.sdmpBinary or memory string: Progmanlock

            Source: C:\Users\user\Desktop\111B7Ai1.exeWMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

            Stealing of Sensitive Information:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.789174500.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790340929.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791211250.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790752420.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787136270.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791277322.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.1029350302.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788213304.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788695574.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790003094.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.784944263.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787668474.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786015495.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788941920.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790636153.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.785644547.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.789837466.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788467555.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791156652.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1206984916.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790903345.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.785285889.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.789653098.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787434301.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790991604.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787949984.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.789427333.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791254661.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786619285.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786359162.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791076029.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790183241.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786881266.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790505771.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 111B7Ai1.exe PID: 2072, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.789174500.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790340929.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791211250.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790752420.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787136270.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791277322.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.1029350302.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788213304.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788695574.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790003094.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.784944263.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787668474.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786015495.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788941920.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790636153.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.785644547.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.789837466.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.788467555.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791156652.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1206984916.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790903345.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.785285889.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.789653098.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787434301.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790991604.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.787949984.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.789427333.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791254661.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786619285.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786359162.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.791076029.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790183241.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.786881266.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.790505771.0000000003470000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 111B7Ai1.exe PID: 2072, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation211Winlogon Helper DLLProcess Injection2Masquerading1Credential DumpingVirtualization/Sandbox Evasion1Application Deployment SoftwareData from Local SystemData CompressedStandard Non-Application Layer Protocol1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Replication Through Removable MediaCommand-Line Interface2Port MonitorsAccessibility FeaturesSoftware Packing21Network SniffingProcess Discovery1Remote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            External Remote ServicesGraphical User Interface1Accessibility FeaturesPath InterceptionDisabling Security Tools1Input CaptureSecurity Software Discovery1Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationCustom Cryptographic ProtocolExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Drive-by CompromiseScheduled TaskSystem FirmwareDLL Search Order HijackingVirtualization/Sandbox Evasion1Credentials in FilesRemote System Discovery1Logon ScriptsInput CaptureData EncryptedMultiband CommunicationSIM Card SwapPremium SMS Toll Fraud
            Exploit Public-Facing ApplicationCommand-Line InterfaceShortcut ModificationFile System Permissions WeaknessProcess Injection2Account ManipulationFile and Directory Discovery1Shared WebrootData StagedScheduled TransferStandard Cryptographic ProtocolManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Spearphishing LinkGraphical User InterfaceModify Existing ServiceNew ServiceDLL Search Order HijackingBrute ForceSystem Information Discovery2Third-party SoftwareScreen CaptureData Transfer Size LimitsCommonly Used PortJamming or Denial of ServiceAbuse Accessibility Features

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 signatures2 2 Behavior Graph ID: 232162 Sample: 111B7Ai1.exe Startdate: 21/05/2020 Architecture: WINDOWS Score: 96 39 Antivirus / Scanner detection for submitted sample 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected  Ursnif 2->43 45 Machine Learning detection for sample 2->45 6 111B7Ai1.exe 2->6         started        10 iexplore.exe 2 87 2->10         started        12 iexplore.exe 1 50 2->12         started        14 2 other processes 2->14 process3 dnsIp4 37 worldwidebars.xyz 6->37 47 Detected unpacking (changes PE section rights) 6->47 49 Detected unpacking (overwrites its own PE header) 6->49 51 Writes or reads registry keys via WMI 6->51 53 2 other signatures 6->53 16 iexplore.exe 30 10->16         started        19 iexplore.exe 29 10->19         started        21 iexplore.exe 29 12->21         started        23 iexplore.exe 29 14->23         started        25 iexplore.exe 29 14->25         started        signatures5 process6 dnsIp7 27 worldwidebars.xyz 16->27 29 worldwidebars.xyz 19->29 31 worldwidebars.xyz 21->31 33 worldwidebars.xyz 23->33 35 worldwidebars.xyz 25->35

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.