Windows Analysis Report PiSUfsy.exe

Overview

General Information

Sample Name: PiSUfsy.exe
Analysis ID: 481080
MD5: ddb8cc4e8e2ec81904a1407409d2e868
SHA1: 5f594f30bcf6b00213916e5aa987db98d764fbb2
SHA256: e0f81b847c0c02e0352607f852bdfb651925c35655ebf0be9b4fd2ef034661f3
Tags: exe, FORTHPROPERTYLTD, Ursnif
Detection

Ursnif, Ursnif v3
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
PE file contains an invalid checksum
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Process Tree

  • System is w10x64
  • PiSUfsy.exe (PID: 6456 cmdline: 'C:\Users\user\Desktop\PiSUfsy.exe' MD5: DDB8CC4E8E2EC81904A1407409D2E868)
  • iexplore.exe (PID: 3040 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 3416 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3040 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6724 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6092 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6724 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.264598600.00000000035D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.263576889.00000000035D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.263664962.00000000035D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.263998701.00000000035D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.264803904.00000000035D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(29 entries in total)

            Unpacked PEs

Source | Rule | Description | Author
0.3.PiSUfsy.exe.519d7c.0.raw.unpack | JoeSecurity_Ursnifv3 | Yara detected Ursnif | Joe Security
0.2.PiSUfsy.exe.1000000.0.unpack | JoeSecurity_Ursnifv3 | Yara detected Ursnif | Joe Security

                Sigma Overview

                No Sigma rule has matched

                Jbx Signature Overview


                AV Detection:

Multi AV Scanner detection for submitted file
Source: PiSUfsy.exe | Virustotal: Detection: 20%
Multi AV Scanner detection for domain / URL
Source: haverit.xyz | Virustotal: Detection: 5%
Machine Learning detection for sample
Source: PiSUfsy.exe | Joe Sandbox ML: detected
Source: 0.2.PiSUfsy.exe.1000000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.3.PiSUfsy.exe.519d7c.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: PiSUfsy.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: PiSUfsy.exe | Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb

                Networking:

Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: haverit.xyz (6 queries)
Source: C:\Users\user\Desktop\PiSUfsy.exe | DNS query: haverit.xyz (2 queries)
Source: unknown | DNS traffic detected: query: haverit.xyz replycode: Server failure (2)
Source: unknown | DNS traffic detected: query: haverit.xyz replycode: Name error (3)
Source: msapplication.xml0.9.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x18cc8a76,0x01d7a668</date><accdate>0x18cc8a76,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.9.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x18cc8a76,0x01d7a668</date><accdate>0x18cc8a76,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.9.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x18d3b2d8,0x01d7a668</date><accdate>0x18d3b2d8,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.9.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x18d3b2d8,0x01d7a668</date><accdate>0x18d3b2d8,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.9.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x18d3b2d8,0x01d7a668</date><accdate>0x18d3b2d8,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.9.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x18d3b2d8,0x01d7a668</date><accdate>0x18d3b2d8,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: PiSUfsy.exe, 00000000.00000003.264598600.00000000035D0000.00000004.00000040.sdmp | String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: PiSUfsy.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: PiSUfsy.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: PiSUfsy.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: PiSUfsy.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: PiSUfsy.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: PiSUfsy.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: PiSUfsy.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: PiSUfsy.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: PiSUfsy.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: PiSUfsy.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: PiSUfsy.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: PiSUfsy.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: PiSUfsy.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: PiSUfsy.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.9.dr | String found in binary or memory: http://www.amazon.com/
Source: PiSUfsy.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: msapplication.xml1.9.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.9.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.9.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.9.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.9.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.9.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.9.dr | String found in binary or memory: http://www.youtube.com/
Source: PiSUfsy.exe | String found in binary or memory: https://haverit.xyz
Source: ~DF0F34E919A9CE89F7.TMP.25.dr | String found in binary or memory: https://haverit.xyz/index.htm
Source: {435219D2-125B-11EC-90E4-ECF4BB862DED}.dat.9.dr | String found in binary or memory: https://haverit.xyz/index.htmRoot
Source: {435219D2-125B-11EC-90E4-ECF4BB862DED}.dat.9.dr | String found in binary or memory: https://haverit.xyz/index.htmdex.htm
Source: PiSUfsy.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: PiSUfsy.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | DNS traffic detected: queries for: haverit.xyz

                Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 0.3.PiSUfsy.exe.519d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PiSUfsy.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: PiSUfsy.exe PID: 6456, type: MEMORYSTR

                E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 0.3.PiSUfsy.exe.519d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PiSUfsy.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: PiSUfsy.exe PID: 6456, type: MEMORYSTR

                System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\PiSUfsy.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
Source: C:\Users\user\Desktop\PiSUfsy.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\PiSUfsy.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\PiSUfsy.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\PiSUfsy.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\PiSUfsy.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\PiSUfsy.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\PiSUfsy.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\PiSUfsy.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\PiSUfsy.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\PiSUfsy.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: PiSUfsy.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PiSUfsy.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PiSUfsy.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PiSUfsy.exe | Static PE information: invalid certificate
Source: PiSUfsy.exe | Virustotal: Detection: 20%
Source: PiSUfsy.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PiSUfsy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\PiSUfsy.exe 'C:\Users\user\Desktop\PiSUfsy.exe'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3040 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6724 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\PiSUfsy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: C:\Users\user\Desktop\PiSUfsy.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Users\user\Desktop\PiSUfsy.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFEEC0DD00867AC61A.TMP
Source: classification engine | Classification label: mal96.troj.evad.winEXE@7/29@8/0
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PiSUfsy.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 reads)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: PiSUfsy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PiSUfsy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PiSUfsy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PiSUfsy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PiSUfsy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PiSUfsy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: PiSUfsy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PiSUfsy.exe | Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb
Source: PiSUfsy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PiSUfsy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PiSUfsy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PiSUfsy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PiSUfsy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\PiSUfsy.exe | Unpacked PE file: 0.2.PiSUfsy.exe.1000000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
Source: PiSUfsy.exe | Static PE information: real checksum: 0xe5347 should be: 0xe1814
Source: C:\Users\user\Desktop\PiSUfsy.exe | Code function: 0_3_035D198A push ds; retf 0_3_035D1991
Source: initial sample | Static PE information: section name: .text entropy: 6.85141881321

                Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 0.3.PiSUfsy.exe.519d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PiSUfsy.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
                Source: Yara matchFile source: 00000000.00000003.264598600.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.263576889.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.263664962.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.263998701.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.264803904.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.265069629.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.264908364.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.264991465.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.491537444.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.264096930.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.264335310.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.264179756.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.264748310.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.264400907.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.263748838.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.265030298.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.264264868.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.265133135.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.263486576.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.265228562.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.264483322.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.265215776.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.265171426.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.264953421.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.264543495.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.264853737.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.263829043.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.265202788.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.265187906.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.265153237.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.263907888.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.264686483.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.265106061.00000000035D0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: PiSUfsy.exe PID: 6456, type: MEMORYSTR
                Source: C:\Users\user\Desktop\PiSUfsy.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\PiSUfsy.exe TID: 6528 | Thread sleep time: -30000s >= -30000s
                Source: PiSUfsy.exe, 00000000.00000002.491389061.0000000001100000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                Source: PiSUfsy.exe, 00000000.00000002.491389061.0000000001100000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: PiSUfsy.exe, 00000000.00000002.491389061.0000000001100000.00000002.00020000.sdmp | Binary or memory string: Progman
                Source: PiSUfsy.exe, 00000000.00000002.491389061.0000000001100000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\PiSUfsy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\Desktop\PiSUfsy.exe | WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct
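The WMI query above (root\securitycenter2, class AntiSpywareProduct) is how a process enumerates the security products Windows Security Center knows about, which is why the report maps it to Security Software Discovery in the matrix below. The following is an added detection example, not code from the report or from the sample: it parses the "Operation = ... IWbemServices::ExecQuery - <namespace> : <query>" form that the report prints and that the WMI-Activity Operational log carries, and flags queries that target the Security Center product classes. The log lines are constructed for the demonstration (the PIDs and the non-matching cimv2 queries are made up) and are not taken from the analysis.

```python
# Added detection example, not code from the Joe Sandbox report: classify
# WMI queries such as the sample's
#   IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct
# as security-software discovery. The log lines below are constructed in the
# style of the WMI-Activity "Operation = ..." field; they are not from the analysis.
import re
from typing import Dict, List, Optional

# Classes in root\SecurityCenter2 that enumerate registered security products.
SECURITY_CENTER_CLASSES = {"antivirusproduct", "antispywareproduct", "firewallproduct"}

QUERY_RE = re.compile(
    r"IWbemServices::ExecQuery\s*-\s*(?P<ns>[\w\\]+)\s*:\s*(?P<query>.+?)\s*(?:;|$)",
    re.IGNORECASE,
)
FROM_RE = re.compile(r"\bfrom\s+(?P<cls>[A-Za-z_]\w*)", re.IGNORECASE)
PID_RE = re.compile(r"ClientProcessId\s*=\s*(\d+)")


def parse_wmi_query(line: str) -> Optional[Dict[str, str]]:
    """Extract namespace, query text and the queried class from one log line, or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    query = m.group("query").strip()
    cm = FROM_RE.search(query)
    return {
        "namespace": m.group("ns").lower(),
        "query": query,
        "class": cm.group("cls").lower() if cm else "",
    }


def is_security_software_discovery(parsed: Dict[str, str]) -> bool:
    """True when the query enumerates a Security Center product class (ATT&CK T1518.001)."""
    return parsed["namespace"].endswith("securitycenter2") and parsed["class"] in SECURITY_CENTER_CLASSES


# Constructed log lines (not from the report); only the first two should be flagged.
CONSTRUCTED_LOG = [
    "ClientProcessId = 6456; Operation = Start IWbemServices::ExecQuery - root\\securitycenter2 : select * from antispywareproduct; ResultCode = 0x0",
    "ClientProcessId = 6456; Operation = Start IWbemServices::ExecQuery - root\\securitycenter2 : select * from antivirusproduct; ResultCode = 0x0",
    "ClientProcessId = 1234; Operation = Start IWbemServices::ExecQuery - root\\cimv2 : select * from win32_operatingsystem; ResultCode = 0x0",
    "ClientProcessId = 4321; Operation = Start IWbemServices::ExecQuery - root\\cimv2 : select * from win32_process; ResultCode = 0x0",
]


def find_discovery_events(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per line that performs security-software discovery, with the client PID."""
    hits = []
    for line in lines:
        parsed = parse_wmi_query(line)
        if parsed and is_security_software_discovery(parsed):
            pid = PID_RE.search(line)
            hits.append({"pid": int(pid.group(1)) if pid else None, **parsed})
    return hits


if __name__ == "__main__":
    for hit in find_discovery_events(CONSTRUCTED_LOG):
        print(hit)
```

Legitimate software (security dashboards, inventory agents) also reads these classes, so a production rule should pair the query with the client process: an unsigned executable under a user profile issuing it shortly after start, as PID 6456 does here, is the combination worth alerting on.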

                Stealing of Sensitive Information:

                barindex
                Yara detected Ursnif
                Source: Yara match | File source: 0.3.PiSUfsy.exe.519d7c.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.PiSUfsy.exe.1000000.0.unpack, type: UNPACKEDPE
                Yara detected Ursnif
                Source: Yara match | File source: the same 33 memory dumps at base 0x035D0000 and the PiSUfsy.exe (PID 6456) process memory space listed under Hooking and other Techniques for Hiding and Protection above

                Remote Access Functionality:

                barindex
                Yara detected Ursnif
                Source: Yara match | File source: 0.3.PiSUfsy.exe.519d7c.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.PiSUfsy.exe.1000000.0.unpack, type: UNPACKEDPE
                Yara detected Ursnif
                Source: Yara match | File source: the same 33 memory dumps at base 0x035D0000 and the PiSUfsy.exe (PID 6456) process memory space listed under Hooking and other Techniques for Hiding and Protection above

                Mitre Att&ck Matrix

                Techniques per tactic column, as listed in the report's matrix (trailing digits in brackets are the per-technique count badges shown in the original):

                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                Execution: Windows Management Instrumentation [211]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
                Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                Privilege Escalation: Process Injection [2]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [1]; Process Injection [2]; Obfuscated Files or Information [2]; Software Packing [12]; Steganography; Compile After Delivery
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                Discovery: Query Registry [1]; Security Software Discovery [1]; Virtualization/Sandbox Evasion [1]; Process Discovery [1]; Remote System Discovery [1]; File and Directory Discovery [1]; System Information Discovery [3]
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Command and Control: Non-Application Layer Protocol [1]; Application Layer Protocol [1]; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
                Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

                Behavior Graph

                Behavior Graph ID: 481080 | Sample: PiSUfsy.exe | Start date: 10/09/2021 | Architecture: WINDOWS | Score: 96

                Signatures attached to the analysis root:
                • Multi AV Scanner detection for domain / URL
                • Multi AV Scanner detection for submitted file
                • Yara detected Ursnif
                • 3 other signatures

                Process nodes and edges (the numbers after a process name are the graph's per-node counters for created registry values and created files):
                • PiSUfsy.exe, started from the root: resolves haverit.xyz; node signatures: Detected unpacking (changes PE section rights); Performs DNS queries to domains with low reputation; Writes or reads registry keys via WMI; Writes registry values via WMI
                • iexplore.exe (1, 50), started from the root: starts a child iexplore.exe (29), which resolves haverit.xyz
                • iexplore.exe (2, 83), started from the root: starts a child iexplore.exe (30), which resolves haverit.xyz

                Screenshots

                (Screenshot thumbnails from the analysis run are not reproduced in this text version.)

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                PiSUfsy.exe | 21% | Virustotal |
                PiSUfsy.exe | 100% | Joe Sandbox ML |

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                Source | Detection | Scanner | Label
                0.2.PiSUfsy.exe.1000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
                0.3.PiSUfsy.exe.519d7c.0.unpack | 100% | Avira | TR/Patched.Ren.Gen

                Domains

                Source | Detection | Scanner | Label
                haverit.xyz | 6% | Virustotal |

                URLs

                Source | Detection | Scanner | Label
                https://haverit.xyz/index.htm | 4% | Virustotal |
                https://haverit.xyz/index.htm | 0% | Avira URL Cloud | safe
                https://sectigo.com/CPS0 | 0% | URL Reputation | safe
                http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
                https://haverit.xyz/index.htmdex.htm | 0% | Avira URL Cloud | safe
                http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html; | 0% | Avira URL Cloud | safe
                http://www.wikipedia.com/ | 0% | URL Reputation | safe
                https://haverit.xyz | 0% | Avira URL Cloud | safe
                http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
                http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
                https://haverit.xyz/index.htmRoot | 0% | Avira URL Cloud | safe

                Domains and IPs

                Contacted Domains

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                haverit.xyz | unknown | unknown | true | | unknown

                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                https://haverit.xyz/index.htm | ~DF0F34E919A9CE89F7.TMP.25.dr | true | 4% Virustotal; Avira URL Cloud: safe | unknown
                http://www.nytimes.com/ | msapplication.xml3.9.dr | false | | high
                https://sectigo.com/CPS0 | PiSUfsy.exe | false | URL Reputation: safe | unknown
                http://ocsp.sectigo.com0 | PiSUfsy.exe | false | URL Reputation: safe | unknown
                https://haverit.xyz/index.htmdex.htm | {435219D2-125B-11EC-90E4-ECF4BB862DED}.dat.9.dr | true | Avira URL Cloud: safe | unknown
                http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html; | PiSUfsy.exe, 00000000.00000003.264598600.00000000035D0000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | low
                http://www.youtube.com/ | msapplication.xml7.9.dr | false | | high
                http://www.wikipedia.com/ | msapplication.xml6.9.dr | false | URL Reputation: safe | unknown
                http://www.amazon.com/ | msapplication.xml.9.dr | false | | high
                https://haverit.xyz | PiSUfsy.exe | true | Avira URL Cloud: safe | unknown
                http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | PiSUfsy.exe | false | URL Reputation: safe | unknown
                http://www.live.com/ | msapplication.xml2.9.dr | false | | high
                http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | PiSUfsy.exe | false | URL Reputation: safe | unknown
                http://www.reddit.com/ | msapplication.xml4.9.dr | false | | high
                http://www.twitter.com/ | msapplication.xml5.9.dr | false | | high
                https://haverit.xyz/index.htmRoot | {435219D2-125B-11EC-90E4-ECF4BB862DED}.dat.9.dr | true | Avira URL Cloud: safe | unknown
                http://www.google.com/ | msapplication.xml1.9.dr | false | | high

                              Contacted IPs

                              No contacted IP infos

                              General Information

                              Joe Sandbox Version:33.0.0 White Diamond
                              Analysis ID:481080
                              Start date:10.09.2021
                              Start time:10:18:13
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 6m 11s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Sample file name:PiSUfsy.exe
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                              Number of new started processes analysed:30
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal96.troj.evad.winEXE@7/29@8/0
                              EGA Information:Failed
                              HDC Information:Failed
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .exe
                              Warnings:
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe
                              • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 23.203.80.193, 20.50.102.62, 40.112.88.60, 173.222.108.226, 173.222.108.210, 20.199.120.151, 80.67.82.235, 80.67.82.211, 152.199.19.161, 20.199.120.85, 20.82.210.154, 20.199.120.182
                              • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, go.microsoft.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, cs9.wpc.v0cdn.net
                              • Not all processes were analyzed; the report is missing behavior information
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

                              Time | Type | Description
                              10:19:46 | API Interceptor | 2x Sleep call for process: PiSUfsy.exe modified

                              Joe Sandbox View / Context

                              IPs

                              No context

                              Domains

                              No context

                              ASN

                              No context

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{435219D0-125B-11EC-90E4-ECF4BB862DED}.dat
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:Microsoft Word Document (libmagic's generic label for an OLE2 compound document; Internet Explorer RecoveryStore .dat files are OLE structured storage, which is why the preview below shows the "Root Entry" directory name)
                              Category:dropped
                              Size (bytes):29272
                              Entropy (8bit):1.767910827582747
                              Encrypted:false
                              SSDEEP:96:rcZrZTl2TQWTLMtTLDfTL+7FMTLSzT8IB:rcZrZTl2TQWTYtT3fTS7FMT+zTJB
                              MD5:5549613A0C3CFA300203D29B4DA079C4
                              SHA1:C7BA0471338AFE8208E3A70D6C4A726542B08C88
                              SHA-256:058D9040EA75C9689E469353DFFB464D8F099632F034F35388487EC162D9A365
                              SHA-512:D964FE88EA0B338272504B84F7C75C10C2ECDE21F482A694A203EEFCB946084899E79C45D751CD3A461E3CA0CC3BD608B62311FF305EC59692C2A22C7E8814A8
                              Malicious:false
                              Reputation:low
                              Preview: (binary; the only readable content in the first bytes is the UTF-16LE directory-entry name "Root Entry", which the report prints as R.o.o.t. .E.n.t.r.y with non-printable bytes shown as dots)
                              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6953F0C7-125B-11EC-90E4-ECF4BB862DED}.dat
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:Microsoft Word Document (libmagic's generic label for an OLE2 compound document)
                              Category:dropped
                              Size (bytes):29272
                              Entropy (8bit):1.7716211254875913
                              Encrypted:false
                              SSDEEP:48:IwsGcprZGwpL2G/ap8OGIpckHGvnZpvkfTRGolqp9kfHTQGo4RpmkxFHbGWvlDGF:rwZTZ02eWk4tkGfkvRMk+fhpB
                              MD5:8B850AF47A1244F545B93C681F4CD253
                              SHA1:642DDAEAB6F619FB6F1EFAE0466F1B2A6E60C39B
                              SHA-256:16F648C8C6903C9227C3A178884E22F7322C5620E2A4DB0F43D8BCCE62D9E2BE
                              SHA-512:F3900E9959AEC3FBEFF9630F1A2EA5224E6CDEF681E345B0221E388D0D52DB8EA682B8B6C3A842E90959EE7E08363611EEB28895EFA3A76634719D27A3CC8113
                              Malicious:false
                              Reputation:low
                              Preview: (binary; the only readable content in the first bytes is the UTF-16LE directory-entry name "Root Entry", printed with non-printable bytes as dots)
                              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{435219D2-125B-11EC-90E4-ECF4BB862DED}.dat
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:Microsoft Word Document
                              Category:dropped
                              Size (bytes):26240
                              Entropy (8bit):1.653277117903397
                              Encrypted:false
                              SSDEEP:48:IwBGcprwGwpa8G4pQwGrapbS9GQpBSGHHpcjTGUp8ZUGzYpmMRvGopOCyDZbGqXT:r3ZYQc6OBSHjp29WmMqkrVSA
                              MD5:C1EDC282B7A921C386333D54A46398E9
                              SHA1:03384AA0B051C2ACDC50C017BFDA53A86C72C853
                              SHA-256:C32C0F328992520DEB9EF5EA7878F089CD33D32493C73A4333A2C26B0A9B1282
                              SHA-512:483C64003A05B6AB77B6C9171F82B82AF38AC959D789941B51EB39013E4ACAD76996BEFEEE6B94C9EF8F564AA2EB90E726634706FAA6B73596A808525E7D741E
                              Malicious:false
                              Reputation:low
                              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6953F0C9-125B-11EC-90E4-ECF4BB862DED}.dat
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:Microsoft Word Document
                              Category:dropped
                              Size (bytes):26240
                              Entropy (8bit):1.6552452588590398
                              Encrypted:false
                              SSDEEP:48:IwFGGcprfNGwpaCGG4pQ4UGrapbS2GQpBOGHHpcMcTGUp8yGzYpmG3GopOQyDOBl:rUZvQT6RBSOjd2JWOMykWtVQ3A
                              MD5:A5C53BAC5AE42F54F85199F3BB95F93B
                              SHA1:1C6A24BFF7EEBB0F4B8DC962C3F7D4363A44411C
                              SHA-256:1BA8F54AE85DFCE6FFAC476163993B9A13511D7A22DBE8DC6B13E286FC6AAB17
                              SHA-512:1004E172D6FDD453F4D8AE0816C7BFBA11F4BB6BEEC6748CB11917FC1B18A4D96B7D5A14028393945D01B713D239ED73F94D470F7EF18BC3E2893432969E2CAB
                              Malicious:false
                              Reputation:low
                              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                              Category:dropped
                              Size (bytes):656
                              Entropy (8bit):5.104721476385179
                              Encrypted:false
                              SSDEEP:12:TMHdNMNxOEWenWimI002EtM3MHdNMNxOEWenWimI00ObVbkEtMb:2d6NxOESZHKd6NxOESZ76b
                              MD5:9409A50D4C91701ABDBACBE17E214EE2
                              SHA1:6C8858E4A0A0775D72D0B80CDC59BCAE4D0F16F6
                              SHA-256:79D278F1F8326FE65B250508E9078FE171F0D1459FDAD28CE5E5350EA29D1719
                              SHA-512:36245447F8F6745366CCC11C809581BF5202DA8F28842E9273A20F13B0AE7ECFC8B88E05A9C05977BF98B553119798AF03C62E735170F5FF326DFFEACE688EAC
                              Malicious:false
                              Reputation:low
                              Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x18d3b2d8,0x01d7a668</date><accdate>0x18d3b2d8,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x18d3b2d8,0x01d7a668</date><accdate>0x18d3b2d8,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..
                              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                              Category:dropped
                              Size (bytes):653
                              Entropy (8bit):5.084052421273924
                              Encrypted:false
                              SSDEEP:12:TMHdNMNxe2kvAitAMnWimI002EtM3MHdNMNxe2kvAitAMnWimI00Obkak6EtMb:2d6NxrWSZHKd6NxrWSZ7Aa7b
                              MD5:81FD5C3557106C46A0CC8C42B0C1902D
                              SHA1:104F0F8AB1192BD3423ABD9FBEC8494A6E75FBE3
                              SHA-256:6AA501CD163232CD1C562610B588E052B20D5B726BFB6A4798201E739DF08815
                              SHA-512:3D13374A37E91BDA48F046B459AE23DE18423A13C0FFCC9F3D2AC2530F62E6F11581C3354FB3E3FFD6B546AF205DE75F7C0803B72E3125E254E567031A24B60C
                              Malicious:false
                              Reputation:low
                              Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x18cc8a76,0x01d7a668</date><accdate>0x18cc8a76,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x18cc8a76,0x01d7a668</date><accdate>0x18cc8a76,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..
                              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                              Category:dropped
                              Size (bytes):662
                              Entropy (8bit):5.1214194144054686
                              Encrypted:false
                              SSDEEP:12:TMHdNMNxvLWenWimI002EtM3MHdNMNxvLWenWimI00ObmZEtMb:2d6NxvFSZHKd6NxvFSZ7mb
                              MD5:DD56A643D27C13BB73EA7D75D8FABDDE
                              SHA1:D723080970C1DE2872EE349248D0F6CBA78EAE03
                              SHA-256:BFC5C9EABB3F47EC665CD4744DDB44998F0386B8241E45C933E57FD6B3151380
                              SHA-512:F6DD3A7D3B27817FAAE45BFA5EADBDEAEBF81E5C9E910434C0932EF9FD99999A79BBAD92DD2EF1500F94F0EFEC7BA3205C82643DA0CBE0BF6BFED22C45B4B025
                              Malicious:false
                              Reputation:low
                              Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x18d3b2d8,0x01d7a668</date><accdate>0x18d3b2d8,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x18d3b2d8,0x01d7a668</date><accdate>0x18d3b2d8,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..
                              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                              Category:dropped
                              Size (bytes):647
                              Entropy (8bit):5.079190891058834
                              Encrypted:false
                              SSDEEP:12:TMHdNMNxivAitAMnWimI002EtM3MHdNMNxivAitAMnWimI00Obd5EtMb:2d6Nx0SZHKd6Nx0SZ7Jjb
                              MD5:BC7F8B4F5EF4A6CF4B0E7E28C8B1FF59
                              SHA1:98B0415ECA3054C83A31B759033C110102CBC877
                              SHA-256:23F95444558A03C668F702CFE9F9FD951FFAE3C9BE938BF948E4F0C609F85529
                              SHA-512:B72B516F5312F64C90CB54D7C635E596C60C9165468ABF3EDCC1C4B969C9334670D63CC691DAC8F9821DD8BC3149DF7378ECF5AC655A2CC625D32E0006F9EB15
                              Malicious:false
                              Reputation:low
                              Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x18cc8a76,0x01d7a668</date><accdate>0x18cc8a76,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x18cc8a76,0x01d7a668</date><accdate>0x18cc8a76,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..
                              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                              Category:dropped
                              Size (bytes):656
                              Entropy (8bit):5.135821975934053
                              Encrypted:false
                              SSDEEP:12:TMHdNMNxhGwWenWimI002EtM3MHdNMNxhGwWenWimI00Ob8K075EtMb:2d6NxQ4SZHKd6NxQ4SZ7YKajb
                              MD5:26E707803EDED22B1A2FD51E9754EC6B
                              SHA1:A7BB0552828F873F9AD22759C3B47BCB4B75B93E
                              SHA-256:14B1BB355F26D4876F60CE14058834CE7289B4EB6E504977CA69BFA8D5F664DF
                              SHA-512:FC34CFFCB7708B4A6B730D1446C700FCB88A6574753410AD4FAFE4DDB79EE509D82EFC97404855A1BFCB6ED6790664976801D0B540FE96AC63B3729DB5A30112
                              Malicious:false
                              Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x18d3b2d8,0x01d7a668</date><accdate>0x18d3b2d8,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x18d3b2d8,0x01d7a668</date><accdate>0x18d3b2d8,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..
                              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                              Category:dropped
                              Size (bytes):653
                              Entropy (8bit):5.103455098848017
                              Encrypted:false
                              SSDEEP:12:TMHdNMNx0nWenWimI002EtM3MHdNMNx0nWenWimI00ObxEtMb:2d6Nx0JSZHKd6Nx0JSZ7nb
                              MD5:F25F70EF84320440B6F92AC7C5297D0F
                              SHA1:87FF658420D7D11AC45A6AAF2407E2A244452160
                              SHA-256:28B548D59BCEA71F19EAC4C0B206845BD2BDAAF95BF5FDD74B831D0762BDCB93
                              SHA-512:19D436C6AC3CB5FFFF649165783DEBE5D5E86EE2259BAFF5B702E4D3C7160435CC5CAC2F95827E679C03BBEC2015E06F3B47834784B0E2817D871670B3DB48ED
                              Malicious:false
                              Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x18d3b2d8,0x01d7a668</date><accdate>0x18d3b2d8,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x18d3b2d8,0x01d7a668</date><accdate>0x18d3b2d8,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..
                              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                              Category:dropped
                              Size (bytes):656
                              Entropy (8bit):5.145145177655876
                              Encrypted:false
                              SSDEEP:12:TMHdNMNxxWenWimI002EtM3MHdNMNxxWenWimI00Ob6Kq5EtMb:2d6NxjSZHKd6NxjSZ7ob
                              MD5:80AE373496EAB7A58EBAD3BD148C97EF
                              SHA1:DE597241F07C4F89C58A0DD7F192BF39D3CE6CF4
                              SHA-256:B3B01B3339D95CCEAA6F122CEA33493A4381BC005401C6D4EE83FFD11F285FD7
                              SHA-512:DAE8C2543638C318F4EB8D6BA90E75A574E605A6474084FDA6AA01EB74BAF55E63E96274EC6EF69043F200DD3B55E1D98AE0CF91B827B79C099CCB2A70DDDB11
                              Malicious:false
                              Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x18d3b2d8,0x01d7a668</date><accdate>0x18d3b2d8,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x18d3b2d8,0x01d7a668</date><accdate>0x18d3b2d8,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..
                              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                              Category:dropped
                              Size (bytes):659
                              Entropy (8bit):5.082370786840105
                              Encrypted:false
                              SSDEEP:12:TMHdNMNxcvAitAMnWimI002EtM3MHdNMNxcvAitAMnWimI00ObVEtMb:2d6NxeSZHKd6NxeSZ7Db
                              MD5:64EE23798088274C6AFBC414B0ECFB52
                              SHA1:F7D6452F5A406A47D920A85BAA968B7EDBE8C207
                              SHA-256:3597B6E33C19882D5B335DAFF3E02E4196228056C093EBA8A44AE95D2C6F3A11
                              SHA-512:F28CBB660186E0E3E6B0EF1CE0864CCB69F4017FCF91FA32AA88F2ABF4E0AFE49A2287EB5203AA12DE89FBACF5710016755E1E8286B58294235764E89DFE25EE
                              Malicious:false
                              Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x18cc8a76,0x01d7a668</date><accdate>0x18cc8a76,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x18cc8a76,0x01d7a668</date><accdate>0x18cc8a76,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..
                              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                              Category:dropped
                              Size (bytes):653
                              Entropy (8bit):5.065147867190279
                              Encrypted:false
                              SSDEEP:12:TMHdNMNxfnvAitAMnWimI002EtM3MHdNMNxfnvAitAMnWimI00Obe5EtMb:2d6NxbSZHKd6NxbSZ7ijb
                              MD5:4303CED0A39C69A6E7FF17C386C1EC1F
                              SHA1:EFE3A66D822E915DDDE5B608AC36266D42D4C35F
                              SHA-256:422711BDE9FB834C5E26C9C884E7630AFD843075D612B47B17F8E0570CB36821
                              SHA-512:6F04D9E12209471F2FB606CDC29D306290842F6D900AD0F71347AC940CA993F3C2F4CD536291B63BBF68391B0AD340787F0D64A154D0BACB86BF6CCC3507FF21
                              Malicious:false
                              Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x18cc8a76,0x01d7a668</date><accdate>0x18cc8a76,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x18cc8a76,0x01d7a668</date><accdate>0x18cc8a76,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\NewErrorPageTemplate[1]
                              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1612
                              Entropy (8bit):4.869554560514657
                              Encrypted:false
                              SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                              MD5:DFEABDE84792228093A5A270352395B6
                              SHA1:E41258C9576721025926326F76063C2305586F76
                              SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                              SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                              Malicious:false
                              Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\dnserror[1]
                              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2997
                              Entropy (8bit):4.4885437940628465
                              Encrypted:false
                              SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                              MD5:2DC61EB461DA1436F5D22BCE51425660
                              SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                              SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                              SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                              Malicious:false
                              Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\errorPageStrings[1]
                              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4720
                              Entropy (8bit):5.164796203267696
                              Encrypted:false
                              SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                              MD5:D65EC06F21C379C87040B83CC1ABAC6B
                              SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                              SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                              SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                              Malicious:false
                              Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\down[1]
                              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                              Category:dropped
                              Size (bytes):748
                              Entropy (8bit):7.249606135668305
                              Encrypted:false
                              SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                              MD5:C4F558C4C8B56858F15C09037CD6625A
                              SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                              SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                              SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                              Malicious:false
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\NewErrorPageTemplate[1]
                              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1612
                              Entropy (8bit):4.869554560514657
                              Encrypted:false
                              SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                              MD5:DFEABDE84792228093A5A270352395B6
                              SHA1:E41258C9576721025926326F76063C2305586F76
                              SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                              SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                              Malicious:false
                              Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\errorPageStrings[1]
                              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4720
                              Entropy (8bit):5.164796203267696
                              Encrypted:false
                              SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                              MD5:D65EC06F21C379C87040B83CC1ABAC6B
                              SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                              SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                              SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                              Malicious:false
                              Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\httpErrorPagesScripts[1]
                              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):12105
                              Entropy (8bit):5.451485481468043
                              Encrypted:false
                              SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                              MD5:9234071287E637F85D721463C488704C
                              SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                              SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                              SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                              Malicious:false
                              Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\dnserror[1]
                              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2997
                              Entropy (8bit):4.4885437940628465
                              Encrypted:false
                              SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                              MD5:2DC61EB461DA1436F5D22BCE51425660
                              SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                              SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                              SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                              Malicious:false
                              Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\down[1]
                              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                              Category:dropped
                              Size (bytes):748
                              Entropy (8bit):7.249606135668305
                              Encrypted:false
                              SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                              MD5:C4F558C4C8B56858F15C09037CD6625A
                              SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                              SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                              SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                              Malicious:false
                              Preview: .PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\httpErrorPagesScripts[1]
                              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):12105
                              Entropy (8bit):5.451485481468043
                              Encrypted:false
                              SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                              MD5:9234071287E637F85D721463C488704C
                              SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                              SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                              SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                              Malicious:false
                              Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                              C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
                              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):89
                              Entropy (8bit):4.350647094482033
                              Encrypted:false
                              SSDEEP:3:oVXUpOVfWW4ER98JOGXnEpOVfWWF7n:o9UpO1WW449qEpO1WWl
                              MD5:C5C6E32E59C52850C49324B2BD91A96F
                              SHA1:4A11EA1D270CFC0A36AEAA1871E2500B122FEC2A
                              SHA-256:B0B23261B5289A13A255842C07BCA0A50B15243B022B892E41ADCAF761CFF1F3
                              SHA-512:24CEF1DD62633606C70F73D258E82D99069256EEC57FE5D6CAFEB73BA1D3363F77170CA440E775A64BF797DD250923F0044A8A3DA8165FD8022EBAFF639230A0
                              Malicious:false
                              Preview: [2021/09/10 10:20:38.186] Latest deploy version: ..[2021/09/10 10:20:38.186] 11.211.2 ..
                              C:\Users\user\AppData\Local\Temp\~DF052200E5A2FBE4F5.TMP
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):38737
                              Entropy (8bit):0.36804573270497437
                              Encrypted:false
                              SSDEEP:48:kBqoxKAuvScS+9DhAMIMwCyDZCyDbCyDU:kBqoxKAuvScS+9DhAjLjxi
                              MD5:08FB496F01888D742C59B87B3AC4359D
                              SHA1:049BC129C56E718470053BB2B18149BE8644DE5C
                              SHA-256:227975D6D993CB96526FD5D48A2645B65E2BC0CD4A86F0111AF7BB55E7364CB7
                              SHA-512:B8738D078597AA8F233064E8F4C601DAA51CC0434FF283374A159197C2BE6752AB1C5E026E850BC4B3CA815E41CD4DEFB748640D46E642CE1CEA166545A39A7B
                              Malicious:false
                              Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              C:\Users\user\AppData\Local\Temp\~DF0F34E919A9CE89F7.TMP
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):38737
                              Entropy (8bit):0.37044060981047916
                              Encrypted:false
                              SSDEEP:48:kBqoxKAuvScS+357yGIGwQyDZQyDbQyDU:kBqoxKAuvScS+357yZBRDc
                              MD5:1E84DB848F8CDC756E7E5FFB630E5782
                              SHA1:5CA5EC0122405901B7B6805BAA034EDCDF85CB47
                              SHA-256:52CA08644795E6EAC4FC68A499CC324BA358C3595298D8E57CBD18CC25643345
                              SHA-512:0E4EDAE89AF93F80EB7CAE4EEA7E2BB3288DE0A00D0492B623C1478596DBE2240B18930FB7133EF1543FA9E832BC3119999BA33A0202E0027D0661C52933FAC8
                              Malicious:false
                              Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              C:\Users\user\AppData\Local\Temp\~DF962424A3C5B5AD0F.TMP
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12933
                              Entropy (8bit):0.4106597412749696
                              Encrypted:false
                              SSDEEP:24:c9lLh9lLh9lIn9lIn9lojF9lop9lWE/Nxe:kBqoIysE/Nxe
                              MD5:B71E1B615B91A86C2840ED86D93ABC67
                              SHA1:356C94B056C072F9328E1422ED1A69BE464B4BF8
                              SHA-256:67D716555E0E232BEDF6E6604AC1D3B26A8847E48D3FED82A85A161F80890BF5
                              SHA-512:4EF507A7D3EA9057A1E666E158F1D25F00E2798EFB66B586100B780D098702C5D1E290DF21B2BD9EA5E0FBAAB855066097CFD9D27AB52B856D3A10FC89857AEB
                              Malicious:false
                              Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              C:\Users\user\AppData\Local\Temp\~DFEEC0DD00867AC61A.TMP
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12933
                              Entropy (8bit):0.410127935772876
                              Encrypted:false
                              SSDEEP:24:c9lLh9lLh9lIn9lIn9loTaF9loT29lWTrwU:kBqoIThTnTrwU
                              MD5:D3B988EE3DD365B1C1C32E68D2EFBB32
                              SHA1:7D0C72D608DB49C54CAB8518D51D50E84A81AEB5
                              SHA-256:0ED6CFB0C782CBA9BEF9518F1DF08B7A33FDD7F7D24FB5CDA37F120860C1ACF3
                              SHA-512:B3764DD0DAA971A39D3C101402493B09A94B9CD2BCE53B99FF8C4DBBF64DAED5394238DA63C34A8BD9931DDE8B4A7DE058EEFB42945211399280D056EC55E597
                              Malicious:false
                              Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):6.614358183794132
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:PiSUfsy.exe
                              File size:901960
                              MD5:ddb8cc4e8e2ec81904a1407409d2e868
                              SHA1:5f594f30bcf6b00213916e5aa987db98d764fbb2
                              SHA256:e0f81b847c0c02e0352607f852bdfb651925c35655ebf0be9b4fd2ef034661f3
                              SHA512:70e1ff1b5aa7a5ff7408f4520adece23fbb9df4f3ac9d5aded9baad30fe485c47a2f8cce6b2d500ab6705a18ce20f90c193092c4f943053c67c1cff8b51a5738
                              SSDEEP:24576:X9PsA9vHAYobFGQdRwylSk61LXXhtxvZPmtk1/GqgLG9:oYRJk61bRrZPmWGG9
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I................#3......#6......#7...............A......#5......{7......#+.1....#1......#4.....Rich...........................

                              File Icon

                              Icon Hash:f0b0e8e4e4e8b2dc

                              Static PE Info

                              General

                              Entrypoint:0x1005725
                              Entrypoint Section:.text
                              Digitally signed:true
                              Imagebase:0x1000000
                              Subsystem:windows gui
                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                              DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
                              Time Stamp:0x55E85856 [Thu Sep 3 14:25:26 2015 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:0
                              File Version Major:6
                              File Version Minor:0
                              Subsystem Version Major:6
                              Subsystem Version Minor:0
                              Import Hash:6e09f5ea9222053b840f418fc7379964

                              Authenticode Signature

                              Signature Valid:false
                              Signature Issuer:CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
                              Signature Validation Error:No signature was present in the subject
                              Error Number:-2146762496
                              Not Before, Not After
                              • 4/12/2021 5:00:00 PM 4/13/2022 4:59:59 PM
                              Subject Chain
                              • CN=FORTH PROPERTY LTD, O=FORTH PROPERTY LTD, L=Edinburgh, C=GB
                              Version:3
                              Thumbprint MD5:8AB6A86211EE700AA961C3292ADB312D
                              Thumbprint SHA-1:A533DFA7E6AED2A9FFBE41FCEC5A8927A6EAFBBB
                              Thumbprint SHA-256:9E0611728595A506CC2A55486FDD88ECA0971EF0B08F74CB3B3B6F5F6F3C7E27
                              Serial:239664C12BAEB5A6D787912888051392

                              Entrypoint Preview

                              Instruction
                              call 00007F139498FC80h
                              jmp 00007F1394988B95h
                              push 00000014h
                              push 0108A9F8h
                              call 00007F139498DB6Ah
                              call 00007F139498936Bh
                              movzx esi, ax
                              push 00000002h
                              call 00007F139498FC13h
                              pop ecx
                              mov eax, 00005A4Dh
                              cmp word ptr [01000000h], ax
                              je 00007F1394988B96h
                              xor ebx, ebx
                              jmp 00007F1394988BC5h
                              mov eax, dword ptr [0100003Ch]
                              cmp dword ptr [eax+01000000h], 00004550h
                              jne 00007F1394988B7Dh
                              mov ecx, 0000010Bh
                              cmp word ptr [eax+01000018h], cx
                              jne 00007F1394988B6Fh
                              xor ebx, ebx
                              cmp dword ptr [eax+01000074h], 0Eh
                              jbe 00007F1394988B9Bh
                              cmp dword ptr [eax+010000E8h], ebx
                              setne bl
                              mov dword ptr [ebp-1Ch], ebx
                              call 00007F139498DABDh
                              test eax, eax
                              jne 00007F1394988B9Ah
                              push 0000001Ch
                              call 00007F1394988CB7h
                              pop ecx
                              call 00007F139498EF7Bh
                              test eax, eax
                              jne 00007F1394988B9Ah
                              push 00000010h
                              call 00007F1394988CA6h
                              pop ecx
                              call 00007F139498FC8Ch
                              and dword ptr [ebp-04h], 00000000h
                              call 00007F139498F577h
                              test eax, eax
                              jns 00007F1394988B9Ah
                              push 0000001Bh
                              call 00007F1394988C8Ch
                              pop ecx
                              call dword ptr [0106A19Ch]
                              mov dword ptr [010AC3A8h], eax
                              call 00007F139498FCA7h
                              mov dword ptr [01097A94h], eax
                              call 00007F139498F864h
                              test eax, eax
                              jns 00007F1394988B9Ah

                              Data Directories

                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8ccf8 | 0x8c | .rdata
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xad000 | 0x41028 | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0xda000 | 0x2348 | .rsrc
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xef000 | 0x4d50 | .reloc
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6a3b0 | 0x38 | .rdata
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x87940 | 0x40 | .rdata
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IAT | 0x6a000 | 0x328 | .rdata
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                              Sections

                               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               .text | 0x1000 | 0x681b9 | 0x68200 | False | 0.623954269208 | data | 6.85141881321 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                               .rdata | 0x6a000 | 0x23f8a | 0x24000 | False | 0.64170328776 | data | 6.36645327435 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .data | 0x8e000 | 0x1e3ac | 0x7a00 | False | 0.527792008197 | data | 6.51367686644 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                               .rsrc | 0xad000 | 0x41028 | 0x41200 | False | 0.240744211852 | data | 5.36312234805 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .reloc | 0xef000 | 0x4d50 | 0x4e00 | False | 0.730168269231 | data | 6.65913941378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                              Resources

                               Name | RVA | Size | Type | Language | Country
                               RT_ICON | 0xad434 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
                               RT_ICON | 0xbdc5c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16580607, next used block 4294917888 | English | United States
                               RT_ICON | 0xc1e84 | 0x25a8 | data | English | United States
                               RT_ICON | 0xc442c | 0x10a8 | data | English | United States
                               RT_ICON | 0xc54d4 | 0x988 | data | English | United States
                               RT_ICON | 0xc5e5c | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                               RT_ICON | 0xc62c4 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
                               RT_ICON | 0xd6aec | 0x94a8 | data | English | United States
                               RT_ICON | 0xdff94 | 0x5488 | data | English | United States
                               RT_ICON | 0xe541c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 520093696 | English | United States
                               RT_ICON | 0xe9644 | 0x25a8 | data | English | United States
                               RT_ICON | 0xebbec | 0x10a8 | data | English | United States
                               RT_ICON | 0xecc94 | 0x988 | data | English | United States
                               RT_ICON | 0xed61c | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                               RT_STRING | 0xeda84 | 0xbc | data | English | United States
                               RT_STRING | 0xedb40 | 0x150 | data | English | United States
                               RT_GROUP_ICON | 0xedc90 | 0x76 | data | English | United States
                               RT_GROUP_ICON | 0xedd08 | 0x5a | data | English | United States
                               RT_VERSION | 0xedd64 | 0x2c4 | data | English | United States

                              Imports

                               DLL | Import
                               KERNEL32.dll | GetLastError, VirtualProtectEx, LoadLibraryA, OpenMutexA, SetConsoleOutputCP, DeviceIoControl, GetModuleFileNameA, CloseHandle, DeleteFileA, WriteConsoleW, SetStdHandle, GetStringTypeW, LoadLibraryW, WaitForMultipleObjectsEx, GetStartupInfoA, GetConsoleMode, GetConsoleCP, FlushFileBuffers, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, HeapReAlloc, CreateProcessA, Sleep, GetTickCount, SetFilePointerEx, GetCurrentProcess, UnregisterWaitEx, QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, InitializeSListHead, ReleaseSemaphore, SetProcessAffinityMask, VirtualProtect, VirtualFree, VirtualAlloc, GetVersionExW, GetModuleHandleA, FreeLibraryAndExitThread, FreeLibrary, GetThreadTimes, OutputDebugStringW, FatalAppExitA, SetConsoleCtrlHandler, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCurrentProcessId, QueryPerformanceCounter, GetFileType, HeapSize, GetProcessHeap, GetModuleFileNameW, WriteFile, GetStdHandle, WideCharToMultiByte, MultiByteToWideChar, AreFileApisANSI, GetModuleHandleExW, ExitProcess, IsDebuggerPresent, UnregisterWait, RegisterWaitForSingleObject, SetThreadAffinityMask, GetProcessAffinityMask, GetNumaHighestNodeNumber, DeleteTimerQueueTimer, ChangeTimerQueueTimer, CreateTimerQueueTimer, GetLogicalProcessorInformation, GetThreadPriority, SetThreadPriority, SwitchToThread, SignalObjectAndWait, WaitForSingleObjectEx, SetEvent, DuplicateHandle, WaitForSingleObject, GetCurrentThread, GetCurrentThreadId, GetExitCodeThread, GetSystemTimeAsFileTime, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapAlloc, EncodePointer, DecodePointer, GetCommandLineA, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, GetProcAddress, CreateSemaphoreW, CreateThread, ExitThread, LoadLibraryExW, RaiseException, RtlUnwind, HeapFree, TryEnterCriticalSection, CreateTimerQueue, RtlCaptureStackBackTrace, CreateFileW
                               USER32.dll | SetWindowTextA, CallNextHookEx, LoadBitmapA, GetClassInfoExA, EnumWindows, GetIconInfo, IsDialogMessageA, GetWindowLongA, CreateWindowExA, ReleaseDC, DefWindowProcA, CheckDlgButton, SendMessageA
                               ole32.dll | OleUninitialize, CoUninitialize, CoSuspendClassObjects, OleSetContainedObject, StgCreateDocfile, OleInitialize, CoInitialize
                               COMCTL32.dll | ImageList_LoadImageA, PropertySheetA, CreatePropertySheetPageA
                               WINSPOOL.DRV | DeletePortA, SetPrinterDataA, DeleteFormA, SetPortA, SetPrinterDataExA, AddMonitorA, ScheduleJob, AddPrinterConnectionA, ReadPrinter, AddPrinterDriverA, GetPrinterDataA, ResetPrinterA, PrinterMessageBoxA, DeletePrintProcessorA, GetPrinterDriverDirectoryA, OpenPrinterA, AddPortA, ConfigurePortA, GetPrinterDataExA, GetJobA, AddPrinterDriverExA, ClosePrinter, DeletePrinterDataExA, DeletePrinterConnectionA, DeletePrintProvidorA, StartPagePrinter, AbortPrinter, GetPrintProcessorDirectoryA, StartDocPrinterA, GetPrinterA, AddPrinterA, DeletePrinter, DeleteMonitorA, GetPrinterDriverA, AddFormA, DeletePrinterDriverA, AddPrintProcessorA, AddPrintProvidorA, SetFormA, GetFormA, DeletePrinterDataA, AddJobA, FlushPrinter, DeletePrinterDriverExA, SetJobA, FindClosePrinterChangeNotification, DeletePrinterKeyA
                               sfc.dll | SfcIsFileProtected

                              Version Infos

                               Description | Data
                               LegalCopyright | (C) 2011 Helpwould Use Corporation. All rights reserved.
                               FileVersion | 14.1.55.63
                               CompanyName | Helpwould Use Corporation
                               ProductName | Deathice
                               ProductVersion | 14.1.55.63
                               FileDescription | Deathice The Certain
                               Translation | 0x0409 0x04b0

                              Possible Origin

                              Language of compilation system | Country where language is spoken
                              English | United States

                              Network Behavior

                              Network Port Distribution

                              UDP Packets

                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Sep 10, 2021 10:19:05.132442951 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:19:05.161484003 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:19:30.374675989 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:19:30.421969891 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:19:34.837275028 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:19:34.869575024 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:19:36.165678978 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:19:36.204112053 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:19:36.210340023 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:19:36.245728016 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:19:36.251956940 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:19:36.281806946 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:19:36.942980051 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:19:36.968125105 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:19:47.375231028 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:19:47.404503107 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:19:53.820420027 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:19:53.861109018 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:19:57.645234108 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:19:57.698267937 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:19:57.787600040 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:19:57.825162888 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:19:57.877547026 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:19:57.905914068 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:19:58.493472099 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:19:58.518064976 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:20:01.685537100 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:20:01.711956978 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:20:02.306881905 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:20:02.342616081 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:20:04.849231005 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:20:04.883297920 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:20:05.854645014 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:20:05.891288996 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:20:06.855720043 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:20:06.883229971 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:20:08.855616093 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:20:08.880660057 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:20:09.253700018 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:20:09.284195900 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:20:12.903430939 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:20:12.933722973 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:20:18.807650089 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:20:18.843106985 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:20:29.859675884 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:20:29.895231009 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:20:34.081785917 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:20:34.125212908 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:20:35.866754055 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:20:35.903292894 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:20:38.577629089 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:20:38.610976934 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:20:39.762187004 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:20:39.799251080 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:20:39.806381941 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:20:39.841535091 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:20:39.864919901 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:20:39.892956018 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:20:43.477616072 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:20:43.516566038 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
                              Sep 10, 2021 10:21:03.289423943 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8
                              Sep 10, 2021 10:21:03.326101065 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3

                              DNS Queries

                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                              Sep 10, 2021 10:19:36.165678978 CEST | 192.168.2.3 | 8.8.8.8 | 0xad9 | Standard query (0) | haverit.xyz | A (IP address) | IN (0x0001)
                              Sep 10, 2021 10:19:36.210340023 CEST | 192.168.2.3 | 8.8.8.8 | 0xefe4 | Standard query (0) | haverit.xyz | A (IP address) | IN (0x0001)
                              Sep 10, 2021 10:19:36.251956940 CEST | 192.168.2.3 | 8.8.8.8 | 0x3542 | Standard query (0) | haverit.xyz | A (IP address) | IN (0x0001)
                              Sep 10, 2021 10:19:47.375231028 CEST | 192.168.2.3 | 8.8.8.8 | 0xef | Standard query (0) | haverit.xyz | A (IP address) | IN (0x0001)
                              Sep 10, 2021 10:19:57.877547026 CEST | 192.168.2.3 | 8.8.8.8 | 0x54aa | Standard query (0) | haverit.xyz | A (IP address) | IN (0x0001)
                              Sep 10, 2021 10:20:39.762187004 CEST | 192.168.2.3 | 8.8.8.8 | 0x523c | Standard query (0) | haverit.xyz | A (IP address) | IN (0x0001)
                              Sep 10, 2021 10:20:39.806381941 CEST | 192.168.2.3 | 8.8.8.8 | 0xbfef | Standard query (0) | haverit.xyz | A (IP address) | IN (0x0001)
                              Sep 10, 2021 10:20:39.864919901 CEST | 192.168.2.3 | 8.8.8.8 | 0x7c23 | Standard query (0) | haverit.xyz | A (IP address) | IN (0x0001)

                              DNS Answers

                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                              Sep 10, 2021 10:19:36.204112053 CEST | 8.8.8.8 | 192.168.2.3 | 0xad9 | Name error (3) | haverit.xyz | none | none | A (IP address) | IN (0x0001)
                              Sep 10, 2021 10:19:36.245728016 CEST | 8.8.8.8 | 192.168.2.3 | 0xefe4 | Name error (3) | haverit.xyz | none | none | A (IP address) | IN (0x0001)
                              Sep 10, 2021 10:19:36.281806946 CEST | 8.8.8.8 | 192.168.2.3 | 0x3542 | Server failure (2) | haverit.xyz | none | none | A (IP address) | IN (0x0001)
                              Sep 10, 2021 10:19:47.404503107 CEST | 8.8.8.8 | 192.168.2.3 | 0xef | Name error (3) | haverit.xyz | none | none | A (IP address) | IN (0x0001)
                              Sep 10, 2021 10:19:57.905914068 CEST | 8.8.8.8 | 192.168.2.3 | 0x54aa | Name error (3) | haverit.xyz | none | none | A (IP address) | IN (0x0001)
                              Sep 10, 2021 10:20:39.799251080 CEST | 8.8.8.8 | 192.168.2.3 | 0x523c | Name error (3) | haverit.xyz | none | none | A (IP address) | IN (0x0001)
                              Sep 10, 2021 10:20:39.841535091 CEST | 8.8.8.8 | 192.168.2.3 | 0xbfef | Name error (3) | haverit.xyz | none | none | A (IP address) | IN (0x0001)
                              Sep 10, 2021 10:20:39.892956018 CEST | 8.8.8.8 | 192.168.2.3 | 0x7c23 | Name error (3) | haverit.xyz | none | none | A (IP address) | IN (0x0001)

                              Code Manipulations

                              Statistics

                              CPU Usage


                              Memory Usage


                              Behavior


                              System Behavior

                              General

                              Start time:10:19:09
                              Start date:10/09/2021
                              Path:C:\Users\user\Desktop\PiSUfsy.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Users\user\Desktop\PiSUfsy.exe'
                              Imagebase:0x1000000
                              File size:901960 bytes
                              MD5 hash:DDB8CC4E8E2EC81904A1407409D2E868
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.264598600.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.263576889.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.263664962.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.263998701.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.264803904.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.265069629.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.264908364.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.264991465.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.491537444.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.264096930.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.264335310.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.264179756.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.264748310.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.264400907.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.263748838.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.265030298.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.264264868.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.265133135.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.263486576.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.265228562.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.264483322.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.265215776.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.265171426.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.264953421.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.264543495.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.264853737.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.263829043.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.265202788.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.265187906.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.265153237.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.263907888.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.264686483.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.265106061.00000000035D0000.00000004.00000040.sdmp, Author: Joe Security
                              Reputation:low

                              General

                              Start time:10:19:33
                              Start date:10/09/2021
                              Path:C:\Program Files\internet explorer\iexplore.exe
                              Wow64 process (32bit):false
                              Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                              Imagebase:0x7ff7ecf00000
                              File size:823560 bytes
                              MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:10:19:33
                              Start date:10/09/2021
                              Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3040 CREDAT:17410 /prefetch:2
                              Imagebase:0x350000
                              File size:822536 bytes
                              MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:10:20:36
                              Start date:10/09/2021
                              Path:C:\Program Files\internet explorer\iexplore.exe
                              Wow64 process (32bit):false
                              Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                              Imagebase:0x7ff7ecf00000
                              File size:823560 bytes
                              MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:10:20:37
                              Start date:10/09/2021
                              Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6724 CREDAT:17410 /prefetch:2
                              Imagebase:0x350000
                              File size:822536 bytes
                              MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Disassembly

                              Code Analysis
