
Analysis Report 0pz1on1.dll

Overview

General Information

Sample Name: 0pz1on1.dll
Analysis ID: 320364
MD5: 3bd94cd9d5af80967956a0c2789bf180
SHA1: 7d0b946bfa133ec9c10cb1cca0007139597b2011
SHA256: e9b8536f66aa5222f1979fea40b25b83f2acb487a0ab61a76378a2128efc0420
Tags: dll, gozi, isfb, ursnif

Detection

Ursnif
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Creates a COM Internet Explorer object
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to query CPU information (cpuid)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 3924 cmdline: loaddll32.exe 'C:\Users\user\Desktop\0pz1on1.dll' MD5: 62442CB29236B024E992A556DA72B97A)
  • iexplore.exe (PID: 4852 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 1744 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4852 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6496 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 3120 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6496 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 4464 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5144 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4464 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5028 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2212 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5028 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "version": "250162", "uptime": "217ceL|", "crc": "1", "id": "7239", "user": "253fc4ee08f8d2d8cdc8873a4f316e0b", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.265225077.0000000003A78000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.265393506.0000000003A78000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.265382479.0000000003A78000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.265276332.0000000003A78000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.265331854.0000000003A78000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: loaddll32.exe.3924.0.memstr | Malware Configuration Extractor: Ursnif {"server": "12", "version": "250162", "uptime": "217ceL|", "crc": "1", "id": "7239", "user": "253fc4ee08f8d2d8cdc8873a4f316e0b", "soft": "3"}
Multi AV Scanner detection for submitted file
Source: 0pz1on1.dll | ReversingLabs: Detection: 20%
Machine Learning detection for sample
Source: 0pz1on1.dll | Joe Sandbox ML: detected
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011B523B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: global traffic | HTTP traffic detected:
  GET /images/uwsvkUIzKxnVNIO/1hHERgIZGzO_2Bap_2/F07KJc5Re/tt4zrw9iXOc9md6Mf75y/kxfYNsV0RjT7n0rzu_2/FVrjLW0Lx1_2FNeyWne9gk/0rFmuW9zFu5BV/c7RWa33N/1NgLVJFWI2qb9NTj9vbwwI_/2F2HNzSZxp/DIXVF0dEz33_2BLha/h6wWaOyw/2.avi HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: billinglines.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /images/EuNoqB8rz283d_2F7/B2kFZAZsTPTP/AjxLGzItOQW/LGcQAVabLTNFrn/ibQqX2QKAtaqH2QpDHFdT/6FHFM3jb_2BEx6vj/K0T2UpF9ftSsAhC/WBke3cKFZQASphRr9z/wDAeGeXXF/ciy8TXpgvP0d/PQ9l29nE/m.avi HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: ocsp.sca1b.amazontrust.com
  Connection: Keep-Alive
Source: msapplication.xml0.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x48f1af55,0x01d6be9c</date><accdate>0x48f1af55,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x48f1af55,0x01d6be9c</date><accdate>0x48f1af55,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48f41161,0x01d6be9c</date><accdate>0x48f41161,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48f41161,0x01d6be9c</date><accdate>0x48f41161,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x48f673cb,0x01d6be9c</date><accdate>0x48f673cb,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x48f673cb,0x01d6be9c</date><accdate>0x48f673cb,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: billinglines.com
Source: {8D389D40-2A8F-11EB-90E4-ECF4BB862DED}.dat.21.dr | String found in binary or memory: http://billinglines.com/images/uwsvkUIzKxnVNIO/1hHERgIZGzO_2Bap_2/F07KJc5Re/tt4zrw9iXOc9md6Mf75y/kxf
Source: msapplication.xml.3.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.3.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.3.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.3.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.3.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.3.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.3.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.3.dr | String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.265225077.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265393506.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265382479.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265276332.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265331854.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265300438.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265348911.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265365047.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.476148188.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3924, type: MEMORY
Source: loaddll32.exe, 00000000.00000002.475496592.00000000013FB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.265225077.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265393506.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265382479.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265276332.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265331854.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265300438.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265348911.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265365047.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.476148188.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3924, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01181E57 GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011811EA NtMapViewOfSection,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011823F5 NtQueryVirtualMemory,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011B6066 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011BB10D NtQueryVirtualMemory,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011821D4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011B15CD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011BAEEC
Source: 0pz1on1.dll | Binary or memory string: OriginalFilenameMcx2Prov.exej% vs 0pz1on1.dll
Source: classification engine | Classification label: mal80.bank.troj.winDLL@13/44@2/2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011B5946 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFDB1C02956F83098A.TMP
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 0pz1on1.dll | ReversingLabs: Detection: 20%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\0pz1on1.dll'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4852 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6496 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4464 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5028 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4852 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6496 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4464 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5028 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 0pz1on1.dll | Static PE information: section name: .rdata8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011821C3 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01182170 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000FE1F push edi; retf
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000F45E push ebx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000D70A push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10011316 push edx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10010963 push 6A2E45E0h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1001056C push ds; retf
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000D3C9 push eax; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100115DE push eax; retf
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100061F0 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011BAB20 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011BAEDB push ecx; ret

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.265225077.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265393506.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265382479.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265276332.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265331854.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265300438.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265348911.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265365047.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.476148188.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3924, type: MEMORY
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10001070 EntryPoint,CloseMetaFile,GetWindowTextLengthA,EndDoc,AbortDoc,AbortDoc,GetMenuCheckMarkDimensions,CloseEnhMetaFile,CreateMenu,IsCharAlphaNumericW,GetLastActivePopup,IsIconic,CloseClipboard,CloseFigure,GetMapMode,CharLowerW,DestroyCursor,GetKeyboardLayout,IsWindowVisible,VkKeyScanA,CreatePopupMenu,CancelDC,GetSysColor,CharUpperW,AbortPath,AbortPath,GetKeyState,GetFocus,GetColorSpace,ReleaseCapture,GetDesktopWindow,InSendMessage,UpdateColors,IsGUIThread,CreateSolidBrush,CreateSolidBrush,WindowFromDC,GetLastActivePopup,IsCharUpperW,DestroyMenu,CreateMetaFileA,GetTopWindow,DestroyCursor,GetMessageTime,GetTextCharset,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW
,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCur
Source: C:\Windows\System32\loaddll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe TID: 5420 | Thread sleep count: 58 > 30
Source: C:\Windows\System32\loaddll32.exe TID: 5840 | Thread sleep count: 49 > 30
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011B523B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,
Source: loaddll32.exe, 00000000.00000002.475741198.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.475741198.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.475741198.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.475741198.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011B65CE cpuid
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01181006 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011B65CE RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011810D8 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.265225077.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265393506.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265382479.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265276332.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265331854.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265300438.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265348911.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265365047.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.476148188.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3924, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.265225077.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265393506.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265382479.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265276332.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265331854.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265300438.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265348911.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265365047.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.476148188.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3924, type: MEMORY

Mitre Att&ck Matrix

One column per tactic; the superscript counts from the report (number of matching signatures per technique) are shown in parentheses. Empty cells are left blank.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (2) | Path Interception | Process Injection (2) | Masquerading (1) | Input Capture (1) | System Time Discovery (1) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion (1) | LSASS Memory | Query Registry (1) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (2) | Security Account Manager | Virtualization/Sandbox Evasion (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (1) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (2) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Account Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Owner/User Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery (2) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery (13) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

Behavior Graph

Behavior Graph ID: 320364, Sample: 0pz1on1.dll, Start date: 19/11/2020, Architecture: WINDOWS, Score: 80. The graph image is not reproduced here; the nodes and edges recoverable from it are listed below.

Sample-level signatures:
• Found malware configuration
• Multi AV Scanner detection for submitted file
• Yara detected Ursnif
• Machine Learning detection for sample

Processes started from the sample: loaddll32.exe, iexplore.exe, iexplore.exe, and 2 other processes.

Signatures on loaddll32.exe:
• Writes or reads registry keys via WMI
• Writes registry values via WMI
• Creates a COM Internet Explorer object

Each of the four parent processes started a child iexplore.exe (four children in total). Two of those children contacted network hosts:
• billinglines.com, 195.110.58.42, ports 49731, 49732, 80, AS-HOSTINGERLT, Lithuania
• ocsp.sca1b.amazontrust.com, 143.204.15.36, ports 49749, 49750, 80, AMAZON-02US, United States

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
0pz1on1.dll | 21% | ReversingLabs | Win32.Trojan.Wacatac
0pz1on1.dll | 100% | Joe Sandbox ML |

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

Source | Detection | Scanner | Label
0.2.loaddll32.exe.11b0000.2.unpack | 100% | Avira | HEUR/AGEN.1108168

            Domains

            No Antivirus matches

            URLs

Source | Detection | Scanner | Label
http://billinglines.com/images/uwsvkUIzKxnVNIO/1hHERgIZGzO_2Bap_2/F07KJc5Re/tt4zrw9iXOc9md6Mf75y/kxf | 0% | Avira URL Cloud | safe
http://www.wikipedia.com/ | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
billinglines.com | 195.110.58.42 | true | false | | unknown
ocsp.sca1b.amazontrust.com | 143.204.15.36 | true | false | | unknown

                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://billinglines.com/images/uwsvkUIzKxnVNIO/1hHERgIZGzO_2Bap_2/F07KJc5Re/tt4zrw9iXOc9md6Mf75y/kxf | {8D389D40-2A8F-11EB-90E4-ECF4BB862DED}.dat.21.dr | false | Avira URL Cloud: safe | unknown
http://www.wikipedia.com/ | msapplication.xml6.3.dr | false | URL Reputation: safe | unknown
http://www.amazon.com/ | msapplication.xml.3.dr | false | | high
http://www.nytimes.com/ | msapplication.xml3.3.dr | false | | high
http://www.live.com/ | msapplication.xml2.3.dr | false | | high
http://www.reddit.com/ | msapplication.xml4.3.dr | false | | high
http://www.twitter.com/ | msapplication.xml5.3.dr | false | | high
http://www.youtube.com/ | msapplication.xml7.3.dr | false | | high

                            Contacted IPs


                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
195.110.58.42 | unknown | Lithuania | 47583 | AS-HOSTINGERLT | false
143.204.15.36 | unknown | United States | 16509 | AMAZON-02US | false

                            General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 320364
Start date: 19.11.2020
Start time: 09:46:44
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 16s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 0pz1on1.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.bank.troj.winDLL@13/44@2/2
EGA Information: Failed
                            HDC Information:
                            • Successful, ratio: 40.4% (good quality ratio 39.2%)
                            • Quality average: 80.8%
                            • Quality standard deviation: 26.5%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .dll
                            Warnings:
                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe
                            • Excluded IPs from analysis (whitelisted): 184.24.15.126, 65.55.44.109, 40.88.32.150, 51.104.139.180, 23.54.113.104, 152.199.19.161, 20.54.26.129, 168.61.161.212, 51.104.144.132, 23.10.249.43, 23.10.249.26, 104.43.193.48, 52.255.188.83, 13.88.21.125, 104.43.139.144
                            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, skypedataprdcoleus15.cloudapp.net, go.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs.microsoft.com, ie9comview.vo.msecnd.net, global.vortex.data.trafficmanager.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, web.vortex.data.trafficmanager.net, web.vortex.data.microsoft.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, go.microsoft.com.edgekey.net, skypedataprdcolwus15.cloudapp.net, cs9.wpc.v0cdn.net
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryAttributesFile calls found.
                            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/320364/sample/0pz1on1.dll

                            Simulations

                            Behavior and APIs

                            No simulations

                            Joe Sandbox View / Context

                            IPs

Match | Associated Sample Name / URL | Detection
143.204.15.36 | Where are the female CEOs.docx | malicious
 | https://www.jottacloud.com/s/192d9a10b7288404ad1a42236e9c9967aed | malicious
 | https://secure.adobecloudshare.ga/share/Kw0FfR8HBn96bAh2BDSZgfAMGBgRmaiw1KS0sNUwBAQVjbmZzbyYSC0FVQkc2BNTwUNDU9IFtVcXQray4uIT88P052BXkABPDsoNi47JFwQclg2/?office=quanvo@deloitte.com | malicious

                                  Domains


                                  ASN


                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6B359699-2A8F-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 29272
Entropy (8bit): 1.7702259678801398
Encrypted: false
SSDEEP: 48:IwgGcpr5GwpLlG/ap8OrGIpcn4GvnZpvnFGo/qp9nTGo4VpmnJGWpPyGWLT6p4GP:rEZzZB2O9WnRtnofnEVMnFuiHB
MD5: 156E692BF0C310B80D065D6C9ACD2ECD
SHA1: 29480C7045763B07E4EB98E5FE1160DCFAE79DC0
SHA-256: D85B4AEBE70CCF73654E0F0DC06503490108D1756FC910B903CB155AFE6783CA
SHA-512: 99AD45682A8B135FF2BD71803D76FEFC49E307D5C149ED24DE99A5B85720E6613BB525E3527825C5CFFF902A5FFE818FEBA13DC851F15BBD5F2ED46168E83204
Malicious: false
Reputation: low
                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8D389D3E-2A8F-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 29272
Entropy (8bit): 1.7674820833295641
Encrypted: false
SSDEEP: 48:Iw4GcprZGwpLfsG/ap8fGorGIpcfrmKUGvnZpvfrmzGodqp9frmgGo4hpmfrmTGt:rMZTZG2V9WTmGtTmIfTmjhMTmRWltB
MD5: 1EDA4C84D58B71F3E3FA8435A4175994
SHA1: 1CBA78FA58683C00A3C918AB433DB1EF9E8E39AB
SHA-256: 717B3051545F68570C74AD8FA182660D30D4D50D8DE425ADBBDDF16199A0D9A7
SHA-512: 4B6484B3C43954F4FC4A8C6818445D735E351F63029BF703EDBFBFAC8A36EEC6B5CCF94683A8304D1A9AC661F2067A400F11B73AA7D48D414BE119CF6712CCCF
Malicious: false
Reputation: low
                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9B0ABCCC-2A8F-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 29272
Entropy (8bit): 1.773036646978712
Encrypted: false
SSDEEP: 48:IwDGcpr2GwpLiG/ap8DrGIpcPzGvnZpvPLGogqp9P5Go4xpmPGGWuOHGWcT6p5G/:r5ZuZI2D9WP0tPRfPaxMPcDoxB
MD5: 7E33C55C1B36200335D51CB7D1BC6FAB
SHA1: 5EFC490E6396E19F952DDDF74BB5D1A0990A7C52
SHA-256: 45C66D8EACB83D4A7361A09EECD1F96528D966A59E945084DD37E98D5C5262D0
SHA-512: 242EBC98836A405A95BA1B520CD471B9DEC331C32FEB2060AADDDB208CDFBC1A5439498A8DE6D84B12A4EF04A63C097EF4674A0FE8CCABD09B02C509FDAF7553
Malicious: false
Reputation: low
                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AD7B6B22-2A8F-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 29272
Entropy (8bit): 1.7736256327275017
Encrypted: false
SSDEEP: 48:IwWGcprnGwpLzG/ap8mrGIpcfuKGvnZpvfuTGoKqp9fupGo4NpmfRQGWAQNGWKTg:rKZxZT2m9WfctfAffTNMf0w0vB
MD5: E4FA8619441F28158107A7CC226DF999
SHA1: 4642B30B3D675D6C79AE54F4A49E785793F4C24F
SHA-256: 05BB1F6DA7C2D28C3CFC29EA1B62D4EB93067FC8422B025E02ECF9132CA13F34
SHA-512: 4285EAE12BF61A2F73A53F1533E6CF215687C0A0D6F2BAB820209E9786EAB213E7E2579FE61DA5FBB9F4526014B3A533AE34B1210C229E90DC2AFBFA8202F79D
Malicious: false
                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6B35969B-2A8F-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 27292
Entropy (8bit): 1.8148624617600733
Encrypted: false
SSDEEP: 48:IwLGcpr6GwpaAG4pQ4GrapbScrGQpBaGHHpcYsTGUp8TGzYpmXYYGopsxJ6Yct8h:rRZiQg6GBScFjh2YkWJMIYuWpRW7mA
MD5: ED2AE20F3BACF14448B34B4847330C7D
SHA1: DD51D88648A7AD7CC93E56A1C0D6900DCE1BE589
SHA-256: 23303BDF0FE14B61C84C5E5B15F16ABE50E22DB4870B233638E140ACD5F06D91
SHA-512: D041A54DC42E407552D46434F0FCBA3921BB98041E9636983651C0FD65F229ADBFA25236C905930B55DCBD9E522DFA822AB34516BE14C7BB178710834271FCD9
Malicious: false
                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8D389D40-2A8F-11EB-90E4-ECF4BB862DED}.dat
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:Microsoft Word Document
                                  Category:dropped
                                  Size (bytes):27324
                                  Entropy (8bit):1.8273581827480831
                                  Encrypted:false
                                  SSDEEP:96:r7ZaQi6fBSZFjC2dkW+MhYOg3hRg323GA:r7ZaQi6fkZFjC2dkW+MhYOgxRgG3GA
                                  MD5:88BFBF97FAF13DDA7A5EABC79ABA0022
                                  SHA1:169733E793BB108F5E177A63FCD34904C88173D5
                                  SHA-256:EF9829E71904C99528D847532439A1B9F63D8A782EB5927A318CB834B87EF5D1
                                  SHA-512:75E4733887B92B5E056E1A6EC1F6FA1D8DC29FF2B1486C5350A9D3FD8CEA0D54870BA34B8087396364A43C48F311B4C88F87B279DF81444738C91D62E85FE6C2
                                  Malicious:false
                                  Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9B0ABCCE-2A8F-11EB-90E4-ECF4BB862DED}.dat
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:Microsoft Word Document
                                  Category:dropped
                                  Size (bytes):27292
                                  Entropy (8bit):1.8158237871349694
                                  Encrypted:false
                                  SSDEEP:96:raZdQl6nBSd6Fjx2RkWwMbYutnuLRRtnuLqmA:raZdQl6nkEFjx2RkWwMbYutQRtVmA
                                  MD5:E9F9D717ADC9EE1D9A7CF1E2A9A9BEB0
                                  SHA1:B5CD3040BF411F84942C5D26F08F009947FC833B
                                  SHA-256:7A050EB709E5E86141DFD2FEFD7C0303C779D2708B2B4600EF5FCFED00108360
                                  SHA-512:B76264C0DAADC7DE958C97F1D95CE486406C0490A4800E6E45A8814FA816818CC2BA6E500B1CC1935DBB516595419EBAF3D2E9B7EAB3E936E58C62CF2D2FD434
                                  Malicious:false
                                  Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AD7B6B24-2A8F-11EB-90E4-ECF4BB862DED}.dat
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:Microsoft Word Document
                                  Category:dropped
                                  Size (bytes):19032
                                  Entropy (8bit):1.5960414385549302
                                  Encrypted:false
                                  SSDEEP:48:IweGcprXGwpaXG4pQbGrapbSEcrGQpBlwGHHpcl1sTGUpQlzrGcpm:rCZBQZ6PBSEcFjlf2l1k6lNg
                                  MD5:93E5AB0ACD821C43CE376B0FABEFAB93
                                  SHA1:8569A7B3377B518F6394128E59AB49177C8000AD
                                  SHA-256:E00DFD463A7723B812E5EA52431F9501D189F7F4698569379235248308D75727
                                  SHA-512:4E70AB3C1C0919BC3BF8923673E35128BD4A9FB2BD875C9B64EA292D5191826FEB03B8F88048AB7E666754A281E77062219CE94680C55B6E95AF8E2C29A296CB
                                  Malicious:false
                                  Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):656
                                  Entropy (8bit):5.104664058106168
                                  Encrypted:false
                                  SSDEEP:12:TMHdNMNxOEwPAaMPAAnWimI002EtM3MHdNMNxOEwPAaMPAAnWimI00ObVbkEtMb:2d6NxO5A/AASZHKd6NxO5A/AASZ76b
                                  MD5:6C8A496DF5142B282E7AE8105F8E4F22
                                  SHA1:7B1559A5CE6A561BD17DB0FB28EFD8A8BA21A19C
                                  SHA-256:CCD5C15A4363CE47B98C25E00EE72D54C541BA7953D071AA9FCCB7098D4FFDF3
                                  SHA-512:E010822593484948C49C121CB5411AE90B9262C3B59FA2FC983A46B6A44C6D839E281A07F20665BFE8F4E0FCAB3B5729F6BFCAD3BEF2107EF6558294CB653C7E
                                  Malicious:false
                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48f41161,0x01d6be9c</date><accdate>0x48f41161,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48f41161,0x01d6be9c</date><accdate>0x48f41161,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..
                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):653
                                  Entropy (8bit):5.105893673607458
                                  Encrypted:false
                                  SSDEEP:12:TMHdNMNxe2kwvJIMvJqnWimI002EtM3MHdNMNxe2kwvJIMvJqnWimI00Obkak6Es:2d6NxrpjESZHKd6NxrpjESZ7Aa7b
                                  MD5:6F34A888CA43A132BD51B8487D7B7608
                                  SHA1:FE68CD6D9818E898C747B8FA1FE16257B8ECC8FB
                                  SHA-256:448240B2AF430CA688357A7AFEF6B4D636835C551FCBD2CFD24EE584DAAAF546
                                  SHA-512:B3AAADCC0677E4CCA5D67761A686D3CDA8985ABED3B612929F2DDAE0CE5D55C9325D12EAEDE151F5A60BC23CD8979A88523C0B5416026A2C94471B49CD5FF730
                                  Malicious:false
                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x48ef4cf0,0x01d6be9c</date><accdate>0x48ef4cf0,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x48ef4cf0,0x01d6be9c</date><accdate>0x48ef4cf0,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..
                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):662
                                  Entropy (8bit):5.133992913793655
                                  Encrypted:false
                                  SSDEEP:12:TMHdNMNxvLwLMbnWimI002EtM3MHdNMNxvLwLMbnWimI00ObmZEtMb:2d6NxvBSZHKd6NxvBSZ7mb
                                  MD5:668C77A8F02C9A2CA3804D701AB3DF26
                                  SHA1:E989A4234C09039E41A9F4386506A92830F92AD1
                                  SHA-256:AC40FA129BFA5B063D62413D730C7BD54AF3BC0FF016E518CC8A828C9125DCAE
                                  SHA-512:A8DF4EF96BDCE49CE2619124265D19E67E086A5D88DA37E9670855FB3BB4795EDAA190E8AFE2AE423476B8E62CFD426C3AE4FDD942A927807111E9A48E1CCACC
                                  Malicious:false
                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x48f673cb,0x01d6be9c</date><accdate>0x48f673cb,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x48f673cb,0x01d6be9c</date><accdate>0x48f673cb,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..
                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):647
                                  Entropy (8bit):5.125626281580829
                                  Encrypted:false
                                  SSDEEP:12:TMHdNMNxiwSMonWimI002EtM3MHdNMNxiwSMPAAnWimI00Obd5EtMb:2d6NxkSZHKd6NxTAASZ7Jjb
                                  MD5:B539DD3C11ACF8A4ADC5833E3690072F
                                  SHA1:55E38780D6EAD4080C0F43DE4845ACE3A6DDDA3E
                                  SHA-256:E47E75FA01D0D4F8460458C4030D64311F28DDDBA3E1C3320E6B97883948E0DA
                                  SHA-512:1619EE26C5FB696F2815BD23903D95215599AB71892FBE2C115BDDB311D4D906F38E62BF245C76C3716F51A434EC79185770A42913234C6D9E6D9F73FBAF9DFD
                                  Malicious:false
                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x48f1af55,0x01d6be9c</date><accdate>0x48f1af55,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x48f1af55,0x01d6be9c</date><accdate>0x48f41161,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..
                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):656
                                  Entropy (8bit):5.142936092286318
                                  Encrypted:false
                                  SSDEEP:12:TMHdNMNxhGwwLMbnWimI002EtM3MHdNMNxhGwwLMbnWimI00Ob8K075EtMb:2d6NxQoSZHKd6NxQoSZ7YKajb
                                  MD5:7DE46CCB4E962BE0A878E1D938EBD0A9
                                  SHA1:C255890492AEB6B635774A29851AC03F52818C3C
                                  SHA-256:5267FACC0C180D6EF8E01BA08CD9D91FC362BE07A8A18F15711E1B8AFCAE5FB3
                                  SHA-512:486CF8CF5081B5AF8B965EDB5B482ACFEF597930C5B7F0CE65059BDCA7ABF2FBD072AB778D99B2881163C267CB9CA3081E83A448C32F2C6BC3B64B3611C2D20E
                                  Malicious:false
                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x48f673cb,0x01d6be9c</date><accdate>0x48f673cb,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x48f673cb,0x01d6be9c</date><accdate>0x48f673cb,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..
                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):653
                                  Entropy (8bit):5.107882293026485
                                  Encrypted:false
                                  SSDEEP:12:TMHdNMNx0nwPAaMPAAnWimI002EtM3MHdNMNx0nwPAaMPAAnWimI00ObxEtMb:2d6Nx0eA/AASZHKd6Nx0eA/AASZ7nb
                                  MD5:B7F257F0E8379402C918FDC983CD50C6
                                  SHA1:D1ACBA425404414130D39769DA8B05316C19DF13
                                  SHA-256:98B0571DC3E90813965B22BE89803AFC7493FB203A971C9DD9DD96AB0AE458C2
                                  SHA-512:00B96904667DBBCDEB614D0796C1A9A35E070F55A44A489F1CCA0220B0564F880BC9A177648FEBA76BBB8C2971B53BDBB2D8D2000B347570ECED2517B2521D29
                                  Malicious:false
                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x48f41161,0x01d6be9c</date><accdate>0x48f41161,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x48f41161,0x01d6be9c</date><accdate>0x48f41161,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..
                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):656
                                  Entropy (8bit):5.145087759376865
                                  Encrypted:false
                                  SSDEEP:12:TMHdNMNxxwPAaMPAAnWimI002EtM3MHdNMNxxwPAaMPAAnWimI00Ob6Kq5EtMb:2d6NxsA/AASZHKd6NxsA/AASZ7ob
                                  MD5:F5DDD7D8F6E9EAEBE683AC0432B6D8D5
                                  SHA1:79E5C5D07B97CFE4D47B073CBF43228E07C3755B
                                  SHA-256:3D612F12DA05D3ADE07F6704383936D1DFFB953289FBD51B729B11A64BD6EF45
                                  SHA-512:3FB04FF0385020CA70CFD1FAD33CF95A6B1654E6CBAACEA5CD40CA28FE9834D5D98BAAA9CC7FEA44E2A862650C904023E1D4D64CDB98B3F9E7884111034CD962
                                  Malicious:false
                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x48f41161,0x01d6be9c</date><accdate>0x48f41161,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x48f41161,0x01d6be9c</date><accdate>0x48f41161,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..
                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):659
                                  Entropy (8bit):5.119586733711321
                                  Encrypted:false
                                  SSDEEP:12:TMHdNMNxcwSMonWimI002EtM3MHdNMNxcwSMonWimI00ObVEtMb:2d6Nx+SZHKd6Nx+SZ7Db
                                  MD5:9653C95F64293251FDFD2B37E8C9FD87
                                  SHA1:05F6E309D65E51268BE070967F2207C4FC7B34C0
                                  SHA-256:746E495724D7C5E2F7465E07226885FBE581C9234FDACA15060953B3C8135457
                                  SHA-512:91B9B40A1F8FB81CC2DF2A55F729D4C45A2DFA73179432489A73824D3606F75F3F941202B22979C228344E34E7B6834164FE838B63853EF0363C55A592909DEB
                                  Malicious:false
                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x48f1af55,0x01d6be9c</date><accdate>0x48f1af55,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x48f1af55,0x01d6be9c</date><accdate>0x48f1af55,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..
                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):653
                                  Entropy (8bit):5.107105400201478
                                  Encrypted:false
                                  SSDEEP:12:TMHdNMNxfnwSMonWimI002EtM3MHdNMNxfnwSMonWimI00Obe5EtMb:2d6NxTSZHKd6NxTSZ7ijb
                                  MD5:C2C0F75BF4439B04599CF24C41FF54C3
                                  SHA1:2F6ACEBA1D27D9947E5F57C2C51CF57D816F6E96
                                  SHA-256:3325D266EB62263CF550DE60F15C8427B0317E3D274EEE877BF2C15DC75A3B66
                                  SHA-512:2498952295A821E5EB64F8CB1E864833906374B95F870355978C6D5F1D862DC171583848604603D40147FB177D639F32FC2F9D15B59CE7243DF27960A001D5F1
                                  Malicious:false
                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x48f1af55,0x01d6be9c</date><accdate>0x48f1af55,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x48f1af55,0x01d6be9c</date><accdate>0x48f1af55,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..
                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\NewErrorPageTemplate[1]
                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1612
                                  Entropy (8bit):4.869554560514657
                                  Encrypted:false
                                  SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                                  MD5:DFEABDE84792228093A5A270352395B6
                                  SHA1:E41258C9576721025926326F76063C2305586F76
                                  SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                                  SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                                  Malicious:false
                                  Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\down[1]
                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                  File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                  Category:downloaded
                                  Size (bytes):748
                                  Entropy (8bit):7.249606135668305
                                  Encrypted:false
                                  SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                  MD5:C4F558C4C8B56858F15C09037CD6625A
                                  SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                  SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                  SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                  Malicious:false
                                  IE Cache URL:res://ieframe.dll/down.png
                                  Preview: .PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.
                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\errorPageStrings[1]
                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                  Category:downloaded
                                  Size (bytes):4720
                                  Entropy (8bit):5.164796203267696
                                  Encrypted:false
                                  SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                                  MD5:D65EC06F21C379C87040B83CC1ABAC6B
                                  SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                                  SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                                  SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                                  Malicious:false
                                  IE Cache URL:res://ieframe.dll/errorPageStrings.js
                                  Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\httpErrorPagesScripts[1]
                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):12105
                                  Entropy (8bit):5.451485481468043
                                  Encrypted:false
                                  SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                                  MD5:9234071287E637F85D721463C488704C
                                  SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                  SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                  SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                  Malicious:false
                                  Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\NewErrorPageTemplate[1]
                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1612
                                  Entropy (8bit):4.869554560514657
                                  Encrypted:false
                                  SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                                  MD5:DFEABDE84792228093A5A270352395B6
                                  SHA1:E41258C9576721025926326F76063C2305586F76
                                  SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                                  SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                                  Malicious:false
                                  Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dnserror[1]
                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                  File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                  Category:downloaded
                                  Size (bytes):2997
                                  Entropy (8bit):4.4885437940628465
                                  Encrypted:false
                                  SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                                  MD5:2DC61EB461DA1436F5D22BCE51425660
                                  SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                                  SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                                  SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                                  Malicious:false
                                  IE Cache URL:res://ieframe.dll/dnserror.htm?ErrorStatus=0x800C0008
                                  Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\errorPageStrings[1]
                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4720
                                  Entropy (8bit):5.164796203267696
                                  Encrypted:false
                                  SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                                  MD5:D65EC06F21C379C87040B83CC1ABAC6B
                                  SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                                  SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                                  SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                                  Malicious:false
                                  Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\httpErrorPagesScripts[1]
                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                  Category:downloaded
                                  Size (bytes):12105
                                  Entropy (8bit):5.451485481468043
                                  Encrypted:false
                                  SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                                  MD5:9234071287E637F85D721463C488704C
                                  SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                  SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                  SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                  Malicious:false
                                  IE Cache URL:res://ieframe.dll/httpErrorPagesScripts.js
                                  Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\NewErrorPageTemplate[1]
                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                  Category:downloaded
                                  Size (bytes):1612
                                  Entropy (8bit):4.869554560514657
                                  Encrypted:false
                                  SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                                  MD5:DFEABDE84792228093A5A270352395B6
                                  SHA1:E41258C9576721025926326F76063C2305586F76
                                  SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                                  SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                                  Malicious:false
                                  IE Cache URL:res://ieframe.dll/NewErrorPageTemplate.css
                                  Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\down[1]
                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                  File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                  Category:dropped
                                  Size (bytes):748
                                  Entropy (8bit):7.249606135668305
                                  Encrypted:false
                                  SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                  MD5:C4F558C4C8B56858F15C09037CD6625A
                                  SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                  SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                  SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                  Malicious:false
                                  Preview: .PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.
                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\httpErrorPagesScripts[1]
                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):12105
                                  Entropy (8bit):5.451485481468043
                                  Encrypted:false
                                  SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                                  MD5:9234071287E637F85D721463C488704C
                                  SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                  SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                  SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                  Malicious:false
                                  Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\m[1].avi
                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                  File Type:data
                                  Category:downloaded
                                  Size (bytes):5
                                  Entropy (8bit):2.321928094887362
                                  Encrypted:false
                                  SSDEEP:3:3:3
                                  MD5:5BFA51F3A417B98E7443ECA90FC94703
                                  SHA1:8C015D80B8A23F780BDD215DC842B0F5551F63BD
                                  SHA-256:BEBE2853A3485D1C2E5C5BE4249183E0DDAFF9F87DE71652371700A89D937128
                                  SHA-512:4CD03686254BB28754CBAA635AE1264723E2BE80CE1DD0F78D1AB7AEE72232F5B285F79E488E9C5C49FF343015BD07BB8433D6CEE08AE3CEA8C317303E3AC399
                                  Malicious:false
                                  IE Cache URL:http://ocsp.sca1b.amazontrust.com/images/EuNoqB8rz283d_2F7/B2kFZAZsTPTP/AjxLGzItOQW/LGcQAVabLTNFrn/ibQqX2QKAtaqH2QpDHFdT/6FHFM3jb_2BEx6vj/K0T2UpF9ftSsAhC/WBke3cKFZQASphRr9z/wDAeGeXXF/ciy8TXpgvP0d/PQ9l29nE/m.avi
                                  Preview: 0....
                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\dnserror[1]
                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                  File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                  Category:downloaded
                                  Size (bytes):2997
                                  Entropy (8bit):4.4885437940628465
                                  Encrypted:false
                                  SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                                  MD5:2DC61EB461DA1436F5D22BCE51425660
                                  SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                                  SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                                  SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                                  Malicious:false
                                  IE Cache URL:res://ieframe.dll/dnserror.htm?ErrorStatus=0x800C0005&DNSError=9002
                                  Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\dnserror[2]
                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                  File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                  Category:downloaded
                                  Size (bytes):2997
                                  Entropy (8bit):4.4885437940628465
                                  Encrypted:false
                                  SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                                  MD5:2DC61EB461DA1436F5D22BCE51425660
                                  SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                                  SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                                  SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                                  Malicious:false
                                  IE Cache URL:res://ieframe.dll/dnserror.htm?ErrorStatus=0x800C0005&DNSError=0
                                  Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\down[1]
                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                  File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                  Category:dropped
                                  Size (bytes):748
                                  Entropy (8bit):7.249606135668305
                                  Encrypted:false
                                  SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                  MD5:C4F558C4C8B56858F15C09037CD6625A
                                  SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                  SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                  SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                  Malicious:false
                                  Preview: .PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.
                                  C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:modified
                                  Size (bytes):89
                                  Entropy (8bit):4.42357097083791
                                  Encrypted:false
                                  SSDEEP:3:oVXVPxFVcfRz3m48JOGXnFPxFVcfRz3bUCn:o9F25z3bqV25z3bUC
                                  MD5:E549CF1345A5E1416907BD4A31550193
                                  SHA1:85D54A445F723EB7FD7D0CFDC609D09ED41F6D38
                                  SHA-256:C7B0F6B6B233DE0C4ED6BF99473F1407C04EB47144C6BBE70C1F456C2A494639
                                  SHA-512:D9EB28A9C8660335BD62F481727B30B69306F4BCC9916E9ACB728A9FFD321083B1A1802AD7AED69207B453DBB75B090717599681CA7B68C2C508166C488809BB
                                  Malicious:false
                                  Preview: [2020/11/19 09:49:45.448] Latest deploy version: ..[2020/11/19 09:49:45.448] 11.211.2 ..
                                  C:\Users\user\AppData\Local\Temp\~DF22103AC392F61390.TMP
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):39481
                                  Entropy (8bit):0.5364914000562735
                                  Encrypted:false
                                  SSDEEP:96:kBqoxKAuvScS+WQKjQKtnuLetnuLqtnuL7:kBqoxKAuqR+WQKjQKtBtxtW
                                  MD5:A3CC9AA0E1552246B7909AF375A2B06F
                                  SHA1:5D38B200B9F6017EAE02DEEF99C6A994358CAACA
                                  SHA-256:022C2249D7927396EF940ED6BE4D29DC7D8235B8B4FBF3B067B8801B99B9004C
                                  SHA-512:A1B7E37EA1DE44691BE209768ED5891A76EEA45F7B0C6175FAEE2EC1FB78A5A94AADA7CB0D4A6FF5C2EC61A5C80DBE19AE04066BA11028D5E829E888D5D3D64A
                                  Malicious:false
                                  Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  C:\Users\user\AppData\Local\Temp\~DF35CB6A5435A64CBC.TMP
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):12933
                                  Entropy (8bit):0.4079781348922678
                                  Encrypted:false
                                  SSDEEP:24:c9lLh9lLh9lIn9lIn9lofd/rF9lofd/R9lWfd/k0r8a:kBqoIfkfafS+N
                                  MD5:682EEE70BF9FB50AF87A5B89A74E375F
                                  SHA1:E2AA9A91B0253DD9ABA93AC599FE8443FD044C88
                                  SHA-256:918689D720A019B1C958416B6B2E3971ED3B63A3883B2D703C356878FD58E704
                                  SHA-512:E0D38010F066ABCF7B5183BACAA55C12C0B7C3E0204B63FE4A30E47CF66F45AA5C894AF42FEE28CE5C729332AB7E5A7CD05CDB3F0636E3A0E977EA70F00389C9
                                  Malicious:false
                                  Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  C:\Users\user\AppData\Local\Temp\~DF413BF6AC960E1A11.TMP
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):39481
                                  Entropy (8bit):0.5378660743222184
                                  Encrypted:false
                                  SSDEEP:48:kBqoxKAuvScS+OIirXIXSxJ6YctYxJ6YctcxJ6YctV:kBqoxKAuvScS+OIir4CWKWOWf
                                  MD5:33D994A22E2BFC472865EDD49A6D4EFA
                                  SHA1:1B3B3CFF183F8D94327B5D6D7227DB1972A8C413
                                  SHA-256:D72C674D88DA60D5417314CEC612167355E75E9A2EECECCF8EC90634810914CD
                                  SHA-512:B23115E0585DCB75EC4B399106A4F61BEF6AB6644B084CB149542FBE6E63B2D236EFF64E93088E2FA11BC9B10B3AC3FC7BF298CD4F87F702AFAD14A0CEBD2580
                                  Malicious:false
                                  Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  C:\Users\user\AppData\Local\Temp\~DF76703774B46533F1.TMP
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):12933
                                  Entropy (8bit):0.40963660620994535
                                  Encrypted:false
                                  SSDEEP:24:c9lLh9lLh9lIn9lIn9loCF9lo+9lWKfOrZzxfOrOzl:kBqoIJfKWVxWEl
                                  MD5:3E034324E1A00D4E3B3D5AB44DF5336A
                                  SHA1:DEA5CE0909AC90AF0EA0963389886A0306EC4BBB
                                  SHA-256:965A8CC7CF98FBD2071681FCB4AE3526106783C6E81486E4BAEE9B065FE26E68
                                  SHA-512:4A82740836E4FA18E4DF0A1FE165F95C4A101FEC2DD44B1A0F9A8F5C5F2BAB6222418827A6CFDC31A8964075C114356B787CE6B4BA2D9C516D130A563FF67ADC
                                  Malicious:false
                                  Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  C:\Users\user\AppData\Local\Temp\~DF8E8C67F93159E081.TMP
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):29989
                                  Entropy (8bit):0.3277343734892887
                                  Encrypted:false
                                  SSDEEP:24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwlp9lwlJ9l2lf/9l2lj:kBqoxKAuvScS+lKlslf+lalzy
                                  MD5:0DBD2445112DDFFE8A0B533237536FC9
                                  SHA1:A1D562A7082D25D2646B8FE464F3C6DE93A2F7EC
                                  SHA-256:1E0089985099743BD093576063A6FCDB6A2D1CB424B74FCB67C77A72432EFC5B
                                  SHA-512:38974283CC062CC51EE3E7953FEF728677CE0F852B255F16D58D9AF491F0206ECB97D83E1697B2A924DAB7D8917DDE38D469034BDC7776DFDC8BD9E73590F7F6
                                  Malicious:false
                                  C:\Users\user\AppData\Local\Temp\~DFA95841F9D467E700.TMP
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):39545
                                  Entropy (8bit):0.5515732971953758
                                  Encrypted:false
                                  SSDEEP:48:kBqoxKAuvScS+LFX+KIKygOm6ByLzML4gOm6ByLzMLcgOm6ByLzMLV:kBqoxKAuvScS+LFX+Fbg3Lg3Dg3I
                                  MD5:C65A1B88BBE699C52530842165A11C40
                                  SHA1:967B3B908AD216DBBD0D5491559C831F490F5843
                                  SHA-256:BBC4FD50BEBB5951F13084B2BB8F14E97AE95AA502F6D383A877715F03609153
                                  SHA-512:8455ADEDB71D81D73CEA7EF3EC689FA248453EB7FD54C54BB8BF0BCD2E24EAF91914448EC8D2F8B3271834AF9D39BC6173F3E046A5CF172A4D116626E6BC88A7
                                  Malicious:false
                                  C:\Users\user\AppData\Local\Temp\~DFDB1C02956F83098A.TMP
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):12933
                                  Entropy (8bit):0.4088109578980026
                                  Encrypted:false
                                  SSDEEP:24:c9lLh9lLh9lIn9lIn9lolcF9lolc9lWlkiWU:kBqoI97HWU
                                  MD5:92D94790AB6214264AE7B21CB9B9BB9D
                                  SHA1:47D96221E552C14E5505C32CAF823EB6C517FC52
                                  SHA-256:3D968333B7D9E0AD1B53BB3C01EA319E5408395B264EA5C99CF2447972DFFAC4
                                  SHA-512:41A3F644788B21BA0C82ABC1B6804F4F6EEFA80F9553306AF0F16CDBE71B1008213655064A777CB2077949A5DC57390B11C3B380EA970B4A1D725D3F327C866A
                                  Malicious:false
                                  C:\Users\user\AppData\Local\Temp\~DFE636D75B21CCA5EF.TMP
                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):12933
                                  Entropy (8bit):0.40973288027612026
                                  Encrypted:false
                                  SSDEEP:24:c9lLh9lLh9lIn9lIn9louF9loS9lWv3WY1:kBqoINLv3t
                                  MD5:2035A5D0FDA4347F59A4038E63541CD7
                                  SHA1:B76430B36A96CCFC6BC0795A1E67E0159F3DC5C6
                                  SHA-256:A490EDADAEE6AA65710E04100379AFFE370E40A41C15319FB5DA6DC5BAA36A36
                                  SHA-512:36E074D9EAFD05668D313AAEF7F56BA317DFBE64F9DA4C72C4AFFBD013E7974CE7323A5E2E2E51E5CC7D952416592EBB923A3803FB8C84F1125E5DEF05FB478D
                                  Malicious:false

                                  Static File Info

                                  General

                                  File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):4.2139881269412145
                                  TrID:
                                  • Win32 Dynamic Link Library (generic) (1002004/3) 99.39%
                                  • Win16/32 Executable Delphi generic (2074/23) 0.21%
                                  • Generic Win/DOS Executable (2004/3) 0.20%
                                  • DOS Executable Generic (2002/1) 0.20%
                                  • VXD Driver (31/22) 0.00%
                                  File name:0pz1on1.dll
                                  File size:552448
                                  MD5:3bd94cd9d5af80967956a0c2789bf180
                                  SHA1:7d0b946bfa133ec9c10cb1cca0007139597b2011
                                  SHA256:e9b8536f66aa5222f1979fea40b25b83f2acb487a0ab61a76378a2128efc0420
                                  SHA512:610e44c03c8a7ec8a59825a32ec349576474abd4888aed3efcf89799c020b53d89d4ab0309aa78452bbdf9f7b2fe463c312d8c18e2901d8335c4df02df73cddc
                                  SSDEEP:1536:Ab4BFsd/uqUfnLwBH+AwDD41UPY1NvFQJZWBte:AbkFq/uqUfnbHqtQ+Bg
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....)._...........!...2.V..........p........p.............................................................................

                                  File Icon

                                  Icon Hash:74f0e4ecccdce0e4

                                  Static PE Info

                                  General

                                  Entrypoint:0x10001070
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x10000000
                                  Subsystem:windows gui
                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
                                  DLL Characteristics:
                                  Time Stamp:0x5FB62906 [Thu Nov 19 08:12:54 2020 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:18cb5c18face4302b794af9a2931a4bc

                                  Entrypoint Preview

                                  Instruction
                                  push ebp
                                  mov ebp, esp
                                  sub esp, 3Ch
                                  mov edx, dword ptr [ebp+08h]
                                  mov dword ptr [1000B3B8h], edx
                                  mov dword ptr [1000B398h], ebp
                                  mov dword ptr [ebp-1Ch], 00000001h
                                  mov dword ptr [ebp-24h], 00000001h
                                  mov dword ptr [ebp-34h], 00000001h
                                  mov dword ptr [ebp-0Ch], 00000001h
                                  mov dword ptr [ebp-18h], 00000001h
                                  mov dword ptr [ebp-20h], 00000001h
                                  mov dword ptr [ebp-30h], 00000001h
                                  mov dword ptr [ebp-08h], 00000001h
                                  mov dword ptr [ebp-14h], 00000001h
                                  mov dword ptr [ebp-28h], 00000001h
                                  mov dword ptr [ebp-10h], 00000001h
                                  mov dword ptr [ebp-2Ch], 00000001h
                                  mov dword ptr [ebp-04h], 00000001h
                                  mov eax, dword ptr [ebp-04h]
                                  push eax
                                  call dword ptr [1000ADA0h]
                                  mov ecx, dword ptr [ebp-04h]
                                  push ecx
                                  call dword ptr [1000ACF4h]
                                  mov edx, dword ptr [ebp-34h]
                                  push edx
                                  call dword ptr [1000ADA4h]
                                  mov eax, dword ptr [ebp-04h]
                                  push eax
                                  call dword ptr [1000ADA8h]
                                  mov ecx, dword ptr [ebp-1Ch]
                                  push ecx
                                  call dword ptr [1000ADA8h]
                                  call dword ptr [1000ACF8h]
                                  mov edx, dword ptr [ebp-28h]
                                  push edx
                                  call dword ptr [1000ADACh]
                                  call dword ptr [1000ACFCh]
                                  call dword ptr [1000AD00h]
                                  movzx eax, word ptr [ebp-28h]
                                  push eax
                                  call dword ptr [0000AD04h]

                                  Data Directories

                                  Name | Virtual Address | Virtual Size | Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xab08 | 0x8c | .data
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x88000 | 0xdc0 | .rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x89000 | 0x1638 | .reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IAT | 0xace0 | 0x14c | .data
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                  Sections

                                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  .text | 0x1000 | 0x5514 | 0x5600 | False | 0.153161337209 | data | 4.85626266206 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                  .rdata | 0x7000 | 0xe1 | 0x200 | False | 0.302734375 | data | 2.19210691117 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .data | 0x8000 | 0x3424 | 0x3400 | False | 0.118765024038 | data | 2.80411052166 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                  .rdata8 | 0xc000 | 0x7b684 | 0x7b800 | False | 0.0964187436741 | data | 3.93481809931 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                  .rsrc | 0x88000 | 0xdc0 | 0xe00 | False | 0.398716517857 | data | 5.22871314327 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .reloc | 0x89000 | 0x1638 | 0x1800 | False | 0.744791666667 | data | 6.62590015244 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                  Resources

                                  Name | RVA | Size | Type | Language | Country
                                  REGISTRY | 0x8818c | 0x1b4 | ASCII text, with CRLF line terminators | English | United States
                                  REGISTRY | 0x88340 | 0x137 | ASCII text, with CRLF line terminators | English | United States
                                  REGISTRY | 0x88478 | 0x134 | ASCII text, with CRLF line terminators | English | United States
                                  REGISTRY | 0x885ac | 0x136 | ASCII text, with CRLF line terminators | English | United States
                                  RT_RCDATA | 0x886e4 | 0x332 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
                                  RT_VERSION | 0x88a18 | 0x3a8 | data | English | United States

                                  Imports

                                  DLL | Import
                                  KERNEL32.dll | GetLastError, GetModuleHandleW, VirtualAlloc
                                  USER32.dll | LoadCursorA, GetWindowTextLengthA, GetMenuCheckMarkDimensions, GetForegroundWindow, CreateMenu, IsCharAlphaNumericW, GetLastActivePopup, IsIconic, CloseClipboard, CharLowerW, DestroyCursor, GetKeyboardLayout, IsWindowVisible, VkKeyScanA, CreatePopupMenu, GetSysColor, CharUpperW, GetKeyState, GetFocus, ReleaseCapture, GetDesktopWindow, InSendMessage, IsGUIThread, WindowFromDC, IsCharUpperW, DestroyMenu, GetTopWindow, DestroyIcon, GetMessageTime, LoadCursorFromFileW, GetSystemMetrics, GetParent, GetWindowRect, PostMessageW, FindWindowW, DialogBoxParamW, GetDlgItem, SetWindowTextW, LoadStringW, EndDialog, RegisterClassW, GetClassInfoW, SetWindowPos
                                  GDI32.dll | CloseMetaFile, EndDoc, AbortDoc, CloseEnhMetaFile, CloseFigure, GetMapMode, CancelDC, AbortPath, GetColorSpace, UpdateColors, CreateSolidBrush, CreateMetaFileA, GetTextCharset, GetEnhMetaFileBits, GetStockObject
                                  ADVAPI32.dll | RegQueryValueExA, RegOpenKeyA, RegCloseKey, OpenServiceW, OpenSCManagerW, DeleteService, CloseServiceHandle, RegQueryValueExW, RegOpenKeyExW, RegEnumKeyExW
                                  SHLWAPI.dll | SHDeleteValueW, PathCombineW, PathFileExistsW, PathRemoveFileSpecW, SHDeleteKeyW
                                  IMM32.dll | ImmDisableIME

                                  Version Infos

                                  Description | Data
                                  LegalCopyright | Microsoft Corporation. All rights reserved.
                                  InternalName | Mcx2Prov.exe
                                  FileVersion | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
                                  CompanyName | Microsoft Corporation
                                  ProductName | Microsoft Windows Operating System
                                  ProductVersion | 6.1.7601.17514
                                  FileDescription | MCX2 Provisioning library
                                  OriginalFilename | Mcx2Prov.exe
                                  Translation | 0x0409 0x04b0

                                  Possible Origin

                                  Language of compilation system | Country where language is spoken | Map
                                  English | United States |

                                  Network Behavior

                                  Network Port Distribution

                                  TCP Packets

                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Nov 19, 2020 09:49:23.085170984 CET | 49731 | 80 | 192.168.2.3 | 195.110.58.42
                                  Nov 19, 2020 09:49:23.085223913 CET | 49732 | 80 | 192.168.2.3 | 195.110.58.42
                                  Nov 19, 2020 09:49:23.124098063 CET | 80 | 49731 | 195.110.58.42 | 192.168.2.3
                                  Nov 19, 2020 09:49:23.124125957 CET | 80 | 49732 | 195.110.58.42 | 192.168.2.3
                                  Nov 19, 2020 09:49:23.124221087 CET | 49731 | 80 | 192.168.2.3 | 195.110.58.42
                                  Nov 19, 2020 09:49:23.125086069 CET | 49732 | 80 | 192.168.2.3 | 195.110.58.42
                                  Nov 19, 2020 09:49:23.125246048 CET | 49732 | 80 | 192.168.2.3 | 195.110.58.42
                                  Nov 19, 2020 09:49:23.164325953 CET | 80 | 49732 | 195.110.58.42 | 192.168.2.3
                                  Nov 19, 2020 09:49:23.164351940 CET | 80 | 49732 | 195.110.58.42 | 192.168.2.3
                                  Nov 19, 2020 09:49:23.164450884 CET | 49732 | 80 | 192.168.2.3 | 195.110.58.42
                                  Nov 19, 2020 09:49:23.165677071 CET | 49732 | 80 | 192.168.2.3 | 195.110.58.42
                                  Nov 19, 2020 09:49:23.204705000 CET | 80 | 49732 | 195.110.58.42 | 192.168.2.3
                                  Nov 19, 2020 09:49:24.274219036 CET | 49731 | 80 | 192.168.2.3 | 195.110.58.42
                                  Nov 19, 2020 09:50:16.806704998 CET | 49749 | 80 | 192.168.2.3 | 143.204.15.36
                                  Nov 19, 2020 09:50:16.806818962 CET | 49750 | 80 | 192.168.2.3 | 143.204.15.36
                                  Nov 19, 2020 09:50:16.823184013 CET | 80 | 49749 | 143.204.15.36 | 192.168.2.3
                                  Nov 19, 2020 09:50:16.823216915 CET | 80 | 49750 | 143.204.15.36 | 192.168.2.3
                                  Nov 19, 2020 09:50:16.823318005 CET | 49749 | 80 | 192.168.2.3 | 143.204.15.36
                                  Nov 19, 2020 09:50:16.823349953 CET | 49750 | 80 | 192.168.2.3 | 143.204.15.36
                                  Nov 19, 2020 09:50:16.824542046 CET | 49749 | 80 | 192.168.2.3 | 143.204.15.36
                                  Nov 19, 2020 09:50:16.840802908 CET | 80 | 49749 | 143.204.15.36 | 192.168.2.3
                                  Nov 19, 2020 09:50:16.964099884 CET | 80 | 49749 | 143.204.15.36 | 192.168.2.3
                                  Nov 19, 2020 09:50:16.964207888 CET | 49749 | 80 | 192.168.2.3 | 143.204.15.36

                                  UDP Packets

                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Nov 19, 2020 09:48:24.593261003 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:48:24.612023115 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:48:25.854914904 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:48:25.889102936 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:48:35.590502024 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:48:35.604094028 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:48:35.843070030 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:48:35.855712891 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:48:39.967880964 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:48:39.981547117 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:48:40.409334898 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:48:40.461587906 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:48:54.589199066 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:48:54.601366997 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:48:55.586561918 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:48:55.599673986 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:48:56.178354025 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:48:56.205672026 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:48:56.601375103 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:48:56.613933086 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:48:58.617213011 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:48:58.633526087 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:02.636940956 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:02.649337053 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:03.574007988 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:03.586792946 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:04.396584034 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:04.412132978 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:10.035873890 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:10.048124075 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:13.723436117 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:13.736040115 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:15.256889105 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:15.276906967 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:21.721992016 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:21.740271091 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:23.043797016 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:23.063628912 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:23.538830042 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:23.550951958 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:24.403798103 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:24.417422056 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:43.221661091 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:43.234668016 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:44.038811922 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:44.059180975 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:44.820683002 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:44.838996887 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:44.851521969 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:44.864701033 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:45.908472061 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:45.935131073 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:45.982580900 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:45.995425940 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:46.343621969 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:46.356445074 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:49.027687073 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:49.040817022 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:53.835269928 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:53.848507881 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:49:59.754810095 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:49:59.768485069 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:50:00.573509932 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:50:00.585891008 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:50:01.409949064 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:50:01.423518896 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:50:10.971369028 CET | 64910 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:50:10.983454943 CET | 53 | 64910 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:50:11.765182972 CET | 52123 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:50:11.777738094 CET | 53 | 52123 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:50:12.502954960 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:50:12.516114950 CET | 53 | 56130 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:50:15.738631964 CET | 56338 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:50:15.757278919 CET | 53 | 56338 | 8.8.8.8 | 192.168.2.3
                                  Nov 19, 2020 09:50:16.770452976 CET | 59420 | 53 | 192.168.2.3 | 8.8.8.8
                                  Nov 19, 2020 09:50:16.792026997 CET | 53 | 59420 | 8.8.8.8 | 192.168.2.3

                                  DNS Queries

                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                  Nov 19, 2020 09:49:23.043797016 CET | 192.168.2.3 | 8.8.8.8 | 0xf960 | Standard query (0) | billinglines.com | A (IP address) | IN (0x0001)
                                  Nov 19, 2020 09:50:16.770452976 CET | 192.168.2.3 | 8.8.8.8 | 0x9f01 | Standard query (0) | ocsp.sca1b.amazontrust.com | A (IP address) | IN (0x0001)

                                  DNS Answers

                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                  Nov 19, 2020 09:49:23.063628912 CET | 8.8.8.8 | 192.168.2.3 | 0xf960 | No error (0) | billinglines.com | | 195.110.58.42 | A (IP address) | IN (0x0001)
                                  Nov 19, 2020 09:49:23.063628912 CET | 8.8.8.8 | 192.168.2.3 | 0xf960 | No error (0) | billinglines.com | | 92.242.40.221 | A (IP address) | IN (0x0001)
                                  Nov 19, 2020 09:50:16.792026997 CET | 8.8.8.8 | 192.168.2.3 | 0x9f01 | No error (0) | ocsp.sca1b.amazontrust.com | | 143.204.15.36 | A (IP address) | IN (0x0001)
                                  Nov 19, 2020 09:50:16.792026997 CET | 8.8.8.8 | 192.168.2.3 | 0x9f01 | No error (0) | ocsp.sca1b.amazontrust.com | | 143.204.15.47 | A (IP address) | IN (0x0001)
                                  Nov 19, 2020 09:50:16.792026997 CET | 8.8.8.8 | 192.168.2.3 | 0x9f01 | No error (0) | ocsp.sca1b.amazontrust.com | | 143.204.15.203 | A (IP address) | IN (0x0001)
                                  Nov 19, 2020 09:50:16.792026997 CET | 8.8.8.8 | 192.168.2.3 | 0x9f01 | No error (0) | ocsp.sca1b.amazontrust.com | | 143.204.15.29 | A (IP address) | IN (0x0001)

                                  HTTP Request Dependency Graph

                                  • billinglines.com
                                  • ocsp.sca1b.amazontrust.com

                                  HTTP Packets

                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                  0 | 192.168.2.3 | 49732 | 195.110.58.42 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                  Timestamp | kBytes transferred | Direction | Data
                                  Nov 19, 2020 09:49:23.125246048 CET | 4596 | OUT | GET /images/uwsvkUIzKxnVNIO/1hHERgIZGzO_2Bap_2/F07KJc5Re/tt4zrw9iXOc9md6Mf75y/kxfYNsV0RjT7n0rzu_2/FVrjLW0Lx1_2FNeyWne9gk/0rFmuW9zFu5BV/c7RWa33N/1NgLVJFWI2qb9NTj9vbwwI_/2F2HNzSZxp/DIXVF0dEz33_2BLha/h6wWaOyw/2.avi HTTP/1.1
                                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                                  Accept-Language: en-US
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Accept-Encoding: gzip, deflate
                                  Host: billinglines.com
                                  Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49749 | 143.204.15.36 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Nov 19, 2020 09:50:16.824542046 CET | 4785 | OUT | GET /images/EuNoqB8rz283d_2F7/B2kFZAZsTPTP/AjxLGzItOQW/LGcQAVabLTNFrn/ibQqX2QKAtaqH2QpDHFdT/6FHFM3jb_2BEx6vj/K0T2UpF9ftSsAhC/WBke3cKFZQASphRr9z/wDAeGeXXF/ciy8TXpgvP0d/PQ9l29nE/m.avi HTTP/1.1
                                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                                  Accept-Language: en-US
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Accept-Encoding: gzip, deflate
                                  Host: ocsp.sca1b.amazontrust.com
                                  Connection: Keep-Alive
Nov 19, 2020 09:50:16.964099884 CET | 4786 | IN | HTTP/1.1 200 OK
                                  Content-Type: application/ocsp-response
                                  Content-Length: 5
                                  Connection: keep-alive
                                  Accept-Ranges: bytes
                                  Cache-Control: public, max-age=300
                                  Date: Thu, 19 Nov 2020 08:50:16 GMT
                                  ETag: "5f4aa52a-5"
                                  Last-Modified: Sat, 29 Aug 2020 18:57:46 GMT
                                  Server: nginx
                                  X-Cache: Miss from cloudfront
                                  Via: 1.1 4c7862a49cd83c3f3532e46f49fb0cf7.cloudfront.net (CloudFront)
                                  X-Amz-Cf-Pop: MXP64-C1
                                  X-Amz-Cf-Id: arHuPT9a5ymvPE90FZzvlkeJmvW8l5Tjc8J5fn6Y3cxFhzDEV0lLrw==
                                  Data Raw: 30 03 0a 01 06
                                  Data Ascii: 0


                                  Code Manipulations

                                  Statistics

                                  Behavior


                                  System Behavior

                                  General

Start time: 09:48:15
Start date: 19/11/2020
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe 'C:\Users\user\Desktop\0pz1on1.dll'
Imagebase: 0x1220000
File size: 119808 bytes
MD5 hash: 62442CB29236B024E992A556DA72B97A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.265225077.0000000003A78000.00000004.00000040.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.265393506.0000000003A78000.00000004.00000040.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.265382479.0000000003A78000.00000004.00000040.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.265276332.0000000003A78000.00000004.00000040.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.265331854.0000000003A78000.00000004.00000040.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.265300438.0000000003A78000.00000004.00000040.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.265348911.0000000003A78000.00000004.00000040.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.265365047.0000000003A78000.00000004.00000040.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.476148188.0000000003A78000.00000004.00000040.sdmp, Author: Joe Security
Reputation: moderate

                                  General

Start time: 09:48:23
Start date: 19/11/2020
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff7dfb60000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                  General

Start time: 09:48:24
Start date: 19/11/2020
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4852 CREDAT:17410 /prefetch:2
Imagebase: 0x2e0000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                  General

Start time: 09:49:21
Start date: 19/11/2020
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff7dfb60000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                  General

Start time: 09:49:21
Start date: 19/11/2020
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6496 CREDAT:17410 /prefetch:2
Imagebase: 0x2e0000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                  General

Start time: 09:49:44
Start date: 19/11/2020
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff7dfb60000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                  General

Start time: 09:49:44
Start date: 19/11/2020
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4464 CREDAT:17410 /prefetch:2
Imagebase: 0x2e0000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                  General

Start time: 09:50:15
Start date: 19/11/2020
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff7dfb60000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                  General

Start time: 09:50:15
Start date: 19/11/2020
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5028 CREDAT:17410 /prefetch:2
Imagebase: 0x2e0000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                  Disassembly

                                  Code Analysis
