
Windows Analysis Report CGd7lq6RDL.dll

Overview

General Information

Sample Name: CGd7lq6RDL.dll (renamed file extension from dll to exe)
Analysis ID: 481103
MD5: c7b71f03f190a5da3e4976f37194419f
SHA1: 8e750d01e1a5edb2c320e1b0b703b5823f241587
SHA256: 930d54df724f1637f38d840e1822fa8f5cccedceb4b86d0e737e2311162e0921
Detection

Ursnif, Ursnif v3
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
Detected unpacking (changes PE section rights)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
PE file contains an invalid checksum
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Process Tree

  • System is w10x64
  • CGd7lq6RDL.exe (PID: 6948 cmdline: 'C:\Users\user\Desktop\CGd7lq6RDL.exe' MD5: C7B71F03F190A5DA3E4976F37194419F)
  • iexplore.exe (PID: 6672 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6824 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5656 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6136 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5656 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.385018366.0000000003610000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.384548084.0000000003610000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.383601456.0000000003610000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.385072202.0000000003610000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.384483225.0000000003610000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(5 of 29 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.3.CGd7lq6RDL.exe.da9d7c.0.raw.unpack | JoeSecurity_Ursnifv3 | Yara detected Ursnif | Joe Security |
1.2.CGd7lq6RDL.exe.1000000.0.unpack | JoeSecurity_Ursnifv3 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Machine Learning detection for sample
Source: CGd7lq6RDL.exe | Joe Sandbox ML: detected
Source: 1.3.CGd7lq6RDL.exe.da9d7c.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.CGd7lq6RDL.exe.1000000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: CGd7lq6RDL.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb source: CGd7lq6RDL.exe

Networking:

Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: haverit.xyz
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | DNS query: haverit.xyz
Source: unknown | DNS traffic detected: query: haverit.xyz replaycode: Name error (3)
Source: msapplication.xml0.9.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb5fcbe9d,0x01d7a66e</date><accdate>0xb5fcbe9d,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.9.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb5fcbe9d,0x01d7a66e</date><accdate>0xb5fcbe9d,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.9.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb603e652,0x01d7a66e</date><accdate>0xb603e652,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.9.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb603e652,0x01d7a66e</date><accdate>0xb603e652,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.9.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb603e652,0x01d7a66e</date><accdate>0xb603e652,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.9.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb603e652,0x01d7a66e</date><accdate>0xb603e652,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: CGd7lq6RDL.exe, 00000001.00000003.385278956.0000000003610000.00000004.00000040.sdmp | String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: CGd7lq6RDL.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: CGd7lq6RDL.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CGd7lq6RDL.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: CGd7lq6RDL.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CGd7lq6RDL.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: CGd7lq6RDL.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: CGd7lq6RDL.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: CGd7lq6RDL.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: CGd7lq6RDL.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CGd7lq6RDL.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: CGd7lq6RDL.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: CGd7lq6RDL.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: CGd7lq6RDL.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: CGd7lq6RDL.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.9.dr | String found in binary or memory: http://www.amazon.com/
Source: CGd7lq6RDL.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: msapplication.xml1.9.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.9.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.9.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.9.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.9.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.9.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.9.dr | String found in binary or memory: http://www.youtube.com/
Source: CGd7lq6RDL.exe | String found in binary or memory: https://haverit.xyz
Source: ~DF849AFB3A04ECE3BF.TMP.9.dr | String found in binary or memory: https://haverit.xyz/index.htm
Source: {E0443E1C-1261-11EC-90E5-ECF4BB2D2496}.dat.9.dr | String found in binary or memory: https://haverit.xyz/index.htmRoot
Source: {E0443E1C-1261-11EC-90E5-ECF4BB2D2496}.dat.9.dr | String found in binary or memory: https://haverit.xyz/index.htmdex.htm
Source: CGd7lq6RDL.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: CGd7lq6RDL.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | DNS traffic detected: queries for: haverit.xyz

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 1.3.CGd7lq6RDL.exe.da9d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CGd7lq6RDL.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: CGd7lq6RDL.exe PID: 6948, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 1.3.CGd7lq6RDL.exe.da9d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CGd7lq6RDL.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: CGd7lq6RDL.exe PID: 6948, type: MEMORYSTR

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: CGd7lq6RDL.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: CGd7lq6RDL.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CGd7lq6RDL.exe | Static PE information: invalid certificate
Source: CGd7lq6RDL.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\CGd7lq6RDL.exe 'C:\Users\user\Desktop\CGd7lq6RDL.exe'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5656 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E0443E1A-1261-11EC-90E5-ECF4BB2D2496}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF9956526A696EBC76.TMP
Source: classification engine | Classification label: mal80.troj.evad.winEXE@7/29@8/1
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: CGd7lq6RDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: CGd7lq6RDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: CGd7lq6RDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: CGd7lq6RDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CGd7lq6RDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: CGd7lq6RDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb source: CGd7lq6RDL.exe
Source: CGd7lq6RDL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CGd7lq6RDL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CGd7lq6RDL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CGd7lq6RDL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CGd7lq6RDL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | Unpacked PE file: 1.2.CGd7lq6RDL.exe.1000000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
Source: CGd7lq6RDL.exe | Static PE information: real checksum: 0xe5cf6 should be: 0xdf042
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | Code function: 1_3_0361198A push ds; retf
Source: initial sample | Static PE information: section name: .text entropy: 6.85142771967

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 1.3.CGd7lq6RDL.exe.da9d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CGd7lq6RDL.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
                Source: Yara matchFile source: 00000001.00000003.385191377.0000000003610000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.383501926.0000000003610000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.384938347.0000000003610000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.606209100.0000000003610000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.384982348.0000000003610000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.385155225.0000000003610000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.384003623.0000000003610000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.384615803.0000000003610000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.384747658.0000000003610000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.383189063.0000000003610000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.384415120.0000000003610000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.384102374.0000000003610000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.384895266.0000000003610000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: CGd7lq6RDL.exe PID: 6948, type: MEMORYSTR
                Source: C:\Users\user\Desktop\CGd7lq6RDL.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\CGd7lq6RDL.exe TID: 5976Thread sleep time: -30000s >= -30000s
                Source: CGd7lq6RDL.exe, 00000001.00000002.606098013.0000000001100000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                Source: CGd7lq6RDL.exe, 00000001.00000002.606098013.0000000001100000.00000002.00020000.sdmpBinary or memory string: Progman
                Source: CGd7lq6RDL.exe, 00000001.00000002.606098013.0000000001100000.00000002.00020000.sdmpBinary or memory string: &Program Manager
                Source: CGd7lq6RDL.exe, 00000001.00000002.606098013.0000000001100000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\CGd7lq6RDL.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\Desktop\CGd7lq6RDL.exeWMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

                Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 1.3.CGd7lq6RDL.exe.da9d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CGd7lq6RDL.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.385018366.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384548084.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383601456.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385072202.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384483225.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384261011.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385265307.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385224495.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384337083.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383794745.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385278956.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383290755.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385120189.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385245280.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384188109.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384802369.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383702783.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383888043.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384673722.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384849581.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385191377.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383501926.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384938347.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.606209100.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384982348.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385155225.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384003623.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384615803.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384747658.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383189063.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384415120.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384102374.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384895266.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CGd7lq6RDL.exe PID: 6948, type: MEMORYSTR

                Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 1.3.CGd7lq6RDL.exe.da9d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CGd7lq6RDL.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.385018366.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384548084.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383601456.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385072202.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384483225.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384261011.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385265307.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385224495.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384337083.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383794745.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385278956.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383290755.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385120189.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385245280.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384188109.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384802369.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383702783.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383888043.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384673722.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384849581.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385191377.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383501926.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384938347.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.606209100.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384982348.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385155225.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384003623.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384615803.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384747658.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383189063.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384415120.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384102374.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384895266.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CGd7lq6RDL.exe PID: 6948, type: MEMORYSTR

                Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 2 | Masquerading 1 | OS Credential Dumping | Query Registry 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 1 | LSASS Memory | Security Software Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 2 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 12 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph

Behavior graph (rendered image not reproduced; the node and edge information recoverable from it follows).
Behavior Graph ID: 481103, Sample: CGd7lq6RDL.dll, Start date: 10/09/2021, Architecture: WINDOWS, Score: 80
Sample-level signatures: Yara detected Ursnif (two rules), Performs DNS queries to domains with low reputation, Machine Learning detection for sample
Process CGd7lq6RDL.exe: resolves haverit.xyz; signatures: Detected unpacking (changes PE section rights), Performs DNS queries to domains with low reputation, Writes or reads registry keys via WMI, Writes registry values via WMI
Process iexplore.exe (two instances): contacts 192.168.2.1 (unknown); each starts a child iexplore.exe that resolves haverit.xyz


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

Source | Detection | Scanner | Label
CGd7lq6RDL.exe | 100% | Joe Sandbox ML |

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

Source | Detection | Scanner | Label
1.3.CGd7lq6RDL.exe.da9d7c.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.2.CGd7lq6RDL.exe.1000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7

                Domains

                No Antivirus matches

                URLs

Source | Detection | Scanner | Label
https://haverit.xyz/index.htm | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://haverit.xyz/index.htmdex.htm | 0% | Avira URL Cloud | safe
http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html; | 0% | Avira URL Cloud | safe
http://www.wikipedia.com/ | 0% | URL Reputation | safe
https://haverit.xyz | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
https://haverit.xyz/index.htmRoot | 0% | Avira URL Cloud | safe

                Domains and IPs

                Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
haverit.xyz | unknown | unknown | true | | unknown

                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://haverit.xyz/index.htm | ~DF849AFB3A04ECE3BF.TMP.9.dr | false | Avira URL Cloud: safe | unknown
http://www.nytimes.com/ | msapplication.xml3.9.dr | false | | high
https://sectigo.com/CPS0 | CGd7lq6RDL.exe | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | CGd7lq6RDL.exe | false | URL Reputation: safe | unknown
https://haverit.xyz/index.htmdex.htm | {E0443E1C-1261-11EC-90E5-ECF4BB2D2496}.dat.9.dr | false | Avira URL Cloud: safe | unknown
http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html; | CGd7lq6RDL.exe, 00000001.00000003.385278956.0000000003610000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | low
http://www.youtube.com/ | msapplication.xml7.9.dr | false | | high
http://www.wikipedia.com/ | msapplication.xml6.9.dr | false | URL Reputation: safe | unknown
http://www.amazon.com/ | msapplication.xml.9.dr | false | | high
https://haverit.xyz | CGd7lq6RDL.exe | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | CGd7lq6RDL.exe | false | URL Reputation: safe | unknown
http://www.live.com/ | msapplication.xml2.9.dr | false | | high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | CGd7lq6RDL.exe | false | URL Reputation: safe | unknown
http://www.reddit.com/ | msapplication.xml4.9.dr | false | | high
http://www.twitter.com/ | msapplication.xml5.9.dr | false | | high
https://haverit.xyz/index.htmRoot | {E0443E1C-1261-11EC-90E5-ECF4BB2D2496}.dat.9.dr | false | Avira URL Cloud: safe | unknown
http://www.google.com/ | msapplication.xml1.9.dr | false | | high

                                Contacted IPs


                                Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious

                                Private

                                IP
                                192.168.2.1

                                General Information

                                Joe Sandbox Version:33.0.0 White Diamond
                                Analysis ID:481103
                                Start date:10.09.2021
                                Start time:11:05:32
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 6m 6s
                                Hypervisor based Inspection enabled:false
                                Report type:light
                                Sample file name:CGd7lq6RDL.dll (renamed file extension from dll to exe)
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:26
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal80.troj.evad.winEXE@7/29@8/1
                                EGA Information:Failed
                                HDC Information:Failed
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                Warnings:
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.203.80.193, 20.82.209.183, 20.54.110.249, 40.112.88.60, 152.199.19.161, 80.67.82.235, 80.67.82.211, 23.211.4.86
                                • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ie9comview.vo.msecnd.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net
• Execution Graph export aborted for target CGd7lq6RDL.exe, PID 6948 because there are no executed functions
• Not all processes were analyzed; report is missing behavior information
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: /opt/package/joesandbox/database/analysis/481103/sample/CGd7lq6RDL.exe

                                Simulations

                                Behavior and APIs

Time | Type | Description
11:07:06 | API Interceptor | 2x Sleep call for process: CGd7lq6RDL.exe modified

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

                                ASN

                                No context

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{06650DBE-1262-11EC-90E5-ECF4BB2D2496}.dat
                                Process:C:\Program Files\internet explorer\iexplore.exe
                                File Type:Microsoft Word Document
                                Category:dropped
                                Size (bytes):29272
                                Entropy (8bit):1.7678852739688395
                                Encrypted:false
                                SSDEEP:48:Iw7GcprqGwpL7G/ap8jGIpcHGvnZpvDHGoERqp9p1QGo4w01pmQGWEz41ZGWEBTK:rhZyZb2lW4twAf7zw01Mfs+IqcTA2PDB
                                MD5:91D74D68B43CCDAE94C1706D038C8A1A
                                SHA1:8227029E9BA7F0E28E4DCC141EB41BBA47EF138A
                                SHA-256:C866FCEBE96AF3868188B0AC5293E9AE25A2D08CDBAD0933AE71F2F37BCDF248
                                SHA-512:476AF38E28FDF7F43F0C947BDCA7FC6EBAF67788997749C0661B13DB2A77B76DDADA362A4BF3D52162A66E0A8093557C71C62DFBFDD04E10DF1EF3AD4BA6C662
                                Malicious:false
                                Reputation:low
                                Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E0443E1A-1261-11EC-90E5-ECF4BB2D2496}.dat
                                Process:C:\Program Files\internet explorer\iexplore.exe
                                File Type:Microsoft Word Document
                                Category:dropped
                                Size (bytes):29272
                                Entropy (8bit):1.7653086061397365
                                Encrypted:false
                                SSDEEP:48:IwcGcprlGwpLVG/ap8AGIpcnGvnZpvQ8Go7zRqp9TuQGo4/zrz1pm3GW7zznz1YK:rAZvZx2wWYtDAfyzrv1MBnWIeXThRkDB
                                MD5:0E5636275C441CD90C269D5C6EF99D80
                                SHA1:7F044DC2479A60F9AA3AC28957322EB0E1669E4D
                                SHA-256:A71C123B695592F824A3E57997E78CA48F243820109E60294A8170227E8BD53E
                                SHA-512:6586B3C502ED21B6D94A343D0FA42639E3C4EED575EE88BE945350D6D3641212C410522B4020194EFDF07A26538A5BF866FCA5EDF4FE16F3B6D90ACF216E49E0
                                Malicious:false
                                Reputation:low
                                Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{06650DC0-1262-11EC-90E5-ECF4BB2D2496}.dat
                                Process:C:\Program Files\internet explorer\iexplore.exe
                                File Type:Microsoft Word Document
                                Category:dropped
                                Size (bytes):26240
                                Entropy (8bit):1.6570043927330005
                                Encrypted:false
                                SSDEEP:48:IwO0GcprAfGwpap0G4pQ/mGrapbS0GQpBKGHHpcWTGUp8OGzYpmxQGopO3yDpGq2:rZZKQq6ABSsjR2mWiMGkMVfA
                                MD5:7FA8DD3F4FB00A17B2C41F231E9A0E07
                                SHA1:BDCEB0136D5E5C3394AFF432B30CF297D9A32E33
                                SHA-256:15E70B605701F421505DFC949C2F0273418CB913CDF5A2376B3E44354A21FF56
                                SHA-512:9EC4CD119B8E109C9ED5DDE75F6E32B6CC4D7E82E9B2CECBC4557EE2F644F23B6F82B60DC7D01CE81568890338C9348091AE92B757C65E4FF596D4AD6BB827BC
                                Malicious:false
                                Reputation:low
                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E0443E1C-1261-11EC-90E5-ECF4BB2D2496}.dat
                                Process:C:\Program Files\internet explorer\iexplore.exe
                                File Type:Microsoft Word Document
                                Category:dropped
                                Size (bytes):26240
                                Entropy (8bit):1.6575667429961585
                                Encrypted:false
                                SSDEEP:48:IwaGcprnkGwpawPG4pQ2dGrapbSiGQpBOGHHpcLTGUp81GzYpm5DGopOTyDLGqXZ:reZcQg6yBSqjd2lWLM/kWVoA
                                MD5:C81D77FE65821897EC6BDED4CDDB1153
                                SHA1:AB2D019A9C9E781534D1ED5358C5A46C801AF633
                                SHA-256:1DA4003576AAD9DECA1E93655F7FFF67F88E1EEFAB0FED707374B867A076029A
                                SHA-512:5A282CA90671A48F6BF08F62E3CE021CD9D4F652E0C2E81577283C1CE829345AA6FC582FDB115F8720A651D4203356C6B79AF8E30099A48E624BCDBBD3BC4064
                                Malicious:false
                                Reputation:low
                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
                                Process:C:\Program Files\internet explorer\iexplore.exe
                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                Category:dropped
                                Size (bytes):659
                                Entropy (8bit):5.0673004512682684
                                Encrypted:false
                                SSDEEP:12:TMHdNMNxOE84l74lMnWimI002EtM3MHdNMNxOE84l74lMnWimI00OVbVbkEtMb:2d6NxOC0MSZHKd6NxOC0MSZ7V6b
                                MD5:720C1B6AE76C69288735B54685FF20F6
                                SHA1:116894018C32921C13272B3442A02A97B84FF73A
                                SHA-256:7EF6FCC9BC4CBBDFD4D6FFA5348FCC30187B5DFDC00DA7F7D7097196BBD227F9
                                SHA-512:325BC40B2D093D892362D6112F4C3A4BD46CA95DC34A184881B666124E33724FEB11E44CF9C84C28E9CE693E4F208A465A8ADA131CB6BC521D87B1125EB55240
                                Malicious:false
                                Reputation:low
                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb603e652,0x01d7a66e</date><accdate>0xb603e652,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb603e652,0x01d7a66e</date><accdate>0xb603e652,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..
                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
                                Process:C:\Program Files\internet explorer\iexplore.exe
                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                Category:dropped
                                Size (bytes):656
                                Entropy (8bit):5.088537313641816
                                Encrypted:false
                                SSDEEP:12:TMHdNMNxe2kjBtBRnWimI002EtM3MHdNMNxe2kjBtBRnWimI00OVbkak6EtMb:2d6NxrIBtBRSZHKd6NxrIBtBRSZ7VAan
                                MD5:6E339B98FAEC4B8200B314938FD4C7F6
                                SHA1:B6572CF80F6BECD31325FA024BCF4029DBD3A5AA
                                SHA-256:C6104511DC96081C1E30333DC40B46D18CF336049BE480FDBE454A4CABA52BAF
                                SHA-512:90AA84F8B5CCFBC800C1CDC28E46BB12B1F586AD1B012122DBAAB9323EF17A5AA6D9B5E6F20491F302D577565507EAF2A5BC67D81BAF320EB8ED2339F22BD409
                                Malicious:false
                                Reputation:low
                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xb5fcbe9d,0x01d7a66e</date><accdate>0xb5fcbe9d,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xb5fcbe9d,0x01d7a66e</date><accdate>0xb5fcbe9d,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..
                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
                                Process:C:\Program Files\internet explorer\iexplore.exe
                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                Category:dropped
                                Size (bytes):665
                                Entropy (8bit):5.086871044550789
                                Encrypted:false
                                SSDEEP:12:TMHdNMNxvL84l74lMnWimI002EtM3MHdNMNxvL84l74lMnWimI00OVbmZEtMb:2d6Nxv/0MSZHKd6Nxv/0MSZ7Vmb
                                MD5:9F1828F27A4F7BED74A2D84A6130EDB4
                                SHA1:B312E021BC2C22E7E4B8A8E641C97A488C18261D
                                SHA-256:32E1858AEB47481FDF276C220FB0B9B4C94DEDED69F767F180A17C579437A805
                                SHA-512:6FF87F1A06F870FB0B7E752B790B6314FB742A637689A77523A335054694EFDD56EDBA543E848BF1FAFD10FAA28C5BA18959E68781262AAA02B03A76EC975F6A
                                Malicious:false
                                Reputation:low
                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xb603e652,0x01d7a66e</date><accdate>0xb603e652,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xb603e652,0x01d7a66e</date><accdate>0xb603e652,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..
                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
                                Process:C:\Program Files\internet explorer\iexplore.exe
                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                Category:dropped
                                Size (bytes):650
                                Entropy (8bit):5.075595889238291
                                Encrypted:false
                                SSDEEP:12:TMHdNMNxijBtBRnWimI002EtM3MHdNMNxijBtBRnWimI00OVbd5EtMb:2d6NxKBtBRSZHKd6NxKBtBRSZ7VJjb
                                MD5:6D86F9B2BC32E5AAD8FDB49FFD43F94A
                                SHA1:B2CD5F8A87D637F5C6E2C87C5CE4C459F9C7476E
                                SHA-256:C507957165F8EFB8BBD112C908FCADEB73E9C692A74F5029C760F2833DC91C3D
                                SHA-512:F98ADC890C978F2F0EBF298A459196C5CA846791B93219E20B6850CE9DC5F4F4A4795CC47815B0A048B423C261F5DA18D9CC8DD48C8582974E6F2162672F9B56
                                Malicious:false
                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xb5fcbe9d,0x01d7a66e</date><accdate>0xb5fcbe9d,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xb5fcbe9d,0x01d7a66e</date><accdate>0xb5fcbe9d,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..
                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
                                Process:C:\Program Files\internet explorer\iexplore.exe
                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                Category:dropped
                                Size (bytes):659
                                Entropy (8bit):5.09846477693444
                                Encrypted:false
                                SSDEEP:12:TMHdNMNxhGw84l74lMnWimI002EtM3MHdNMNxhGw84l74lMnWimI00OVb8K075Es:2d6NxQ20MSZHKd6NxQ20MSZ7VYKajb
                                MD5:8558B33EC3D187F4FEF608A562E12D80
                                SHA1:C23BFD2A6FF524C8A9715E511AADE7098557E533
                                SHA-256:BCC0B19E079D29D80757A892E266CBA59A1995B3DC3A35ECAD56734F3BBA2C90
                                SHA-512:4C4899BB375B036EA6E4A1EFD368DB3A7B35C35C5183F47100E67294E333812B174DB5F76DE6DBEEEF2CE8274A9BF71D7E266CB7CC902576479A8F70E573F78B
                                Malicious:false
                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb603e652,0x01d7a66e</date><accdate>0xb603e652,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb603e652,0x01d7a66e</date><accdate>0xb603e652,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..
                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
                                Process:C:\Program Files\internet explorer\iexplore.exe
                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                Category:dropped
                                Size (bytes):656
                                Entropy (8bit):5.070985183767182
                                Encrypted:false
                                SSDEEP:12:TMHdNMNx0n84l74lMnWimI002EtM3MHdNMNx0n84l74lMnWimI00OVbxEtMb:2d6Nx0D0MSZHKd6Nx0D0MSZ7Vnb
                                MD5:94B687BCE7F42C5FCE98156DCCFE1165
                                SHA1:EA18499D3B3777B83145C8110A688BDBE3536772
                                SHA-256:6CDFB7D1E0467264EE8C0418794EAADE5209140F06B5721B921F4FC81BD7EE93
                                SHA-512:844CD404DEFA95E66544CBE8CF705313587932E32BB694CA967ED66B70C483D816042A2C18D35BC29D3A0DA2BA08DE54DDFCEEE8BC56DF45B4DBEBC870135AD1
                                Malicious:false
                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xb603e652,0x01d7a66e</date><accdate>0xb603e652,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xb603e652,0x01d7a66e</date><accdate>0xb603e652,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..
                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
                                Process:C:\Program Files\internet explorer\iexplore.exe
                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                Category:dropped
                                Size (bytes):659
                                Entropy (8bit):5.109499180513016
                                Encrypted:false
                                SSDEEP:12:TMHdNMNxxjBtBRnWimI002EtM3MHdNMNxxjBq4lMnWimI00OVb6Kq5EtMb:2d6NxRBtBRSZHKd6NxRBtMSZ7Vob
                                MD5:D1BB70C7AEC00622B4B93AAF50742418
                                SHA1:3D191B22DE45823A85E2B2151842F88EA2DD159B
                                SHA-256:F25615F8A56F3B23763B8A7DD15C1C117909C685F3B7CAF6D071107EA2FCC28D
                                SHA-512:16B4312C6D7E2410B88035B923CC410CE6C80D1C17F8C58981E1E73BFEFE387E76FBAAEB1BEF9659CFC31C5890C582E64BA9F1966C50C0DBE728246A18ACE30F
                                Malicious:false
                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xb5fcbe9d,0x01d7a66e</date><accdate>0xb5fcbe9d,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xb5fcbe9d,0x01d7a66e</date><accdate>0xb603e652,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..
                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
                                Process:C:\Program Files\internet explorer\iexplore.exe
                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                Category:dropped
                                Size (bytes):662
                                Entropy (8bit):5.0736778920006635
                                Encrypted:false
                                SSDEEP:12:TMHdNMNxcjBtBRnWimI002EtM3MHdNMNxcjBtBRnWimI00OVbVEtMb:2d6NxQBtBRSZHKd6NxQBtBRSZ7VDb
                                MD5:8FFB06B03840C41C277CF7B6C3EDF51C
                                SHA1:1ABDF733FB6F9183040F0443B3206FBBBB0BB692
                                SHA-256:E53959D9D9012CBD7602EA6E30B632AF76113536B96855F7D88602B2E770BC17
                                SHA-512:2D9DF8B20A60115E9F3414823CF4BCFA432D6DEF3CF992EA797BE5F5E8D83702A8D8961EE85F1F1AC67C6AAA6C3732DBB913AD4DBA2B4A766842104EA3527E87
                                Malicious:false
                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb5fcbe9d,0x01d7a66e</date><accdate>0xb5fcbe9d,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb5fcbe9d,0x01d7a66e</date><accdate>0xb5fcbe9d,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..
                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
                                Process:C:\Program Files\internet explorer\iexplore.exe
                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                Category:dropped
                                Size (bytes):656
                                Entropy (8bit):5.061334817329456
                                Encrypted:false
                                SSDEEP:12:TMHdNMNxfnjBtBRnWimI002EtM3MHdNMNxfnjBtBRnWimI00OVbe5EtMb:2d6NxLBtBRSZHKd6NxLBtBRSZ7Vijb
                                MD5:8A8289DB3625D7AFB565EC722F6AA989
                                SHA1:2551F20C55637F97DCE84BA7A9B74F5C06C474AD
                                SHA-256:537D95D201DD28532C259CAC26D3A9E917CBBE6B4D39B25FA265B291D139802D
                                SHA-512:71D9011162826FB05745B5FA32F94E824809588AD2155D91436853D3257FE86F51BC19F2DB6527CE4C6C8B1B97B3734EAB3781E7DE438ACF169959D94584CEB7
                                Malicious:false
                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xb5fcbe9d,0x01d7a66e</date><accdate>0xb5fcbe9d,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xb5fcbe9d,0x01d7a66e</date><accdate>0xb5fcbe9d,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\NewErrorPageTemplate[1]
                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1612
                                Entropy (8bit):4.869554560514657
                                Encrypted:false
                                SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                                MD5:DFEABDE84792228093A5A270352395B6
                                SHA1:E41258C9576721025926326F76063C2305586F76
                                SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                                SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                                Malicious:false
                                Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\down[1]
                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                Category:dropped
                                Size (bytes):748
                                Entropy (8bit):7.249606135668305
                                Encrypted:false
                                SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                MD5:C4F558C4C8B56858F15C09037CD6625A
                                SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                Malicious:false
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\errorPageStrings[1]
                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):5.164796203267696
                                Encrypted:false
                                SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                                MD5:D65EC06F21C379C87040B83CC1ABAC6B
                                SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                                SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                                SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                                Malicious:false
                                Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\NewErrorPageTemplate[1]
                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1612
                                Entropy (8bit):4.869554560514657
                                Encrypted:false
                                SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                                MD5:DFEABDE84792228093A5A270352395B6
                                SHA1:E41258C9576721025926326F76063C2305586F76
                                SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                                SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                                Malicious:false
                                Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\dnserror[1]
                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):2997
                                Entropy (8bit):4.4885437940628465
                                Encrypted:false
                                SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                                MD5:2DC61EB461DA1436F5D22BCE51425660
                                SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                                SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                                SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                                Malicious:false
                                Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\down[1]
                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                Category:dropped
                                Size (bytes):748
                                Entropy (8bit):7.249606135668305
                                Encrypted:false
                                SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                MD5:C4F558C4C8B56858F15C09037CD6625A
                                SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                Malicious:false
                                Preview: .PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\httpErrorPagesScripts[1]
                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):12105
                                Entropy (8bit):5.451485481468043
                                Encrypted:false
                                SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                                MD5:9234071287E637F85D721463C488704C
                                SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                Malicious:false
                                Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\dnserror[1]
                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):2997
                                Entropy (8bit):4.4885437940628465
                                Encrypted:false
                                SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                                MD5:2DC61EB461DA1436F5D22BCE51425660
                                SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                                SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                                SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                                Malicious:false
                                Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\errorPageStrings[1]
                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):5.164796203267696
                                Encrypted:false
                                SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                                MD5:D65EC06F21C379C87040B83CC1ABAC6B
                                SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                                SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                                SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                                Malicious:false
                                Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\httpErrorPagesScripts[1]
                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):12105
                                Entropy (8bit):5.451485481468043
                                Encrypted:false
                                SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                                MD5:9234071287E637F85D721463C488704C
                                SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                Malicious:false
                                Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                                C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:modified
                                Size (bytes):89
                                Entropy (8bit):4.45974266689267
                                Encrypted:false
                                SSDEEP:3:oVXUp0f2c8JOGXnEp0f2TLun:o9UpGqEpU
                                MD5:2255590FBF7B2B2DE3B8ABF420E87CE1
                                SHA1:49D48DC36BAC1FE9D0AC98A2C981451B3A3B213F
                                SHA-256:9230DC2F04354883072E5A1F94D04C9F618E863937CAC067992C5500F937E91C
                                SHA-512:540B6B368FD1173F9635D3E05B936F713593123A44738FCC9C25E9D8AC8DCEC38607BA952BFA10578FA444C964EB0C5142FBF4DA653B24783CF93B040210A945
                                Malicious:false
                                Preview: [2021/09/10 11:07:58.739] Latest deploy version: ..[2021/09/10 11:07:58.739] 11.211.2 ..
                                C:\Users\user\AppData\Local\Temp\~DF54FE3B7C7FD18873.TMP
                                Process:C:\Program Files\internet explorer\iexplore.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):12933
                                Entropy (8bit):0.4085493096259837
                                Encrypted:false
                                SSDEEP:24:c9lLh9lLh9lIn9lIn9lo/9lo/9lWsSKMJ:kBqoIg+J
                                MD5:EBBDD5B53D8E906796F7500DD2255B8D
                                SHA1:134C6ED30946D5C9B8D052EF9D3F5D6FEEE45602
                                SHA-256:578F3EE53F83BF3D32B9D77EE25801BF0F7885C1878BD52DA67151936CCFFE70
                                SHA-512:F96DFD204FB925AEC0381AB1F9F204A1888A54300671D0B3142B5DC1C7954262DB1940F9A5853D9A877EC8AC7392B28D484C3CA4F8F48299CFBE010020E2605D
                                Malicious:false
                                Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Users\user\AppData\Local\Temp\~DF849AFB3A04ECE3BF.TMP
                                Process:C:\Program Files\internet explorer\iexplore.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):38737
                                Entropy (8bit):0.37139184013210086
                                Encrypted:false
                                SSDEEP:48:kBqoxKAuvScS+Ye0F5I5wTyDZTyDbTyDU:kBqoxKAuvScS+Ye0FO2KQN
                                MD5:D02335560B534BE6D104EB2EB3FB9272
                                SHA1:3C720A2CB2EEC0F62A256E4FA314E5CD2195312F
                                SHA-256:1602942D59034772849BAE5AF52258B4D4EFA68E4F0172BB634E09A4F551617E
                                SHA-512:878F942F89977EFABDA185E151D19DA95B64C4696EC0E72A1043FEED165706BA4D1CD95C2CB9F7C9B11A70125173D8D706938732089399D18D5E8AA5CA21A934
                                Malicious:false
                                Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Users\user\AppData\Local\Temp\~DF9956526A696EBC76.TMP
                                Process:C:\Program Files\internet explorer\iexplore.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):12933
                                Entropy (8bit):0.40921707933435686
                                Encrypted:false
                                SSDEEP:12:c9lCg5/9lCgeK9l26an9l26an9l8fR29l8fRm9lTqRQQlF3RQlU1:c9lLh9lLh9lIn9lIn9lo29lom9lWJRqK
                                MD5:E579AF038EA387295A731A257EA4BC05
                                SHA1:9AF1A8BF9BDF61AEEE4C4264C454414A36B8D1C4
                                SHA-256:6B2DA325B9D1F280C27A0E08061DD874D86BBD80A8FF4A2282A36FF2F04471EA
                                SHA-512:2B55CCF8366BF98FC6C5D83662C0E360B0CF4B92A91EC277C6527ABA1EB03E1C47D7B3E83BF4BC61E3309D1DCB45E783E63130821C01584FD32BAA8FB0E28E78
                                Malicious:false
                                Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Users\user\AppData\Local\Temp\~DFD9B906886E0EC1C2.TMP
                                Process:C:\Program Files\internet explorer\iexplore.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):38737
                                Entropy (8bit):0.3715571594200072
                                Encrypted:false
                                SSDEEP:48:kBqoxKAuvScS+QWMNxIxw3yDZ3yDb3yDU:kBqoxKAuvScS+QWMNWu+EB
                                MD5:7AC15FDA26FE401C71736DE922177826
                                SHA1:FCC5B6B4616DE0E693444C8720BDBA92E4EB8FB9
                                SHA-256:2A0C19E55C64CB545BC8A80D78C406AD56B6477CAE0EBC9866A0E4155D1913CE
                                SHA-512:7B2AE9C4B42A1EC744B01B7040179785CF5F90B167EBC13340E5D06B2707E535B5936B45BBD7EEA8BB56B4B74AE70D7A116C20CE8290915EE9F0F33CCF28FD1D
                                Malicious:false
                                Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):6.61438464019549
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:CGd7lq6RDL.exe
                                File size:901960
                                MD5:c7b71f03f190a5da3e4976f37194419f
                                SHA1:8e750d01e1a5edb2c320e1b0b703b5823f241587
                                SHA256:930d54df724f1637f38d840e1822fa8f5cccedceb4b86d0e737e2311162e0921
                                SHA512:d274bcc78a5916220e51036b8a24b82f165a03736fb829a76a01d96bd5c224b0624b3ebf592a5b06a5bd9d04cc5c7aff0e47bca908782dd27b226fb953f2cc6e
                                SSDEEP:24576:v9PsA9vHAYobFGQdRPylSk61LXXh5xvZjmtk1/GqgLGS:QYyJk61bRnZjmWGGS
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........p..............`.......`.......`..........o............`......m8.......`.......`.......`......Rich...........................

                                File Icon

                                Icon Hash:f0b0e8e4e4e8b2dc

                                Static PE Info

                                General

                                Entrypoint:0x1005725
                                Entrypoint Section:.text
                                Digitally signed:true
                                Imagebase:0x1000000
                                Subsystem:windows gui
                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
                                Time Stamp:0x55E85856 [Thu Sep 3 14:25:26 2015 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:6
                                OS Version Minor:0
                                File Version Major:6
                                File Version Minor:0
                                Subsystem Version Major:6
                                Subsystem Version Minor:0
                                Import Hash:264c61a35ad2f260d533f2d7b897c2a5

                                Authenticode Signature

                                Signature Valid:false
                                Signature Issuer:CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
                                Signature Validation Error:No signature was present in the subject
                                Error Number:-2146762496
                                Not Before:4/12/2021 5:00:00 PM
                                Not After:4/13/2022 4:59:59 PM
                                Subject Chain
                                • CN=FORTH PROPERTY LTD, O=FORTH PROPERTY LTD, L=Edinburgh, C=GB
                                Version:3
                                Thumbprint MD5:8AB6A86211EE700AA961C3292ADB312D
                                Thumbprint SHA-1:A533DFA7E6AED2A9FFBE41FCEC5A8927A6EAFBBB
                                Thumbprint SHA-256:9E0611728595A506CC2A55486FDD88ECA0971EF0B08F74CB3B3B6F5F6F3C7E27
                                Serial:239664C12BAEB5A6D787912888051392

                                Entrypoint Preview

                                Instruction
                                call 00007F57C8B85450h
                                jmp 00007F57C8B7E365h
                                push 00000014h
                                push 0108A9F8h
                                call 00007F57C8B8333Ah
                                call 00007F57C8B7EB3Bh
                                movzx esi, ax
                                push 00000002h
                                call 00007F57C8B853E3h
                                pop ecx
                                mov eax, 00005A4Dh
                                cmp word ptr [01000000h], ax
                                je 00007F57C8B7E366h
                                xor ebx, ebx
                                jmp 00007F57C8B7E395h
                                mov eax, dword ptr [0100003Ch]
                                cmp dword ptr [eax+01000000h], 00004550h
                                jne 00007F57C8B7E34Dh
                                mov ecx, 0000010Bh
                                cmp word ptr [eax+01000018h], cx
                                jne 00007F57C8B7E33Fh
                                xor ebx, ebx
                                cmp dword ptr [eax+01000074h], 0Eh
                                jbe 00007F57C8B7E36Bh
                                cmp dword ptr [eax+010000E8h], ebx
                                setne bl
                                mov dword ptr [ebp-1Ch], ebx
                                call 00007F57C8B8328Dh
                                test eax, eax
                                jne 00007F57C8B7E36Ah
                                push 0000001Ch
                                call 00007F57C8B7E487h
                                pop ecx
                                call 00007F57C8B8474Bh
                                test eax, eax
                                jne 00007F57C8B7E36Ah
                                push 00000010h
                                call 00007F57C8B7E476h
                                pop ecx
                                call 00007F57C8B8545Ch
                                and dword ptr [ebp-04h], 00000000h
                                call 00007F57C8B84D47h
                                test eax, eax
                                jns 00007F57C8B7E36Ah
                                push 0000001Bh
                                call 00007F57C8B7E45Ch
                                pop ecx
                                call dword ptr [0106A19Ch]
                                mov dword ptr [010AC3A8h], eax
                                call 00007F57C8B85477h
                                mov dword ptr [01097A94h], eax
                                call 00007F57C8B85034h
                                test eax, eax
                                jns 00007F57C8B7E36Ah

                                Data Directories

                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8ccf8 | 0x8c | .rdata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xad000 | 0x41028 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0xda000 | 0x2348 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xef000 | 0x4d50 | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6a3b0 | 0x38 | .rdata
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x87940 | 0x40 | .rdata
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x6a000 | 0x328 | .rdata
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 

                                Sections

                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x1000 | 0x681b9 | 0x68200 | False | 0.623956613896 | data | 6.85142771967 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                .rdata | 0x6a000 | 0x23f8a | 0x24000 | False | 0.641723632812 | data | 6.36645327435 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .data | 0x8e000 | 0x1e3ac | 0x7a00 | False | 0.527792008197 | data | 6.51367686644 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                .rsrc | 0xad000 | 0x41028 | 0x41200 | False | 0.240744211852 | data | 5.36312234805 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0xef000 | 0x4d50 | 0x4e00 | False | 0.730168269231 | data | 6.65913941378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Resources

                                Name | RVA | Size | Type | Language | Country
                                RT_ICON | 0xad434 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
                                RT_ICON | 0xbdc5c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16580607, next used block 4294917888 | English | United States
                                RT_ICON | 0xc1e84 | 0x25a8 | data | English | United States
                                RT_ICON | 0xc442c | 0x10a8 | data | English | United States
                                RT_ICON | 0xc54d4 | 0x988 | data | English | United States
                                RT_ICON | 0xc5e5c | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                                RT_ICON | 0xc62c4 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
                                RT_ICON | 0xd6aec | 0x94a8 | data | English | United States
                                RT_ICON | 0xdff94 | 0x5488 | data | English | United States
                                RT_ICON | 0xe541c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 520093696 | English | United States
                                RT_ICON | 0xe9644 | 0x25a8 | data | English | United States
                                RT_ICON | 0xebbec | 0x10a8 | data | English | United States
                                RT_ICON | 0xecc94 | 0x988 | data | English | United States
                                RT_ICON | 0xed61c | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                                RT_STRING | 0xeda84 | 0xbc | data | English | United States
                                RT_STRING | 0xedb40 | 0x150 | data | English | United States
                                RT_GROUP_ICON | 0xedc90 | 0x76 | data | English | United States
                                RT_GROUP_ICON | 0xedd08 | 0x5a | data | English | United States
                                RT_VERSION | 0xedd64 | 0x2c4 | data | English | United States

                                Imports

                                DLL | Import
                                KERNEL32.dll | GetLastError, VirtualProtectEx, LoadLibraryA, OpenMutexA, SetConsoleOutputCP, DeviceIoControl, GetModuleFileNameA, CloseHandle, DeleteFileA, WriteConsoleW, SetStdHandle, GetStringTypeW, LoadLibraryW, WaitForMultipleObjectsEx, GetStartupInfoA, GetConsoleMode, GetConsoleCP, FlushFileBuffers, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, HeapReAlloc, CreateProcessA, Sleep, GetTickCount, SetFilePointerEx, GetCurrentProcess, UnregisterWaitEx, QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, InitializeSListHead, ReleaseSemaphore, SetProcessAffinityMask, VirtualProtect, VirtualFree, VirtualAlloc, GetVersionExW, GetModuleHandleA, FreeLibraryAndExitThread, FreeLibrary, GetThreadTimes, OutputDebugStringW, FatalAppExitA, SetConsoleCtrlHandler, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCurrentProcessId, QueryPerformanceCounter, GetFileType, HeapSize, GetProcessHeap, GetModuleFileNameW, WriteFile, GetStdHandle, WideCharToMultiByte, MultiByteToWideChar, AreFileApisANSI, GetModuleHandleExW, ExitProcess, IsDebuggerPresent, UnregisterWait, RegisterWaitForSingleObject, SetThreadAffinityMask, GetProcessAffinityMask, GetNumaHighestNodeNumber, DeleteTimerQueueTimer, ChangeTimerQueueTimer, CreateTimerQueueTimer, GetLogicalProcessorInformation, GetThreadPriority, SetThreadPriority, SwitchToThread, SignalObjectAndWait, WaitForSingleObjectEx, SetEvent, DuplicateHandle, WaitForSingleObject, GetCurrentThread, GetCurrentThreadId, GetExitCodeThread, GetSystemTimeAsFileTime, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapAlloc, EncodePointer, DecodePointer, GetCommandLineA, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, GetProcAddress, CreateSemaphoreW, CreateThread, ExitThread, LoadLibraryExW, RaiseException, RtlUnwind, HeapFree, TryEnterCriticalSection, CreateTimerQueue, RtlCaptureStackBackTrace, CreateFileW
                                USER32.dll | EnumWindows, SetWindowTextA, GetClassInfoExA, CallNextHookEx, DefWindowProcA, GetWindowLongA, IsDialogMessageA, CheckDlgButton, SendMessageA, CreateWindowExA, GetIconInfo, LoadBitmapA, ReleaseDC
                                ole32.dll | CoUninitialize, OleSetContainedObject, OleInitialize, CoSuspendClassObjects, OleUninitialize, StgCreateDocfile, CoInitialize
                                COMCTL32.dll | ImageList_LoadImageA, PropertySheetA, CreatePropertySheetPageA
                                WINSPOOL.DRV | DeletePortA, SetPrinterDataA, DeleteFormA, SetPortA, SetPrinterDataExA, AddMonitorA, ScheduleJob, AddPrinterConnectionA, ReadPrinter, AddPrinterDriverA, GetPrinterDataA, ResetPrinterA, PrinterMessageBoxA, DeletePrintProcessorA, GetPrinterDriverDirectoryA, OpenPrinterA, AddPortA, ConfigurePortA, GetPrinterDataExA, GetJobA, AddPrinterDriverExA, ClosePrinter, DeletePrinterDataExA, DeletePrinterConnectionA, DeletePrintProvidorA, StartPagePrinter, AbortPrinter, GetPrintProcessorDirectoryA, StartDocPrinterA, GetPrinterA, AddPrinterA, DeletePrinter, DeleteMonitorA, GetPrinterDriverA, AddFormA, DeletePrinterDriverA, AddPrintProcessorA, AddPrintProvidorA, SetFormA, GetFormA, DeletePrinterDataA, AddJobA, FlushPrinter, DeletePrinterDriverExA, SetJobA, FindClosePrinterChangeNotification, DeletePrinterKeyA
                                sfc.dll | SfcIsFileProtected

                                Version Infos

                                Description | Data
                                LegalCopyright | (C) 2011 Helpwould Use Corporation. All rights reserved.
                                FileVersion | 14.1.55.63
                                CompanyName | Helpwould Use Corporation
                                ProductName | Deathice
                                ProductVersion | 14.1.55.63
                                FileDescription | Deathice The Certain
                                Translation | 0x0409 0x04b0

                                Possible Origin

                                Language of compilation system | Country where language is spoken
                                English | United States

                                Network Behavior

                                Network Port Distribution

                                UDP Packets


                                DNS Queries

                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                Sep 10, 2021 11:06:55.753245115 CEST | 192.168.2.6 | 8.8.8.8 | 0x8a0a | Standard query (0) | haverit.xyz | A (IP address) | IN (0x0001)
                                Sep 10, 2021 11:06:55.787014008 CEST | 192.168.2.6 | 8.8.8.8 | 0x12f1 | Standard query (0) | haverit.xyz | A (IP address) | IN (0x0001)
                                Sep 10, 2021 11:06:55.827631950 CEST | 192.168.2.6 | 8.8.8.8 | 0x1e50 | Standard query (0) | haverit.xyz | A (IP address) | IN (0x0001)
                                Sep 10, 2021 11:07:07.075915098 CEST | 192.168.2.6 | 8.8.8.8 | 0x1875 | Standard query (0) | haverit.xyz | A (IP address) | IN (0x0001)
                                Sep 10, 2021 11:07:17.181979895 CEST | 192.168.2.6 | 8.8.8.8 | 0x5c25 | Standard query (0) | haverit.xyz | A (IP address) | IN (0x0001)
                                Sep 10, 2021 11:07:59.157938004 CEST | 192.168.2.6 | 8.8.8.8 | 0xa945 | Standard query (0) | haverit.xyz | A (IP address) | IN (0x0001)
                                Sep 10, 2021 11:07:59.203895092 CEST | 192.168.2.6 | 8.8.8.8 | 0xb867 | Standard query (0) | haverit.xyz | A (IP address) | IN (0x0001)
                                Sep 10, 2021 11:07:59.246572971 CEST | 192.168.2.6 | 8.8.8.8 | 0x195d | Standard query (0) | haverit.xyz | A (IP address) | IN (0x0001)

                                DNS Answers

                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                Sep 10, 2021 11:06:55.780266047 CEST | 8.8.8.8 | 192.168.2.6 | 0x8a0a | Name error (3) | haverit.xyz | none | none | A (IP address) | IN (0x0001)
                                Sep 10, 2021 11:06:55.822834015 CEST | 8.8.8.8 | 192.168.2.6 | 0x12f1 | Name error (3) | haverit.xyz | none | none | A (IP address) | IN (0x0001)
                                Sep 10, 2021 11:06:55.860533953 CEST | 8.8.8.8 | 192.168.2.6 | 0x1e50 | Name error (3) | haverit.xyz | none | none | A (IP address) | IN (0x0001)
                                Sep 10, 2021 11:07:07.111475945 CEST | 8.8.8.8 | 192.168.2.6 | 0x1875 | Name error (3) | haverit.xyz | none | none | A (IP address) | IN (0x0001)
                                Sep 10, 2021 11:07:17.209393978 CEST | 8.8.8.8 | 192.168.2.6 | 0x5c25 | Name error (3) | haverit.xyz | none | none | A (IP address) | IN (0x0001)
                                Sep 10, 2021 11:07:59.194992065 CEST | 8.8.8.8 | 192.168.2.6 | 0xa945 | Name error (3) | haverit.xyz | none | none | A (IP address) | IN (0x0001)
                                Sep 10, 2021 11:07:59.235157013 CEST | 8.8.8.8 | 192.168.2.6 | 0xb867 | Name error (3) | haverit.xyz | none | none | A (IP address) | IN (0x0001)
                                Sep 10, 2021 11:07:59.282083988 CEST | 8.8.8.8 | 192.168.2.6 | 0x195d | Name error (3) | haverit.xyz | none | none | A (IP address) | IN (0x0001)

                                Code Manipulations

                                Statistics

                                Behavior

                                System Behavior

                                General

                                Start time:11:06:27
                                Start date:10/09/2021
                                Path:C:\Users\user\Desktop\CGd7lq6RDL.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Users\user\Desktop\CGd7lq6RDL.exe'
                                Imagebase:0x1000000
                                File size:901960 bytes
                                MD5 hash:C7B71F03F190A5DA3E4976F37194419F
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.385018366.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.384548084.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.383601456.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.385072202.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.384483225.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.384261011.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.385265307.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.385224495.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.384337083.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.383794745.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.385278956.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.383290755.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.385120189.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.385245280.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.384188109.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.384802369.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.383702783.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.383888043.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.384673722.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.384849581.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.385191377.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.383501926.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.384938347.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000002.606209100.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.384982348.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.385155225.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.384003623.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.384615803.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.384747658.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.383189063.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.384415120.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.384102374.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.384895266.0000000003610000.00000004.00000040.sdmp, Author: Joe Security
                                Reputation:low

                                General

                                Start time:11:06:53
                                Start date:10/09/2021
                                Path:C:\Program Files\internet explorer\iexplore.exe
                                Wow64 process (32bit):false
                                Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                                Imagebase:0x7ff721e20000
                                File size:823560 bytes
                                MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:11:06:54
                                Start date:10/09/2021
                                Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2
                                Imagebase:0x910000
                                File size:822536 bytes
                                MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:11:07:57
                                Start date:10/09/2021
                                Path:C:\Program Files\internet explorer\iexplore.exe
                                Wow64 process (32bit):false
                                Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                                Imagebase:0x7ff721e20000
                                File size:823560 bytes
                                MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:11:07:58
                                Start date:10/09/2021
                                Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5656 CREDAT:17410 /prefetch:2
                                Imagebase:0x910000
                                File size:822536 bytes
                                MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Disassembly

                                Code Analysis
