Analysis

Category: URL
Package: ie
Started: 2019-10-08 10:48:20
Completed: 2019-10-08 10:52:04
Duration: 224 seconds

Options:
route = internet
procdump = 1

Log:
2019-10-08 11:48:20,000 [root] INFO: Date set to: 10-08-19, time set to: 10:48:20, timeout set to: 200
2019-10-08 11:48:20,015 [root] DEBUG: Starting analyzer from: C:\iuelruc
2019-10-08 11:48:20,015 [root] DEBUG: Storing results at: C:\WsOTxHK
2019-10-08 11:48:20,015 [root] DEBUG: Pipe server name: \\.\PIPE\XiUrPIvjDi
2019-10-08 11:48:20,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-08 11:48:20,015 [root] INFO: Automatically selected analysis package "ie"
2019-10-08 11:48:20,404 [root] DEBUG: Started auxiliary module Browser
2019-10-08 11:48:20,404 [root] DEBUG: Started auxiliary module Curtain
2019-10-08 11:48:20,404 [modules.auxiliary.digisig] DEBUG: Skipping authenticode validation, analysis is not a file.
2019-10-08 11:48:20,404 [root] DEBUG: Started auxiliary module DigiSig
2019-10-08 11:48:20,436 [root] DEBUG: Started auxiliary module Disguise
2019-10-08 11:48:20,436 [root] DEBUG: Started auxiliary module Human
2019-10-08 11:48:20,436 [root] DEBUG: Started auxiliary module Screenshots
2019-10-08 11:48:20,436 [root] DEBUG: Started auxiliary module Sysmon
2019-10-08 11:48:20,436 [root] DEBUG: Started auxiliary module Usage
2019-10-08 11:48:20,436 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL option
2019-10-08 11:48:20,436 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL_64 option
2019-10-08 11:48:20,561 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" with arguments ""https://attractionsyborcity.icu/26d9b8005c8a55d55fd9d02d7e8e9504/index.html?ip=121.99.158.83&siteid=YjY0Mjg1MDg3MTI3NzA4MDczOTIjMTU3MDUyODQyN0A1MDYwQF8yNzVmMjExMTk3ZmEyYjlmNDgyMGQzMWY1YjA1NGZjNw&trackid=20191008095548859"" with pid 2112
2019-10-08 11:48:20,576 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-08 11:48:20,576 [lib.api.process] INFO: 32-bit DLL to inject is C:\iuelruc\dll\YZbZOjQu.dll, loader C:\iuelruc\bin\JODqyZr.exe
2019-10-08 11:48:20,701 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\XiUrPIvjDi.
2019-10-08 11:48:20,701 [root] DEBUG: Loader: Injecting process 2112 (thread 1936) with C:\iuelruc\dll\YZbZOjQu.dll.
2019-10-08 11:48:20,701 [root] DEBUG: Process image base: 0x00E10000
2019-10-08 11:48:20,701 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iuelruc\dll\YZbZOjQu.dll.
2019-10-08 11:48:20,701 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EB6000 - 0x77110000
2019-10-08 11:48:20,701 [root] DEBUG: InjectDllViaIAT: Allocated 0x218 bytes for new import table at 0x00EC0000.
2019-10-08 11:48:20,701 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-08 11:48:20,701 [root] DEBUG: Successfully injected DLL C:\iuelruc\dll\YZbZOjQu.dll.
2019-10-08 11:48:20,701 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2112
2019-10-08 11:48:22,730 [lib.api.process] INFO: Successfully resumed process with pid 2112
2019-10-08 11:48:22,730 [root] INFO: Added new process to list with pid: 2112
2019-10-08 11:48:22,822 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-08 11:48:22,822 [root] DEBUG: Process dumps enabled.
2019-10-08 11:48:22,885 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-08 11:48:22,885 [root] INFO: Disabling sleep skipping.
2019-10-08 11:48:22,885 [root] INFO: Disabling sleep skipping.
2019-10-08 11:48:22,885 [root] INFO: Disabling sleep skipping.
2019-10-08 11:48:22,885 [root] INFO: Disabling sleep skipping.
2019-10-08 11:48:22,885 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2112 at 0x74940000, image base 0xe10000, stack from 0x3c2000-0x3d0000
2019-10-08 11:48:22,885 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" "https:\attractionsyborcity.icu\26d9b8005c8a55d55fd9d02d7e8e9504\index.html?ip=121.99.158.83&siteid=YjY0Mjg1MDg3MTI3NzA4MDczOTIjMTU3MDUyODQyN0A1MDYwQF8
2019-10-08 11:48:22,885 [root] INFO: Monitor successfully loaded in process with pid 2112.
2019-10-08 11:48:22,917 [root] DEBUG: DLL unloaded from 0x754F0000.
2019-10-08 11:48:22,947 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\system32\IEFRAME (0xa80000 bytes).
2019-10-08 11:48:22,979 [root] DEBUG: DLL loaded at 0x74830000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-10-08 11:48:22,994 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-08 11:48:23,026 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-08 11:48:23,042 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-10-08 11:48:23,042 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-10-08 11:48:23,072 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-10-08 11:48:23,072 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2019-10-08 11:48:23,072 [root] DEBUG: DLL loaded at 0x74800000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-10-08 11:48:23,072 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-08 11:48:23,088 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-08 11:48:23,104 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\System32\nlaapi (0x10000 bytes).
2019-10-08 11:48:23,119 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-08 11:48:23,119 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-08 11:48:23,119 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-08 11:48:23,134 [root] DEBUG: DLL unloaded from 0x74340000.
2019-10-08 11:48:23,134 [root] DEBUG: DLL loaded at 0x750B0000: C:\Windows\syswow64\comdlg32 (0x7b000 bytes).
2019-10-08 11:48:23,213 [root] DEBUG: DLL loaded at 0x74360000: C:\Program Files (x86)\Internet Explorer\sqmapi (0x33000 bytes).
2019-10-08 11:48:23,213 [root] DEBUG: DLL unloaded from 0x76C00000.
2019-10-08 11:48:23,213 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-08 11:48:23,213 [root] DEBUG: DLL unloaded from 0x74360000.
2019-10-08 11:48:23,213 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-08 11:48:23,213 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-08 11:48:23,243 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-08 11:48:23,243 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-10-08 11:48:23,338 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-10-08 11:48:23,338 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-08 11:48:23,368 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 2308
2019-10-08 11:48:23,368 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-08 11:48:23,368 [lib.api.process] INFO: 32-bit DLL to inject is C:\iuelruc\dll\YZbZOjQu.dll, loader C:\iuelruc\bin\JODqyZr.exe
2019-10-08 11:48:23,368 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\XiUrPIvjDi.
2019-10-08 11:48:23,368 [root] DEBUG: Loader: Injecting process 2308 (thread 844) with C:\iuelruc\dll\YZbZOjQu.dll.
2019-10-08 11:48:23,368 [root] DEBUG: Process image base: 0x00E10000
2019-10-08 11:48:23,368 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iuelruc\dll\YZbZOjQu.dll.
2019-10-08 11:48:23,368 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00EB6000 - 0x77110000
2019-10-08 11:48:23,368 [root] DEBUG: InjectDllViaIAT: Allocated 0x218 bytes for new import table at 0x00EC0000.
2019-10-08 11:48:23,368 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-08 11:48:23,368 [root] DEBUG: Successfully injected DLL C:\iuelruc\dll\YZbZOjQu.dll.
2019-10-08 11:48:23,368 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2308
2019-10-08 11:48:23,368 [root] DEBUG: DLL unloaded from 0x00E10000.
2019-10-08 11:48:23,368 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 2308
2019-10-08 11:48:23,368 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-08 11:48:23,368 [lib.api.process] INFO: 32-bit DLL to inject is C:\iuelruc\dll\YZbZOjQu.dll, loader C:\iuelruc\bin\JODqyZr.exe
2019-10-08 11:48:23,368 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\XiUrPIvjDi.
2019-10-08 11:48:23,368 [root] DEBUG: Loader: Injecting process 2308 (thread 844) with C:\iuelruc\dll\YZbZOjQu.dll.
2019-10-08 11:48:23,368 [root] DEBUG: Process image base: 0x00E10000
2019-10-08 11:48:23,384 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\iuelruc\dll\YZbZOjQu.dll.
2019-10-08 11:48:23,384 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-08 11:48:23,384 [root] DEBUG: Successfully injected DLL C:\iuelruc\dll\YZbZOjQu.dll.
2019-10-08 11:48:23,384 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2308
2019-10-08 11:48:23,384 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-10-08 11:48:23,384 [root] DEBUG: DLL loaded at 0x74320000: C:\Windows\system32\rasman (0x15000 bytes).
2019-10-08 11:48:23,384 [root] DEBUG: DLL unloaded from 0x74340000.
2019-10-08 11:48:23,384 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-08 11:48:23,384 [root] DEBUG: Process dumps enabled.
2019-10-08 11:48:23,384 [root] INFO: Disabling sleep skipping.
2019-10-08 11:48:23,384 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-10-08 11:48:23,384 [root] DEBUG: DLL unloaded from 0x74320000.
2019-10-08 11:48:23,384 [root] DEBUG: DLL unloaded from 0x747D0000.
2019-10-08 11:48:23,384 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-08 11:48:23,384 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2308 at 0x74940000, image base 0xe10000, stack from 0x3e2000-0x3f0000
2019-10-08 11:48:23,384 [root] DEBUG: Commandline: C:\Users\user\Desktop\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2112 CREDAT:79873.
2019-10-08 11:48:23,384 [root] INFO: Added new process to list with pid: 2308
2019-10-08 11:48:23,384 [root] INFO: Monitor successfully loaded in process with pid 2308.
2019-10-08 11:48:23,400 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-08 11:48:23,400 [root] DEBUG: DLL unloaded from 0x754F0000.
2019-10-08 11:48:23,400 [root] DEBUG: DLL loaded at 0x74310000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-10-08 11:48:23,400 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\system32\IEFRAME (0xa80000 bytes).
2019-10-08 11:48:23,400 [root] DEBUG: DLL loaded at 0x74830000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-10-08 11:48:23,400 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-08 11:48:23,400 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-10-08 11:48:23,400 [root] DEBUG: DLL loaded at 0x750B0000: C:\Windows\syswow64\comdlg32 (0x7b000 bytes).
2019-10-08 11:48:23,415 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-10-08 11:48:23,431 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-10-08 11:48:23,447 [root] DEBUG: DLL loaded at 0x742D0000: C:\Program Files (x86)\Internet Explorer\IEShims (0x35000 bytes).
2019-10-08 11:48:23,447 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-10-08 11:48:23,447 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-10-08 11:48:23,447 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-10-08 11:48:23,463 [root] DEBUG: DLL loaded at 0x742C0000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-10-08 11:48:23,463 [root] DEBUG: DLL loaded at 0x742B0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-10-08 11:48:23,463 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-08 11:48:23,463 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-10-08 11:48:23,477 [root] DEBUG: DLL loaded at 0x74230000: C:\Program Files (x86)\Internet Explorer\sqmapi (0x33000 bytes).
2019-10-08 11:48:23,477 [root] DEBUG: DLL unloaded from 0x76C00000.
2019-10-08 11:48:23,477 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-08 11:48:23,477 [root] DEBUG: DLL unloaded from 0x74230000.
2019-10-08 11:48:23,477 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2019-10-08 11:48:23,477 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-08 11:48:23,477 [lib.api.process] INFO: 64-bit DLL to inject is C:\iuelruc\dll\AtvJcKC.dll, loader C:\iuelruc\bin\sprrxoDU.exe
2019-10-08 11:48:23,477 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\XiUrPIvjDi.
2019-10-08 11:48:23,493 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\iuelruc\dll\AtvJcKC.dll.
2019-10-08 11:48:23,493 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1636, handle 0x84
2019-10-08 11:48:23,493 [root] DEBUG: Process image base: 0x00000000FF900000
2019-10-08 11:48:23,493 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-10-08 11:48:23,493 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-10-08 11:48:23,493 [root] DEBUG: DLL loaded at 0x74210000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-08 11:48:23,493 [root] DEBUG: DLL loaded at 0x741F0000: C:\Windows\system32\DHCPCSVC (0x12000 bytes).
2019-10-08 11:48:23,493 [root] DEBUG: DLL loaded at 0x741E0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2019-10-08 11:48:23,493 [root] DEBUG: DLL unloaded from 0x74810000.
2019-10-08 11:48:23,493 [root] DEBUG: DLL unloaded from 0x741F0000.
2019-10-08 11:48:23,509 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-08 11:48:23,509 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-08 11:48:23,509 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-08 11:48:23,509 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-08 11:48:23,509 [root] DEBUG: DLL loaded at 0x74000000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-10-08 11:48:23,509 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-08 11:48:23,509 [root] DEBUG: Process dumps enabled.
2019-10-08 11:48:23,525 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-08 11:48:23,525 [root] INFO: Disabling sleep skipping.
2019-10-08 11:48:23,540 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-08 11:48:23,540 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-08 11:48:23,555 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-08 11:48:23,588 [root] WARNING: Unable to place hook on LockResource
2019-10-08 11:48:23,588 [root] WARNING: Unable to hook LockResource
2019-10-08 11:48:23,680 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1632 at 0x0000000074100000, image base 0x00000000FF900000, stack from 0x0000000004382000-0x0000000004390000
2019-10-08 11:48:23,680 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2019-10-08 11:48:23,680 [root] INFO: Added new process to list with pid: 1632
2019-10-08 11:48:23,680 [root] INFO: Monitor successfully loaded in process with pid 1632.
2019-10-08 11:48:23,697 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-08 11:48:23,697 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-08 11:48:23,697 [root] DEBUG: Successfully injected DLL C:\iuelruc\dll\AtvJcKC.dll.
2019-10-08 11:48:23,727 [root] DEBUG: DLL loaded at 0x73FD0000: C:\Windows\system32\IEUI (0x2d000 bytes).
2019-10-08 11:48:23,743 [root] DEBUG: DLL loaded at 0x73FC0000: C:\Windows\system32\MSIMG32 (0x5000 bytes).
2019-10-08 11:48:23,789 [root] DEBUG: DLL loaded at 0x73F90000: C:\Program Files (x86)\Internet Explorer\ieproxy (0x2b000 bytes).
2019-10-08 11:48:23,789 [root] DEBUG: DLL loaded at 0x74000000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-10-08 11:48:23,805 [root] DEBUG: DLL unloaded from 0x74000000.
2019-10-08 11:48:23,822 [root] DEBUG: DLL loaded at 0x73F80000: C:\Windows\system32\mssprxy (0xc000 bytes).
2019-10-08 11:48:23,852 [root] DEBUG: DLL loaded at 0x73F00000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-10-08 11:48:23,977 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-08 11:48:23,977 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-08 11:48:23,977 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-08 11:48:23,977 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-08 11:48:23,993 [root] DEBUG: DLL loaded at 0x73ED0000: C:\Windows\system32\xmllite (0x2f000 bytes).
2019-10-08 11:48:24,101 [root] DEBUG: DLL loaded at 0x73D60000: C:\Windows\system32\explorerframe (0x16f000 bytes).
2019-10-08 11:48:24,134 [root] DEBUG: DLL loaded at 0x73D30000: C:\Windows\system32\DUser (0x2f000 bytes).
2019-10-08 11:48:24,148 [root] DEBUG: DLL loaded at 0x73C70000: C:\Windows\system32\DUI70 (0xb2000 bytes).
2019-10-08 11:48:24,243 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-10-08 11:48:24,243 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-10-08 11:48:24,243 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-10-08 11:48:24,243 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2019-10-08 11:48:24,243 [root] DEBUG: DLL loaded at 0x74800000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-10-08 11:48:24,243 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-08 11:48:24,257 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-08 11:48:24,257 [root] DEBUG: DLL loaded at 0x73F90000: C:\Program Files (x86)\Internet Explorer\ieproxy (0x2b000 bytes).
2019-10-08 11:48:24,257 [root] DEBUG: DLL loaded at 0x73BD0000: C:\Windows\system32\msfeeds (0x96000 bytes).
2019-10-08 11:48:24,321 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-08 11:48:24,351 [root] DEBUG: DLL loaded at 0x73BA0000: C:\Windows\system32\MLANG (0x2e000 bytes).
2019-10-08 11:48:24,368 [root] DEBUG: DLL loaded at 0x751A0000: C:\Windows\syswow64\Normaliz (0x3000 bytes).
2019-10-08 11:48:24,368 [root] DEBUG: DLL loaded at 0x73BA0000: C:\Windows\system32\MLANG (0x2e000 bytes).
2019-10-08 11:48:24,382 [root] DEBUG: DLL loaded at 0x73F00000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-10-08 11:48:24,398 [root] DEBUG: DLL loaded at 0x73B80000: C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim (0x11000 bytes).
2019-10-08 11:48:24,398 [root] DEBUG: DLL loaded at 0x73AE0000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80 (0x9b000 bytes).
2019-10-08 11:48:24,398 [root] DEBUG: DLL loaded at 0x72EE0000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCP80 (0x87000 bytes).
2019-10-08 11:48:24,430 [root] DEBUG: DLL loaded at 0x73AD0000: C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper (0x10000 bytes).
2019-10-08 11:48:24,694 [root] DEBUG: DLL loaded at 0x72DA0000: C:\PROGRA~2\MICROS~1\Office14\URLREDIR (0x91000 bytes).
2019-10-08 11:48:24,710 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-10-08 11:48:24,710 [root] DEBUG: DLL loaded at 0x72ED0000: C:\Windows\system32\Secur32 (0x8000 bytes).
2019-10-08 11:48:24,710 [root] DEBUG: DLL loaded at 0x74D80000: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90 (0xa3000 bytes).
2019-10-08 11:48:24,726 [root] DEBUG: DLL loaded at 0x72EB0000: C:\PROGRA~2\MICROS~1\Office14\MSOHEV (0x14000 bytes).
2019-10-08 11:48:24,757 [root] DEBUG: DLL loaded at 0x72EA0000: C:\Program Files (x86)\Java\jre7\bin\jp2ssv (0xf000 bytes).
2019-10-08 11:48:24,789 [root] DEBUG: DLL loaded at 0x72CE0000: C:\Program Files (x86)\Java\jre7\bin\MSVCR100 (0xbe000 bytes).
2019-10-08 11:48:24,789 [root] DEBUG: set_caller_info: Adding region at 0x04560000 to caller regions list (ntdll::LdrLoadDll).
2019-10-08 11:48:24,803 [root] DEBUG: set_caller_info: Adding region at 0x02490000 to caller regions list (advapi32::RegOpenKeyExA).
2019-10-08 11:48:24,819 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-10-08 11:48:24,835 [root] DEBUG: DLL loaded at 0x72E40000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-10-08 11:48:24,898 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-10-08 11:48:24,898 [root] DEBUG: DLL loaded at 0x74320000: C:\Windows\system32\rasman (0x15000 bytes).
2019-10-08 11:48:24,898 [root] DEBUG: DLL unloaded from 0x74340000.
2019-10-08 11:48:24,898 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-10-08 11:48:24,898 [root] DEBUG: DLL unloaded from 0x74320000.
2019-10-08 11:48:24,898 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-08 11:48:24,898 [root] DEBUG: DLL loaded at 0x74310000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-10-08 11:48:24,898 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-10-08 11:48:24,914 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-10-08 11:48:24,914 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-10-08 11:48:24,914 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-10-08 11:48:24,914 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-10-08 11:48:24,914 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-10-08 11:48:24,914 [root] DEBUG: DLL loaded at 0x742C0000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-10-08 11:48:24,914 [root] DEBUG: DLL loaded at 0x742B0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-10-08 11:48:24,914 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-10-08 11:48:24,914 [root] DEBUG: DLL loaded at 0x74210000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-08 11:48:24,914 [root] DEBUG: DLL loaded at 0x741F0000: C:\Windows\system32\DHCPCSVC (0x12000 bytes).
2019-10-08 11:48:24,914 [root] DEBUG: DLL loaded at 0x741E0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2019-10-08 11:48:24,914 [root] DEBUG: DLL unloaded from 0x74810000.
2019-10-08 11:48:24,914 [root] DEBUG: DLL unloaded from 0x741F0000.
2019-10-08 11:48:24,976 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-08 11:48:24,976 [root] DEBUG: DLL loaded at 0x751A0000: C:\Windows\syswow64\Normaliz (0x3000 bytes).
2019-10-08 11:48:24,992 [root] DEBUG: DLL loaded at 0x72CC0000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-10-08 11:48:24,992 [root] DEBUG: DLL loaded at 0x75470000: C:\Windows\syswow64\wintrust (0x2d000 bytes).
2019-10-08 11:48:25,023 [root] DEBUG: DLL loaded at 0x72C80000: C:\Windows\system32\schannel (0x3a000 bytes).
2019-10-08 11:48:25,053 [root] DEBUG: DLL loaded at 0x72C60000: C:\Windows\system32\DWMAPI (0x13000 bytes).
2019-10-08 11:48:25,069 [root] DEBUG: DLL loaded at 0x72E40000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-10-08 11:48:25,085 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-10-08 11:48:25,115 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-08 11:48:25,786 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-08 11:48:26,115 [root] WARNING: File at path "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\favicon[1].ico" does not exist, skip.
2019-10-08 11:48:27,207 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-08 11:48:27,285 [root] DEBUG: DLL loaded at 0x72C50000: C:\Windows\system32\credssp (0x8000 bytes).
2019-10-08 11:48:27,299 [root] DEBUG: DLL unloaded from 0x74C70000.
2019-10-08 11:48:27,533 [root] DEBUG: DLL loaded at 0x72C10000: C:\Windows\system32\ncrypt (0x38000 bytes).
2019-10-08 11:48:27,533 [root] DEBUG: DLL loaded at 0x72BF0000: C:\Windows\system32\bcrypt (0x17000 bytes).
2019-10-08 11:48:27,549 [root] DEBUG: DLL loaded at 0x72BB0000: C:\Windows\SysWOW64\bcryptprimitives (0x3d000 bytes).
2019-10-08 11:48:27,565 [root] DEBUG: DLL loaded at 0x72B90000: C:\Windows\system32\GPAPI (0x16000 bytes).
2019-10-08 11:48:27,596 [root] DEBUG: DLL loaded at 0x72B70000: C:\Windows\system32\cryptnet (0x1c000 bytes).
2019-10-08 11:48:27,611 [root] DEBUG: DLL loaded at 0x72B10000: C:\Windows\system32\WINHTTP (0x58000 bytes).
2019-10-08 11:48:27,611 [root] DEBUG: DLL loaded at 0x72AC0000: C:\Windows\system32\webio (0x4f000 bytes).
2019-10-08 11:48:27,611 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-08 11:48:27,611 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-08 11:48:27,611 [root] DEBUG: DLL unloaded from 0x72B10000.
2019-10-08 11:48:27,611 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-08 11:48:27,611 [root] DEBUG: DLL unloaded from 0x72B10000.
2019-10-08 11:48:27,831 [root] DEBUG: DLL unloaded from 0x72B70000.
2019-10-08 11:48:27,845 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-08 11:48:27,845 [root] DEBUG: DLL unloaded from 0x72B10000.
2019-10-08 11:48:27,845 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-08 11:48:27,845 [root] DEBUG: DLL unloaded from 0x72B10000.
2019-10-08 11:48:27,940 [root] DEBUG: DLL unloaded from 0x72B70000.
2019-10-08 11:48:28,002 [root] DEBUG: DLL loaded at 0x72AA0000: C:\Windows\system32\Cabinet (0x15000 bytes).
2019-10-08 11:48:28,017 [root] DEBUG: DLL loaded at 0x72A90000: C:\Windows\system32\DEVRTL (0xe000 bytes).
2019-10-08 11:48:28,017 [root] DEBUG: DLL unloaded from 0x75A70000.
2019-10-08 11:48:29,032 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-10-08 11:48:29,157 [root] DEBUG: DLL loaded at 0x724D0000: C:\Windows\SysWOW64\mshtml (0x5b7000 bytes).
2019-10-08 11:48:29,203 [root] DEBUG: DLL loaded at 0x724A0000: C:\Windows\SysWOW64\msls31 (0x2a000 bytes).
2019-10-08 11:48:29,359 [root] DEBUG: DLL loaded at 0x72490000: C:\Windows\system32\msimtf (0xb000 bytes).
2019-10-08 11:48:29,437 [root] DEBUG: DLL loaded at 0x723D0000: C:\Windows\SysWOW64\jscript (0xb2000 bytes).
2019-10-08 11:48:29,453 [root] DEBUG: DLL loaded at 0x723A0000: C:\Windows\SysWOW64\iepeers (0x30000 bytes).
2019-10-08 11:48:29,483 [root] DEBUG: DLL loaded at 0x72340000: C:\Windows\SysWOW64\WINSPOOL.DRV (0x51000 bytes).
2019-10-08 11:48:29,500 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-10-08 11:48:30,140 [modules.auxiliary.human] INFO: Found button "&Yes", clicking it
2019-10-08 11:48:31,325 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-10-08 11:48:31,621 [root] DEBUG: DLL unloaded from 0x75A70000.
2019-10-08 11:48:31,948 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-10-08 11:48:34,023 [root] DEBUG: DLL loaded at 0x72200000: C:\Windows\System32\msxml3 (0x133000 bytes).
2019-10-08 11:48:36,411 [root] INFO: Announced 32-bit process name:  pid: 1
2019-10-08 11:48:36,411 [lib.api.process] WARNING: The process with pid 1 is not alive, injection aborted
2019-10-08 11:48:36,411 [root] DEBUG: DLL unloaded from 0x72F70000.
2019-10-08 11:48:36,489 [root] DEBUG: DLL unloaded from 0x000007FEFB9C0000.
2019-10-08 11:48:37,221 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-08 11:48:41,325 [root] DEBUG: DLL unloaded from 0x724D0000.
2019-10-08 11:48:41,963 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-08 11:48:53,805 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-10-08 11:48:55,131 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-10-08 11:48:57,861 [root] DEBUG: DLL unloaded from 0x72B70000.
2019-10-08 11:48:57,861 [root] DEBUG: DLL unloaded from 0x75790000.
2019-10-08 11:49:24,349 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-10-08 11:49:26,158 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-08 11:49:27,844 [root] DEBUG: DLL unloaded from 0x72B10000.
2019-10-08 11:50:40,664 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8390000 to caller regions list (ntdll::NtDuplicateObject).
2019-10-08 11:50:40,696 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF45C0000 to caller regions list (ntdll::NtDuplicateObject).
2019-10-08 11:50:53,161 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-10-08 11:51:44,516 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-10-08 11:51:44,516 [root] INFO: Created shutdown mutex.
2019-10-08 11:51:45,529 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 2112
2019-10-08 11:51:45,529 [root] INFO: Terminate event set for process 2112.
2019-10-08 11:51:45,529 [root] INFO: Terminating process 2112 before shutdown.
2019-10-08 11:51:45,529 [root] INFO: Waiting for process 2112 to exit.
2019-10-08 11:51:45,529 [root] DEBUG: Terminate Event: Attempting to dump process 2112
2019-10-08 11:51:45,529 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00E10000.
2019-10-08 11:51:45,529 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00E10000.
2019-10-08 11:51:45,529 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001C9A.
2019-10-08 11:51:45,561 [root] INFO: Added new CAPE file to list with path: C:\WsOTxHK\CAPE\2112_64771616545511082102019
2019-10-08 11:51:45,561 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xa1e00.
2019-10-08 11:51:45,561 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Local\Temp\~DF9EDF9C956D03A48D.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Local\\Temp\\~DF9EDF9C956D03A48D.TMP'
2019-10-08 11:51:45,561 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Local\Temp\~DF02045F01FC8F8D86.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Local\\Temp\\~DF02045F01FC8F8D86.TMP'
2019-10-08 11:51:45,576 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 2112
2019-10-08 11:51:46,543 [root] INFO: Terminating process 2308 before shutdown.
2019-10-08 11:51:46,543 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1632
2019-10-08 11:51:46,543 [root] INFO: Terminate event set for process 1632.
2019-10-08 11:51:46,543 [root] DEBUG: Terminate Event: Attempting to dump process 1632
2019-10-08 11:51:46,543 [root] INFO: Terminating process 1632 before shutdown.
2019-10-08 11:51:46,543 [root] INFO: Waiting for process 1632 to exit.
2019-10-08 11:51:46,543 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF900000.
2019-10-08 11:51:46,543 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF900000.
2019-10-08 11:51:46,543 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000002B790.
2019-10-08 11:51:46,605 [root] INFO: Added new CAPE file to list with path: C:\WsOTxHK\CAPE\1632_17813729346511082102019
2019-10-08 11:51:46,605 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2bac00.
2019-10-08 11:51:46,605 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1632
2019-10-08 11:51:47,548 [root] INFO: Shutting down package.
2019-10-08 11:51:47,548 [root] INFO: Stopping auxiliary modules.
2019-10-08 11:51:47,548 [root] INFO: Finishing auxiliary modules.
2019-10-08 11:51:47,548 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-10-08 11:51:47,548 [root] WARNING: File at path "C:\WsOTxHK\debugger" does not exist, skip.
2019-10-08 11:51:47,548 [root] WARNING: Monitor injection attempted but failed for process 1.
2019-10-08 11:51:47,548 [root] INFO: Analysis completed.
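
Cross-checking a CAPE process dump against the analyzer log, as an added worked example that is not part of CAPE or of this report: for each module dumped, the log above records the image base, the entry point (printed as a VA, but 0x1C9A is plainly relative to the 0xE10000 base, so the value is an RVA), the output path whose filename starts with the pid, and the dump size. The script below groups those lines into records, reads the dumped file's PE headers with struct (PE32 and PE32+), and confirms that entry point, image base and on-disk length agree with the log. The dump files themselves are not on this page, so a constructed minimal PE image stands in for them; the reading of the 16-digit address as the 64-bit monitor's formatting is an assumption.

```python
import re
import struct

# Constructed excerpt of the analyzer log lines printed above for each module dump.
LOG_EXCERPT = r"""
2019-10-08 11:51:45,529 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00E10000.
2019-10-08 11:51:45,529 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001C9A.
2019-10-08 11:51:45,561 [root] INFO: Added new CAPE file to list with path: C:\WsOTxHK\CAPE\2112_64771616545511082102019
2019-10-08 11:51:45,561 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xa1e00.
2019-10-08 11:51:46,543 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF900000.
2019-10-08 11:51:46,543 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000002B790.
2019-10-08 11:51:46,605 [root] INFO: Added new CAPE file to list with path: C:\WsOTxHK\CAPE\1632_17813729346511082102019
2019-10-08 11:51:46,605 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2bac00.
"""

BASE_RE = re.compile(r"Dumping Imagebase at 0x([0-9A-Fa-f]+)\.")
EP_RE = re.compile(r"Module entry point VA is 0x([0-9A-Fa-f]+)\.")
PATH_RE = re.compile(r"Added new CAPE file to list with path: (\S+)")
SIZE_RE = re.compile(r"dump size 0x([0-9A-Fa-f]+)\.")


def parse_dump_records(log: str) -> list:
    """Group the log lines of each dump into one record; the path's filename carries the pid."""
    records, cur = [], None
    for line in log.splitlines():
        m = BASE_RE.search(line)
        if m:
            # Assumption: the 64-bit monitor prints 16 hex digits, the 32-bit one prints 8.
            cur = {"image_base": int(m.group(1), 16), "addr_digits": len(m.group(1))}
            continue
        if cur is None:
            continue
        if m := EP_RE.search(line):
            # Logged as a VA, but the value is relative to the image base: treat it as an RVA.
            cur["entry_rva"] = int(m.group(1), 16)
        elif m := PATH_RE.search(line):
            cur["path"] = m.group(1)
            cur["pid"] = int(m.group(1).rsplit("\\", 1)[-1].split("_")[0])  # "<pid>_<stamp>"
        elif m := SIZE_RE.search(line):
            cur["dump_size"] = int(m.group(1), 16)
            records.append(cur)
            cur = None
    return records


def parse_pe_headers(blob: bytes) -> dict:
    """Read the PE32 / PE32+ header fields needed to cross-check a dump."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine = struct.unpack_from("<H", blob, e_lfanew + 4)[0]
    opt = e_lfanew + 24                       # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", blob, opt)[0]
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    if magic == 0x10B:                        # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    elif magic == 0x20B:                      # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_image = struct.unpack_from("<I", blob, opt + 56)[0]
    return {"machine": machine, "pe32plus": magic == 0x20B, "entry_rva": entry_rva,
            "image_base": image_base, "size_of_image": size_of_image}


def verify_dump(record: dict, blob: bytes) -> dict:
    """Compare what the log claims about a dump with what its PE headers say."""
    hdr = parse_pe_headers(blob)
    checks = {
        "entry_point_matches": hdr["entry_rva"] == record["entry_rva"],
        "image_base_matches": hdr["image_base"] == record["image_base"],
        "length_matches_log": len(blob) == record["dump_size"],
        # Sanity check: the virtual image should not be smaller than the file CAPE wrote.
        "size_of_image_covers_dump": hdr["size_of_image"] >= record["dump_size"],
    }
    return {"pid": record["pid"], "checks": checks, "ok": all(checks.values())}


def build_minimal_pe(image_base: int, entry_rva: int, size_of_image: int,
                     pe32plus: bool, total_len: int) -> bytes:
    """Constructed stand-in for a dumped image: valid headers, zero-filled body."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                      # e_lfanew
    if pe32plus:
        opt = struct.pack("<HBBIIIIIQII", 0x20B, 0, 0, 0, 0, 0, entry_rva, 0x1000,
                          image_base, 0x1000, 0x200)
        opt_len, machine = 0xF0, 0x8664
    else:
        opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000,
                          image_base, 0x1000, 0x200)
        opt_len, machine = 0xE0, 0x14C
    opt += struct.pack("<HHHHHHII", 0, 0, 0, 0, 0, 0, 0, size_of_image)  # SizeOfImage at +56
    opt = opt.ljust(opt_len, b"\0")
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_len, 0x102)
    header = bytes(dos) + b"PE\0\0" + file_hdr + opt
    return header.ljust(total_len, b"\0")


if __name__ == "__main__":
    for rec in parse_dump_records(LOG_EXCERPT):
        stand_in = build_minimal_pe(rec["image_base"], rec["entry_rva"], rec["dump_size"] + 0x1000,
                                    rec["addr_digits"] == 16, rec["dump_size"])
        print(verify_dump(rec, stand_in))
```

On a real case, replace the stand-in with the bytes of the file named in the record's path; a dump whose header image base disagrees with the logged one was either rebased by the loader or is not the module the log says it is, and deserves a look before it is fed to a signature scanner.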

MalScore

5.0

Suspicious

Machine

Name       Label      Manager  Started On           Shutdown On
target-01  target-01  ESX      2019-10-08 10:48:20  2019-10-08 10:52:02

URL Details

URL
https://attractionsyborcity.icu/26d9b8005c8a55d55fd9d02d7e8e9504/index.html?ip=121.99.158.83&siteid=YjY0Mjg1MDg3MTI3NzA4MDczOTIjMTU3MDUyODQyN0A1MDYwQF8yNzVmMjExMTk3ZmEyYjlmNDgyMGQzMWY1YjA1NGZjNw&trackid=20191008095548859
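
Decoding the submitted URL's tracking parameters, as an added worked example that is not part of the report: the siteid value is base64 without its padding, the ip parameter echoes the visitor's address back into the URL, and trackid reads like a YYYYMMDDhhmmssmmm stamp. The script below decodes siteid, splits it on '#' and '@', tests each field as a Unix epoch, parses trackid, and pulls out 32-hex-digit tokens from the path and the decoded value as pivot candidates. The separators, the UTC reading of trackid and the epoch interpretation are assumptions, marked as such in the code; the page states none of them.

```python
import base64
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# The submitted URL, copied from URL Details above.
REPORT_URL = (
    "https://attractionsyborcity.icu/26d9b8005c8a55d55fd9d02d7e8e9504/index.html"
    "?ip=121.99.158.83"
    "&siteid=YjY0Mjg1MDg3MTI3NzA4MDczOTIjMTU3MDUyODQyN0A1MDYwQF8yNzVmMjExMTk3ZmEyYjlmNDgyMGQzMWY1YjA1NGZjNw"
    "&trackid=20191008095548859"
)

# Exactly 32 hex digits not embedded in a longer hex run (md5-sized tokens).
HEX32 = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")


def b64decode_lenient(s: str) -> bytes:
    """Decode base64 that may use the URL-safe alphabet and may lack '=' padding."""
    s = s.strip().replace("-", "+").replace("_", "/")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def as_plausible_epoch(field: str):
    """Aware datetime if `field` is a 10-digit Unix time between 2010 and 2030, else None."""
    if not (field.isdigit() and len(field) == 10):
        return None
    ts = int(field)
    if 1262304000 <= ts < 1893456000:   # 2010-01-01T00:00Z .. 2030-01-01T00:00Z
        return datetime.fromtimestamp(ts, tz=timezone.utc)
    return None


def decode_tracking_params(url: str) -> dict:
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    siteid_text = b64decode_lenient(qs["siteid"][0]).decode("ascii", "replace")

    # Assumption: '#' and '@' separate fields inside the decoded siteid.
    fields = re.split(r"[#@]", siteid_text)
    epochs = [d for d in map(as_plausible_epoch, fields) if d is not None]

    # Assumption: trackid is YYYYMMDDhhmmss followed by milliseconds, in UTC.
    trackid = qs["trackid"][0]
    trackid_dt = datetime.strptime(trackid[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    trackid_dt += timedelta(milliseconds=int(trackid[14:] or "0"))

    return {
        "host": parts.hostname,
        "ip_param": qs.get("ip", [None])[0],        # visitor address echoed back in the URL
        "siteid_decoded": siteid_text,
        "siteid_fields": fields,
        "embedded_epochs": [d.isoformat() for d in epochs],
        "trackid_time": trackid_dt.isoformat(),
        # Seconds from the first embedded epoch to the trackid stamp; a gap of a couple
        # of minutes supports the reading that both came from the same redirect chain.
        "delta_seconds": (trackid_dt - epochs[0]).total_seconds() if epochs else None,
        # Candidate pivot values for searching other reports or proxy logs.
        "hex32_tokens": HEX32.findall(parts.path) + HEX32.findall(siteid_text),
    }


if __name__ == "__main__":
    for key, value in decode_tracking_params(REPORT_URL).items():
        print(f"{key}: {value}")
```

For this URL the decoded siteid contains a field that parses as 2019-10-08 09:53:47 UTC, about two minutes before the trackid stamp and under an hour before the analysis started, which is what one would expect of a per-visit tracking token rather than a static campaign id.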

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Attempts to connect to a dead IP:Port (3 unique times)
IP: 93.184.220.29:80 (Europe)
IP: 204.79.197.200:80 (United States)
IP: 104.28.19.108:443 (United States)
Dynamic (imported) function loading detected
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: comctl32.dll/LoadIconWithScaleDown
DynamicLoader: IEUI.dll/InitGadgets
DynamicLoader: ieproxy.dll/DllGetClassObject
DynamicLoader: ieproxy.dll/DllCanUnloadNow
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: propsys.dll/PSGetPropertyKeyFromName
DynamicLoader: USER32.dll/MsgWaitForMultipleObjectsEx
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: comctl32.dll/
DynamicLoader: UxTheme.dll/IsAppThemed
DynamicLoader: comctl32.dll/ImageList_LoadImageW
DynamicLoader: comctl32.dll/ImageList_GetIconSize
DynamicLoader: UxTheme.dll/IsCompositionActive
DynamicLoader: UxTheme.dll/SetWindowTheme
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: comctl32.dll/ImageList_Create
DynamicLoader: comctl32.dll/ImageList_ReplaceIcon
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/ImageList_AddMasked
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: IMM32.DLL/ImmIsIME
DynamicLoader: urlmon.dll/CoInternetCreateSecurityManager
DynamicLoader: MSCTF.dll/SetInputScopes2
DynamicLoader: UxTheme.dll/EnableThemeDialogTexture
DynamicLoader: urlmon.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: UxTheme.dll/IsThemeActive
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: IEUI.dll/CreateGadget
DynamicLoader: IEUI.dll/SetGadgetMessageFilter
DynamicLoader: IEUI.dll/SetGadgetStyle
DynamicLoader: IEUI.dll/SetGadgetRootInfo
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: xmllite.dll/CreateXmlReader
DynamicLoader: xmllite.dll/CreateXmlReaderInputWithEncodingName
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PSPropertyBag_WriteStr
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PSPropertyBag_WriteGUID
DynamicLoader: propsys.dll/PSPropertyBag_ReadGUID
DynamicLoader: IEUI.dll/FindStdColor
DynamicLoader: IEUI.dll/InvalidateGadget
DynamicLoader: IEUI.dll/SetGadgetParent
DynamicLoader: IEUI.dll/GetGadgetTicket
DynamicLoader: IEUI.dll/SetGadgetRect
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: urlmon.dll/
DynamicLoader: urlmon.dll/
DynamicLoader: kernel32.dll/GetThreadUILanguage
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: SHELL32.dll/SHGetInstanceExplorer
DynamicLoader: WININET.dll/InternetSetOptionW
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: IEUI.dll/PeekMessageExW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/RegisterDragDrop
DynamicLoader: RPCRT4.dll/RpcBindingToStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringBindingParseW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/I_RpcBindingInqLocalClientPID
DynamicLoader: RPCRT4.dll/RpcServerInqCallAttributesW
DynamicLoader: RPCRT4.dll/RpcImpersonateClient
DynamicLoader: RPCRT4.dll/RpcRevertToSelf
DynamicLoader: RPCRT4.dll/NdrServerCall2
DynamicLoader: RPCRT4.dll/RpcBindingInqObject
DynamicLoader: msfeeds.dll/MsfeedsCreateInstance
DynamicLoader: SHELL32.dll/SHGetSpecialFolderPathW
DynamicLoader: SHELL32.dll/
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: SHELL32.dll/SHCreateDirectoryExW
DynamicLoader: WININET.dll/FindFirstUrlCacheContainerW
DynamicLoader: WININET.dll/FindNextUrlCacheContainerW
DynamicLoader: WININET.dll/FindCloseUrlCache
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: MSIMG32.dll/GradientFill
DynamicLoader: GDI32.dll/GetTextExtentExPointWPri
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: IEUI.dll/WaitMessageEx
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDToProxyStubCLSID
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDToTLBPath
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: SXS.DLL/SxsOleAut32RedirectTypeLibrary
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/PSGetPropertyDescription
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: propsys.dll/PropVariantToString
DynamicLoader: propsys.dll/InitPropVariantFromStringAsVector
DynamicLoader: propsys.dll/PSCoerceToCanonicalValue
DynamicLoader: USP10.dll/ScriptIsComplex
DynamicLoader: urlmon.dll/
DynamicLoader: urlmon.dll/
DynamicLoader: SHELL32.dll/SHGetKnownFolderPath
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: urlmon.dll/CoInternetCreateSecurityManager
DynamicLoader: urlmon.dll/CoInternetCreateZoneManager
DynamicLoader: urlmon.dll/CoInternetIsFeatureEnabledForUrl
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: MSIMG32.dll/AlphaBlend
DynamicLoader: urlmon.dll/CreateUri
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoW
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: RPCRT4.dll/UuidCreateSequential
DynamicLoader: ole32.dll/StgOpenStorageEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: USER32.dll/CharLowerW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: CRYPT32.dll/CryptUnprotectData
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: CRYPTBASE.dll/SystemFunction041
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: IEUI.dll/FindGadgetFromPoint
DynamicLoader: IEUI.dll/DUserSendEvent
DynamicLoader: IEUI.dll/GetGadgetRect
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/SetProcessDEPPolicy
DynamicLoader: USER32.dll/SetProcessDPIAware
DynamicLoader: SHELL32.dll/SetCurrentProcessExplicitAppUserModelID
DynamicLoader: USER32.dll/GetShellWindow
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: IEFRAME.dll/
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: comctl32.dll/PropertySheetW
DynamicLoader: comctl32.dll/PropertySheetA
DynamicLoader: comdlg32.dll/PageSetupDlgW
DynamicLoader: comdlg32.dll/PrintDlgW
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: IEShims.dll/IEShims_Initialize
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: USER32.dll/SetWindowsHookExW
DynamicLoader: USER32.dll/FindWindowExA
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: ADVAPI32.dll/RegQueryValueA
DynamicLoader: ntdll.dll/LdrRegisterDllNotification
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: kernel32.dll/WerRegisterMemoryBlock
DynamicLoader: kernel32.dll/WerUnregisterMemoryBlock
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: RPCRT4.dll/RpcServerUseProtseqW
DynamicLoader: RPCRT4.dll/RpcServerRegisterIfEx
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: RPCRT4.dll/RpcServerInqBindings
DynamicLoader: RPCRT4.dll/RpcEpRegisterW
DynamicLoader: RPCRT4.dll/RpcServerListen
DynamicLoader: SHELL32.dll/SHGetInstanceExplorer
DynamicLoader: USER32.dll/RegisterClassExW
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: USER32.dll/MsgWaitForMultipleObjectsEx
DynamicLoader: urlmon.dll/
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: ADVAPI32.dll/TraceMessage
DynamicLoader: ADVAPI32.dll/TraceMessageVa
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: sqmapi.dll/SqmGetSession
DynamicLoader: sqmapi.dll/SqmEndSession
DynamicLoader: sqmapi.dll/SqmStartSession
DynamicLoader: sqmapi.dll/SqmStartUpload
DynamicLoader: sqmapi.dll/SqmWaitForUploadComplete
DynamicLoader: sqmapi.dll/SqmSet
DynamicLoader: sqmapi.dll/SqmSetBool
DynamicLoader: sqmapi.dll/SqmSetBits
DynamicLoader: sqmapi.dll/SqmSetString
DynamicLoader: sqmapi.dll/SqmIncrement
DynamicLoader: sqmapi.dll/SqmSetIfMax
DynamicLoader: sqmapi.dll/SqmSetIfMin
DynamicLoader: sqmapi.dll/SqmAddToAverage
DynamicLoader: sqmapi.dll/SqmAddToStreamDWord
DynamicLoader: sqmapi.dll/SqmAddToStreamString
DynamicLoader: sqmapi.dll/SqmSetAppId
DynamicLoader: sqmapi.dll/SqmSetAppVersion
DynamicLoader: sqmapi.dll/SqmSetMachineId
DynamicLoader: sqmapi.dll/SqmSetUserId
DynamicLoader: sqmapi.dll/SqmCreateNewId
DynamicLoader: sqmapi.dll/SqmReadSharedMachineId
DynamicLoader: sqmapi.dll/SqmReadSharedUserId
DynamicLoader: sqmapi.dll/SqmWriteSharedMachineId
DynamicLoader: sqmapi.dll/SqmWriteSharedUserId
DynamicLoader: sqmapi.dll/SqmIsWindowsOptedIn
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PSPropertyBag_WriteStr
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PSPropertyBag_WriteGUID
DynamicLoader: propsys.dll/PSPropertyBag_ReadGUID
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: WININET.dll/InternetSetOptionW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ieproxy.dll/DllGetClassObject
DynamicLoader: ieproxy.dll/DllCanUnloadNow
DynamicLoader: SHELL32.dll/SHChangeNotifyRegisterThread
DynamicLoader: comctl32.dll/
DynamicLoader: IEShims.dll/IEShims_SetRedirectRegistryForThread
DynamicLoader: RPCRT4.dll/RpcBindingToStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringBindingParseW
DynamicLoader: RPCRT4.dll/I_RpcBindingInqLocalClientPID
DynamicLoader: RPCRT4.dll/RpcServerInqCallAttributesW
DynamicLoader: RPCRT4.dll/RpcImpersonateClient
DynamicLoader: RPCRT4.dll/RpcRevertToSelf
DynamicLoader: RPCRT4.dll/NdrServerCall2
DynamicLoader: RPCRT4.dll/RpcBindingInqObject
DynamicLoader: apphelp.dll/ApphelpCheckShellObject
DynamicLoader: comctl32.dll/ImageList_Destroy
DynamicLoader: comctl32.dll/ImageList_LoadImageW
DynamicLoader: comctl32.dll/ImageList_Add
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoExW
DynamicLoader: MLANG.dll/
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoExA
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: comctl32.dll/
DynamicLoader: UxTheme.dll/IsAppThemed
DynamicLoader: WININET.dll/InternetQueryOptionA
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/RegisterDragDrop
DynamicLoader: UxTheme.dll/SetWindowTheme
DynamicLoader: UxTheme.dll/IsThemeActive
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: GDI32.dll/GetTextExtentExPointWPri
DynamicLoader: urlmon.dll/
DynamicLoader: apphelp.dll/ApphelpCheckShellObject
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: AcroIEHelper.dll/StubInit
DynamicLoader: AcroIEHelper.dll/StubSetSite
DynamicLoader: AcroIEHelper.dll/StubOnQuit
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: SHLWAPI.dll/PathFileExistsA
DynamicLoader: SHLWAPI.dll/PathFileExistsA
DynamicLoader: SHLWAPI.dll/PathFileExistsA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryValueA
DynamicLoader: urlmon.dll/CreateUri
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: ADVAPI32.dll/AddMandatoryAce
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoW
DynamicLoader: SXS.DLL/SxsOleAut32RedirectTypeLibrary
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: RASAPI32.dll/RasEnumEntriesW
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: rtutils.dll/TraceRegisterExA
DynamicLoader: rtutils.dll/TracePrintfExA
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: SHLWAPI.dll/PathCanonicalizeW
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: sensapi.dll/IsNetworkAlive
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: NLAapi.dll/NSPStartup
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: comctl32.dll/ImageList_Create
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/ImageList_AddMasked
DynamicLoader: comctl32.dll/LoadIconWithScaleDown
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: comctl32.dll/ImageList_ReplaceIcon
DynamicLoader: urlmon.dll/CreateURLMonikerEx
DynamicLoader: urlmon.dll/CreateAsyncBindCtxEx
DynamicLoader: urlmon.dll/RegisterBindStatusCallback
DynamicLoader: urlmon.dll/CreateFormatEnumerator
DynamicLoader: urlmon.dll/UrlMkGetSessionOption
DynamicLoader: urlmon.dll/CoInternetCreateSecurityManager
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: MLANG.dll/
DynamicLoader: urlmon.dll/
DynamicLoader: urlmon.dll/
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: urlmon.dll/CreateIUriBuilder
DynamicLoader: urlmon.dll/IntlPercentEncodeNormalize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: USER32.dll/ChangeWindowMessageFilter
DynamicLoader: DWMAPI.DLL/DwmSetWindowAttribute
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: UxTheme.dll/BufferedPaintInit
DynamicLoader: UxTheme.dll/BufferedPaintRenderAnimation
DynamicLoader: UxTheme.dll/BeginBufferedAnimation
DynamicLoader: UxTheme.dll/DrawThemeParentBackground
DynamicLoader: UxTheme.dll/EndBufferedAnimation
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: urlmon.dll/CoInternetCreateSecurityManager
DynamicLoader: urlmon.dll/CoInternetCreateZoneManager
DynamicLoader: urlmon.dll/CoInternetIsFeatureEnabledForUrl
DynamicLoader: CRYPTSP.dll/SystemFunction035
DynamicLoader: schannel.DLL/SpUserModeInitialize
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: CRYPT32.dll/CertDuplicateStore
DynamicLoader: CRYPT32.dll/CertControlStore
DynamicLoader: CRYPT32.dll/CertCloseStore
DynamicLoader: Secur32.dll/FreeContextBuffer
DynamicLoader: ncrypt.dll/SslOpenProvider
DynamicLoader: ncrypt.dll/GetSChannelInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/SslIncrementProviderReferenceCount
DynamicLoader: ncrypt.dll/SslImportKey
DynamicLoader: bcryptprimitives.dll/GetCipherInterface
DynamicLoader: ncrypt.dll/SslLookupCipherSuiteInfo
DynamicLoader: CRYPT32.dll/CertDuplicateCertificateContext
DynamicLoader: wintrust.dll/HTTPSCertificateTrust
DynamicLoader: wintrust.dll/HTTPSFinalProv
DynamicLoader: wintrust.dll/SoftpubInitialize
DynamicLoader: wintrust.dll/SoftpubLoadMessage
DynamicLoader: wintrust.dll/SoftpubLoadSignature
DynamicLoader: wintrust.dll/SoftpubCheckCert
DynamicLoader: wintrust.dll/SoftpubCleanup
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpSetTimeouts
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpCrackUrl
DynamicLoader: SHLWAPI.dll/StrCmpNW
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpGetDefaultProxyConfiguration
DynamicLoader: WINHTTP.dll/WinHttpGetIEProxyConfigForCurrentUser
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: NSI.dll/NsiAllocateAndGetTable
DynamicLoader: CFGMGR32.dll/CM_Open_Class_Key_ExW
DynamicLoader: iphlpapi.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: iphlpapi.DLL/GetIfEntry2
DynamicLoader: iphlpapi.DLL/GetIpForwardTable2
DynamicLoader: iphlpapi.DLL/GetIpNetEntry2
DynamicLoader: iphlpapi.DLL/FreeMibTable
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: NSI.dll/NsiFreeTable
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: WINHTTP.dll/WinHttpGetProxyForUrl
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: ws2_32.DLL/GetAddrInfoW
DynamicLoader: ws2_32.DLL/WSASocketW
DynamicLoader: ws2_32.DLL/
DynamicLoader: ws2_32.DLL/
DynamicLoader: ws2_32.DLL/
DynamicLoader: ws2_32.DLL/WSAIoctl
DynamicLoader: ws2_32.DLL/FreeAddrInfoW
DynamicLoader: ws2_32.DLL/
DynamicLoader: ws2_32.DLL/
DynamicLoader: ws2_32.DLL/WSARecv
DynamicLoader: ws2_32.DLL/WSASend
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: SHLWAPI.dll/StrStrIW
DynamicLoader: WINHTTP.dll/WinHttpQueryDataAvailable
DynamicLoader: WINHTTP.dll/WinHttpReadData
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: CRYPT32.dll/CertDuplicateCertificateChain
DynamicLoader: CRYPT32.dll/CertGetCertificateContextProperty
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: CRYPT32.dll/CertFreeCertificateChain
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: ncrypt.dll/SslEncryptPacket
DynamicLoader: ncrypt.dll/SslDecryptPacket
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoA
DynamicLoader: urlmon.dll/CoInternetQueryInfo
DynamicLoader: WININET.dll/CommitUrlCacheEntryA
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: IEFRAME.dll/
DynamicLoader: urlmon.dll/RegisterFormatEnumerator
DynamicLoader: urlmon.dll/RevokeBindStatusCallback
DynamicLoader: urlmon.dll/CoInternetCreateZoneManager
DynamicLoader: urlmon.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: urlmon.dll/CoInternetIsFeatureEnabled
DynamicLoader: OLEAUT32.dll/VariantClear
DynamicLoader: urlmon.dll/
DynamicLoader: WININET.dll/InternetGetSecurityInfoByURLW
DynamicLoader: CRYPT32.dll/CertGetCertificateContextProperty
DynamicLoader: CRYPT32.dll/CryptDecodeObject
DynamicLoader: CRYPT32.dll/CryptDecodeObject
DynamicLoader: CRYPT32.dll/CertGetNameStringW
DynamicLoader: CRYPT32.dll/CertFreeCertificateChain
DynamicLoader: urlmon.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/BSTR_UserSize
DynamicLoader: OLEAUT32.dll/BSTR_UserMarshal
DynamicLoader: OLEAUT32.dll/BSTR_UserUnmarshal
DynamicLoader: OLEAUT32.dll/BSTR_UserFree
DynamicLoader: OLEAUT32.dll/VARIANT_UserSize
DynamicLoader: OLEAUT32.dll/VARIANT_UserMarshal
DynamicLoader: OLEAUT32.dll/VARIANT_UserUnmarshal
DynamicLoader: OLEAUT32.dll/VARIANT_UserFree
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserSize
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserMarshal
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserUnmarshal
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ole32.dll/CoGetObjectContext
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WININET.dll/InternetErrorDlg
DynamicLoader: UxTheme.dll/EnableThemeDialogTexture
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: comctl32.dll/LoadIconWithScaleDown
DynamicLoader: GDI32.dll/GetObjectW
DynamicLoader: GDI32.dll/CreateFontIndirectW
DynamicLoader: IMM32.DLL/ImmGetCompositionWindow
DynamicLoader: IMM32.DLL/ImmGetCandidateWindow
DynamicLoader: urlmon.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: GDI32.dll/DeleteObject
DynamicLoader: UxTheme.dll/IsAppThemed
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WININET.dll/InternetGetConnectedState
DynamicLoader: urlmon.dll/
DynamicLoader: DWMAPI.DLL/DwmInvalidateIconicBitmaps
DynamicLoader: urlmon.dll/
DynamicLoader: urlmon.dll/URLDownloadToCacheFileW
DynamicLoader: ncrypt.dll/SslDecrementProviderReferenceCount
DynamicLoader: ncrypt.dll/SslFreeObject
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ws2_32.DLL/
DynamicLoader: comctl32.dll/
Performs HTTP requests potentially not found in PCAP.
url: attractionsyborcity.icu:443//26d9b8005c8a55d55fd9d02d7e8e9504/index.html?ip=121.99.158.83&siteid=YjY0Mjg1MDg3MTI3NzA4MDczOTIjMTU3MDUyODQyN0A1MDYwQF8yNzVmMjExMTk3ZmEyYjlmNDgyMGQzMWY1YjA1NGZjNw&trackid=20191008095548859
Sniffs keystrokes
SetWindowsHookExW: Process: explorer.exe(1632)
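
Triaging the DynamicLoader signature above, as an added example that is not CAPE's own code: the list mixes hundreds of resolutions that are routine for iexplore.exe with a few a reviewer should look at (SetWindowsHookExW, VirtualProtect, CreateProcessW/A, CryptUnprotectData, URLDownloadToFileW, RegDeleteTreeW, SetEntriesInAclW). The script parses lines in exactly the format printed above, counts named imports per DLL, counts the unnamed ones (a trailing '/' means the import was resolved by ordinal), picks up the SetWindowsHookExW attribution line, and reports watch-listed APIs that do not appear in a baseline from a clean run. The watch-list grouping and the baseline contents are ours and constructed; the sample input is a handful of lines copied from the signature list.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt: lines copied from the signature section above.
SAMPLE_SIGNATURE_LINES = """\
Dynamic (imported) function loading detected
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: CRYPT32.dll/CryptUnprotectData
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: USER32.dll/SetWindowsHookExW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/VirtualProtect
Sniffs keystrokes
SetWindowsHookExW: Process: explorer.exe(1632)
"""

LOADER_RE = re.compile(r"^DynamicLoader:\s*(?P<dll>[^/\s]+)/(?P<api>\S*)$")
HOOK_RE = re.compile(r"^(?P<api>SetWindowsHookEx[AW]?):\s*Process:\s*(?P<image>[^(]+)\((?P<pid>\d+)\)")

# Our own grouping of exports worth a second look; the names are real Win32 exports.
WATCHLIST = {
    "hooking": {"SetWindowsHookExW", "SetWindowsHookExA"},
    "memory_protection": {"VirtualProtect", "VirtualProtectEx"},
    "process_creation": {"CreateProcessW", "CreateProcessA"},
    "dpapi_secrets": {"CryptUnprotectData"},
    "download": {"URLDownloadToFileW", "URLDownloadToCacheFileW", "WinHttpSendRequest"},
    "acl_tamper": {"SetEntriesInAclW", "AddMandatoryAce"},
    "registry_wipe": {"RegDeleteTreeW", "RegDeleteTreeA"},
}

# Constructed baseline: "dll/Api" pairs a clean run of the same browser image also showed.
CLEAN_IE_BASELINE = frozenset({"kernel32.dll/CreateProcessW"})


def parse_dynamic_loader(text: str) -> dict:
    per_dll = defaultdict(Counter)
    unresolved = Counter()          # trailing '/' = resolved by ordinal, no export name
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LOADER_RE.match(line)
        if m:
            dll = m["dll"].lower()
            if m["api"]:
                per_dll[dll][m["api"]] += 1
            else:
                unresolved[dll] += 1
            continue
        h = HOOK_RE.match(line)
        if h:
            hooks.append({"api": h["api"], "image": h["image"].strip(), "pid": int(h["pid"])})
    return {"per_dll": {d: dict(c) for d, c in per_dll.items()},
            "unresolved": dict(unresolved), "hooks": hooks}


def flag_watchlist(parsed: dict, baseline=frozenset()) -> dict:
    """Category -> sorted 'dll/Api' keys seen in this run but absent from the baseline."""
    hits = defaultdict(set)
    for dll, apis in parsed["per_dll"].items():
        for api in apis:
            key = f"{dll}/{api}"
            if key in baseline:
                continue
            for category, names in WATCHLIST.items():
                if api in names:
                    hits[category].add(key)
    return {c: sorted(keys) for c, keys in hits.items()}


if __name__ == "__main__":
    parsed = parse_dynamic_loader(SAMPLE_SIGNATURE_LINES)
    print("unresolved imports:", parsed["unresolved"])
    print("hooks:", parsed["hooks"])
    for category, keys in flag_watchlist(parsed, CLEAN_IE_BASELINE).items():
        print(f"{category}: {', '.join(keys)}")
```

The baseline is the part that matters in practice: a browser resolves most of these exports on every run, so the signal is in the difference between this run and a clean run of the same image, not in the raw list. Note also that the hook attribution names explorer.exe (pid 1632), the process CAPE injected into at shutdown, not the iexplore.exe processes.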

Screenshots


Hosts

Direct  IP              Country Name
N       93.184.220.29   Europe
N       80.239.247.44   Switzerland
Y       8.8.8.8         United States
N       204.79.197.200  United States
N       104.28.19.108   United States

DNS

Name                     Response                                        Post-Analysis Lookup
www.bing.com             CNAME dual-a-0001.a-msedge.net
                         CNAME a-0001.a-afdentry.net.trafficmanager.net
                         A     204.79.197.200
                         A     13.107.21.200
attractionsyborcity.icu  A     104.28.18.108
                         A     104.28.19.108
ocsp.digicert.com        A     93.184.220.29
                         CNAME cs9.wac.phicdn.net
crl.microsoft.com        A     80.239.247.53
                         A     80.239.247.44
                         CNAME crl.www.ms.akadns.net
                         CNAME a1363.dscg.akamai.net
CNAME a1363.dscg.akamai.net [VT]

Summary

Process Tree

  • iexplore.exe 2112 "https://attractionsyborcity.icu/26d9b8005c8a55d55fd9d02d7e8e9504/index.html?ip=121.99.158.83&siteid=YjY0Mjg1MDg3MTI3NzA4MDczOTIjMTU3MDUyODQyN0A1MDYwQF8yNzVmMjExMTk3ZmEyYjlmNDgyMGQzMWY1YjA1NGZjNw&trac ...(truncated)
  • explorer.exe 1632

iexplore.exe, PID: 2112, Parent PID: 2480
Full Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Command Line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" "https://attractionsyborcity.icu/26d9b8005c8a55d55fd9d02d7e8e9504/index.html?ip=121.99.158.83&siteid=YjY0Mjg1MDg3MTI3NzA4MDczOTIjMTU3MDUyODQyN0A1MDYwQF8yNzVmMjExMTk3ZmEyYjlmNDgyMGQzMWY1YjA1NGZjNw&trackid=20191008095548859"
iexplore.exe, PID: 2308, Parent PID: 2112
Full Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Command Line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2112 CREDAT:79873
explorer.exe, PID: 1632, Parent PID: 1496
Full Path: C:\Windows\explorer.exe
Command Line: C:\Windows\Explorer.EXE

TCP

Source         Source Port  Destination                              Destination Port
192.168.35.21  49170        104.28.19.108 (attractionsyborcity.icu)  443
192.168.35.21  49182        104.28.19.108 (attractionsyborcity.icu)  443
192.168.35.21  49167        204.79.197.200 (www.bing.com)            80
192.168.35.21  49185        80.239.247.44 (crl.microsoft.com)        80
192.168.35.21  49171        93.184.220.29 (ocsp.digicert.com)        80

UDP

Source         Source Port  Destination  Destination Port
192.168.35.21  53447        8.8.8.8      53
192.168.35.21  57255        8.8.8.8      53
192.168.35.21  58094        8.8.8.8      53
192.168.35.21  65365        8.8.8.8      53

HTTP Requests

URI Data
http://www.bing.com/favicon.ico
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: www.bing.com
Connection: Keep-Alive

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrBBNpPfHTPX6Jy6BVzyBPnBWMnQQUPnQtH89FdQR%2BP8Cihz5MQ4NRE8YCEAi60nK6K0l2q1gE0KPDqqw%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrBBNpPfHTPX6Jy6BVzyBPnBWMnQQUPnQtH89FdQR%2BP8Cihz5MQ4NRE8YCEAi60nK6K0l2q1gE0KPDqqw%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com

http://crl.microsoft.com/pki/crl/products/WinPCA.crl
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 02 Dec 2015 18:30:06 GMT
If-None-Match: "0cb60772f2dd11:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Suricata Extracted files

No Suricata Extracted files.

JA3

Source         Source Port  Destination                              Destination Port  JA3 Hash                          JA3 Description
192.168.35.21  49170        104.28.19.108 (attractionsyborcity.icu)  443               2201d8e006f8f005a6b415f61e677532  MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21  49182        104.28.19.108 (attractionsyborcity.icu)  443               2201d8e006f8f005a6b415f61e677532  MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
File name search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
File Size 237 bytes
File Type PNG image data, 16 x 16, 4-bit colormap, non-interlaced
MD5 9fb559a691078558e77d6848202f6541
SHA1 ea13848d33c2c7f4f4baa39348aeb1dbfad3df31
SHA256 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
CRC32 FC87942A
Ssdeep 6:6v/lhPIF6R/C+u1fXNg1XQ3yslRtNO+cKvAElRApGCp:6v/7b/C1fm1ZslRTvAElR47
ClamAV None
Yara None matched
CAPE Yara None matched
File name 6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1
File Size 1507 bytes
File Type data
MD5 78300fd9aad90138c54b9237df6f5dff
SHA1 f0dec34b4462cbc6f6cb6f8cf91ce1f397fc187d
SHA256 68a04a8ac399be26b9bbe3c083e11966e32a447f89bc654f5af9f4e7a444984b
CRC32 493C87D5
Ssdeep 24:C92KDsStE0nGDZKw/TVqtXtjDu6T997ZGm5sdkie784y02KDh6ruXfxdv1QnzTMZ:4DBJGDZmtja6xV0Ddkd784yUDwu3ukQa
ClamAV None
Yara None matched
CAPE Yara None matched
File name 6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1
File Size 438 bytes
File Type data
MD5 417b92932a32f96fbe6e61388d152102
SHA1 da7e0eeb5d9749e2be8c93f52ce8d56b1ef1e870
SHA256 6bdd541fa994ed5930008215946258c329cde92f6218f1aad3d42fc242fb812a
CRC32 95E0A7B7
Ssdeep 6:kK3yZ77BfOAUMivhClroFluSaZH0lwKa2lWlAJ3yOsAqMMgSlH5Mlrq3GlglM:whmxMiv8sFluSEIM63xtSlHQlgM
ClamAV None
Yara None matched
CAPE Yara None matched
File name C1B3CC7FF1466C71640A202F8258105B_56A4790D76DE2ED8A98C5912468158EB
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C1B3CC7FF1466C71640A202F8258105B_56A4790D76DE2ED8A98C5912468158EB
File Size 279 bytes
File Type data
MD5 b6f324119c2ba3273a446aa2d263f2bb
SHA1 49ad7a9b489201751814fcf442ff1ef89ac20ecf
SHA256 487feba180307900f231292fea3c5d50ba4a5911b36ceed7a5527d851b1be2f4
CRC32 661E6EB0
Ssdeep 6:J0kkTuhAFNUHWWX5o7soL+AuhAx1eUHG0KyDqPxLFndnWnCSHn:JTkqGNUHWG5Owy1eUHG0KZjnLqn
ClamAV None
Yara None matched
CAPE Yara None matched
File name C1B3CC7FF1466C71640A202F8258105B_56A4790D76DE2ED8A98C5912468158EB
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C1B3CC7FF1466C71640A202F8258105B_56A4790D76DE2ED8A98C5912468158EB
File Size 430 bytes
File Type data
MD5 7f645e6f861cb896e41b0c4f19f610d6
SHA1 00b259e58314fbea5dff23867c5cc9dbad67486c
SHA256 9e9eb7ef1d909d75987d4474f93afb4e55808788acb8053d9c4a50c107e7813f
CRC32 6BF190A3
Ssdeep 6:kKtktWqM0iXLNfOAUMivhClroFFUplAHv+eUsrsL2skqPlTlgs5vkrqIn4OO:J5mxMiv8sFFUrZeUsrAWqO74R
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Feeds Cache\index.dat
File Size 32768 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 077eb5d924c84ec41447ad7795b38734
SHA1 e3b4793862bb370db5ddd3cb5e607034172336e1
SHA256 06813b4ee292b191c05cb15febfba874e7f4caac47a8c3081041a20880708209
CRC32 E2F624C0
Ssdeep 48:q3xbTpYVfruSYufruXYsfAjYmeKZ6MYCI:qZTuVfrutufruIsfAc26Lv
ClamAV None
Yara None matched
CAPE Yara None matched
File name user@attractionsyborcity[1].txt
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@attractionsyborcity[1].txt
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
File name user@attractionsyborcity[1].txt
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@attractionsyborcity[1].txt
File Size 125 bytes
File Type ASCII text
MD5 9b40a07847ebd42cbb60be712c1e3a85
SHA1 8966660988851e0a2fb64baa14399fee4cab7ddf
SHA256 e78531ab20fa405cf575a3e6859bed407d90a4623cdc43fe9ef33f6453238be0
CRC32 F86BC2B1
Ssdeep 3:GmM/m1Gds5RBVvX7GNWlGM6LD/kcNvevSTXd5RSn:XM/hoXVDGEw/VN2KTXd5Qn
ClamAV None
Yara None matched
CAPE Yara None matched
Display Text
__cfduid
def5f8f6297c88a8e7bdd7339f69540ea1570531722
attractionsyborcity.icu/
9728
1811996928
30842007
1572742000
30768625
*
File name index[1].htm
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\index[1].htm
File Size 42461 bytes
File Type HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
MD5 1c754e09c0aa848d81d4195f9103681b
SHA1 aaf68eec0c4b563e33f4085d6e65098cda794cfe
SHA256 72dcfa4bb086dc1a5c1bd5c29cc0c96d6d6fb3f4de83955db263d87f9737af48
CRC32 2DB004BF
Ssdeep 768:6tX9pLhi/vvKRhzBXAQGQRQRQSSQXfXQboQwoQxpIQPhQScQUCQJPlQGbQLLQEcF:e9lM8hzyQNQRQvQvQsQ7QxCQ5QpQRQVl
ClamAV None
Yara None matched
CAPE Yara None matched
Display Text
<html>
<head>
    <base href="">
    <script>
        function getURLParameter(name) {
            return decodeURIComponent(
                (RegExp(name + '=' + '(.+?)(&|$)').exec(location.search) || [, null])[1] || ''
            );
        }
    </script>


    <title>Vocus</title>
    <link rel="icon" type="image/x-icon" href="img/favicon.ico">
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, maximum-scale=1.0, minimum-slace=1.0, initial-scale=1.0">
    <link href="css/css.css" rel="stylesheet" type="text/css">
    <link rel="stylesheet" type="text/css" href="css/style.css">
</head>
<body>
    <script>
        //alert("Dear Vocus Customer,\n\nYou have been selected to win :\n- Apple iPhone Xs \n- Samsung Galaxy S10 \n- Apple Watch\n\nAttention, number of gift are limited.\n\nPress OK to continue! \n\nIP : " + (getURLParameter('ip')) + "\n\nUser reference : 6241\n\n");
        navigator.vibrate = navigator.vibrate || navigator.webkitVibrate || navigator.mozVibrate || navigator.msVibrate;
        navigator.vibrate([1000, 500, 1000]);
    </script>

    <!--<audio autoplay="" preload="">
        <source src="default.ogg" type="audio/ogg">
        <source src="default.mp3" type="audio/mpeg">
        </source></source>
    </audio>-->
    <div id="header">
        <div id="header_wrapper">
        </div>
    </div>
    <div id="wrapper">
        <div id="copy">
            <h1>Dear Vocus Customer, Congratulations!</h1>
            <p>
                Vocus is holding an anniversary celebration for next<b>
                    7 days
                    <script>
                        function fun_date(addDays) {
                            var monthNames = new Array("January", "February", "March", "April", "May", "June", "July", "August", "September", "October", "November", "December");
                            var date1 = new Date();
                            var time1 = date1.getFullYear() + "-" + (date1.getMonth() + 1) + "-" + date1.getDate();
                            var date2 = new Date(date1);
                            date2.setDate(date1.getDate() + addDays);
                            time2 = monthNames[date2.getMonth()] + "." + date2.getDate();
                            return time2;
                        }
                        document.write('(' + fun_date(0) + ' -> ' + fun_date(7) + ')')

                    </script>
                </b> to thank your loyalty for using us as Internet Provider.
            </p>
            <p>
                We will select 10 lucky users everyday to win an exclusive gift from us, including  <b>free Apple iPhone Xs, Samsung Galaxy S10, Apple Watch</b> for choosing us. And Your IP address
                <b>
                    <script>document.write(getURLParameter('ip'))</script>
                </b>
                has been selected.
            </p>
            <p>
                You have to simply answer our anonymous survey below to win your prize. Hurry up!  8 users have received this invitation and there are only 2 prizes to win.
            </p>
        </div>
        <!-- <div id="timer_bar" style="display: none;">Vous n’avez que <b><span id="minutes">4</span> minutes et <span id="seconds">59</span> secondes</b> pour répondre aux 3 questions suivantes avant que les prix ne soient donnés à un autre visiteur chanceux! Bonne chance!</div> -->
        <div class="survey">
            <div class="question q-1" style="display: block;">
                <p>Are you satisfied with Vocus?</p>
                <div class="answers">
                    <div class="firs <truncated>
File name Web Slice Gallery~.feed-ms
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms
File Size 28672 bytes
File Type Composite Document File V2 Document, No summary info
MD5 d4cc7ce677b6ab7b521a1659aed301c8
SHA1 e1f036a56474983c11b5369dc6d46f158b0d4e0e
SHA256 3e23031a2b91f47683115473ce73964a196b68405153b815af14f7bde5032586
CRC32 E843F4D5
Ssdeep 12:Jw77mFQCb777777777777777777777777777777/FJl8vbf+8Gc7777777777777:Jsbf+8/2As4WYiit
ClamAV None
Yara None matched
CAPE Yara None matched
File name {25A5D01B-E9B9-11E9-8662-000C2940B9FB}.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{25A5D01B-E9B9-11E9-8662-000C2940B9FB}.dat
File Size 5120 bytes
File Type Composite Document File V2 Document, No summary info
MD5 433e39ff110fe56da0be3dc771b6213f
SHA1 569376ca7d8d826d1891b0b6b1fe224b4f24f21e
SHA256 a87ef31a7943b407090515f4e444d67ba9611442c925a739cabb1dfccf3802d8
CRC32 FA5E102E
Ssdeep 24:raGxG1Nlj1tz1YFtWqLWkU0clFNlX1tPsbiFHDbCyQ/Nb:raGxGNH5gtWqyk2PHPtFHiyQ/Nb
ClamAV None
Yara None matched
CAPE Yara None matched
File name RecoveryStore.{25A5D01A-E9B9-11E9-8662-000C2940B9FB}.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{25A5D01A-E9B9-11E9-8662-000C2940B9FB}.dat
File Size 3584 bytes
File Type Composite Document File V2 Document, No summary info
MD5 7a630933df9e8b12c6f0fb74846136a7
SHA1 53f50b5a9b1f092ca619054b99ada4df6aca0745
SHA256 ba1e5b3d78c7bb77438516d4c58f61dbd08280080643b476ea922b1e327541fa
CRC32 AEB3CD2B
Ssdeep 12:rl0YmGF2B4rEg5+IaCrI017+F3DrEgmf+IaCy8qgQNlTq1tvjvAAlt/Llt:rIS5/wGv/TQNlW1tvz7/7
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
File Size 32768 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 4d5e9581edbc79e5a6db9fba33fb9e0b
SHA1 30cc792bbc1b563003191268969cc4b7f0dc764b
SHA256 74df2d805195dfa6ea5278e1a2ec2944547c7d3173f29f989ec29873b9128986
CRC32 680D9F3E
Ssdeep 12:qj5Gtl8ET3fY15221wv841Qqcbe3I8dp221w+I8NMoeaNfJE1QqcbSM:qj5Cl8D15nc8CHVdpnFTNMopNfJWH
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
File Size 32768 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 6eb99cdea1938a54e7d8ce671b720a9d
SHA1 b9c4d371d871240f5c05a25f0d530a89f7a34e8e
SHA256 eb872ef7e18ec5051308f3af585aea03864d4bad3cf78dfb1d0251ad7d0cff60
CRC32 63EC9734
Ssdeep 48:q+PPf/ZJLHrPaIZxqT/mf7RCpwV+4igHDt/UwbmXhBgkBVGWYCIh:q+PH/ZpLdq0lV9Nbojbm
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
File Size 65536 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 19686bab83c93889715dc4898d1662dd
SHA1 59fa9e82986af392e026ce395bef0f3b58f79410
SHA256 44af149eb0ffba1c61113cddfe3948c8e33c7391cec66909c3b709cad0f671ce
CRC32 DB1F178D
Ssdeep 384:lWfpSjxBNPrNa73dg3skdVQnQeW+4fTJ16ziXrAsjCCtn/NJ03:ipSBNaCdBr/CSl
ClamAV None
Yara None matched
CAPE Yara None matched

No CAPE files.

Process Name iexplore.exe
PID 2112
Dump Size 663040 bytes
Module Path C:\Program Files (x86)\Internet Explorer\iexplore.exe
Type PE imageexecutable
MD5 f77fef5ce67bba49b312b084f03d5605
SHA1 77517577da2b4ada057d750a1050c6d746e0ab32
SHA256 559ddabf70515c1a0a64bed30cb1fbe519cce2b8978c141ad4610620d39c9723
CRC32 36C37282
Ssdeep 12288:6FPX+pd167QhE0s7+jM+M6ugRfMMkIM7ovX+pd167QhE0u7+:eE6Ehg7mM+M6RkMkIM7gE6Eh67
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 559ddabf70515c1a0a64bed30cb1fbe519cce2b8978c141ad4610620d39c9723
Process Name explorer.exe
PID 1632
Dump Size 2862080 bytes
Module Path C:\Windows\explorer.exe
Type PE image: 64-bit executable
MD5 f586a68f04290b36b948b6f413a39e85
SHA1 0e59d200208195624f1d5e7aa7d96f5eed7fc0fe
SHA256 d44e73c483072fa8a5d870fd6e3366bfd71b78eae29456fec413e01c69e9aef3
CRC32 9FAB8C4F
Ssdeep 49152:gxrceI/lIRYraisQhFCUuxvYYYYYYYYYYYRYYYYYYYYYYE3iA7/eFUJN9ojoso2W:6rcPlIWYvYYYYYYYYYYYRYYYYYYYYYY4
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename d44e73c483072fa8a5d870fd6e3366bfd71b78eae29456fec413e01c69e9aef3

Processing ( 14.237 seconds )

  • 10.018 Static
  • 2.016 ProcDump
  • 1.673 BehaviorAnalysis
  • 0.254 Dropped
  • 0.24 Deduplicate
  • 0.03 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 1.317 seconds )

  • 0.611 antidbg_windows
  • 0.107 antiav_detectreg
  • 0.087 stealth_timeout
  • 0.057 api_spamming
  • 0.039 infostealer_ftp
  • 0.032 antivm_vbox_window
  • 0.025 antisandbox_script_timer
  • 0.024 antivm_generic_scsi
  • 0.022 antianalysis_detectreg
  • 0.022 infostealer_im
  • 0.014 mimics_filetime
  • 0.014 infostealer_mail
  • 0.012 antivm_generic_services
  • 0.012 antivm_generic_disk
  • 0.011 Doppelganging
  • 0.011 recon_programs
  • 0.01 antivm_vbox_keys
  • 0.01 ransomware_files
  • 0.009 bootkit
  • 0.009 virus
  • 0.008 antiav_detectfile
  • 0.007 antivm_vmware_keys
  • 0.005 uac_bypass_eventvwr
  • 0.005 injection_createremotethread
  • 0.005 betabot_behavior
  • 0.005 InjectionCreateRemoteThread
  • 0.005 kibex_behavior
  • 0.005 dynamic_function_loading
  • 0.005 hancitor_behavior
  • 0.005 antivm_parallels_keys
  • 0.005 antivm_xen_keys
  • 0.005 darkcomet_regkeys
  • 0.005 infostealer_bitcoin
  • 0.005 recon_fingerprint
  • 0.004 malicious_dynamic_function_loading
  • 0.004 antiemu_wine_func
  • 0.004 InjectionProcessHollowing
  • 0.004 infostealer_browser_password
  • 0.004 persistence_autorun
  • 0.004 injection_runpe
  • 0.004 geodo_banking_trojan
  • 0.004 ransomware_extensions
  • 0.003 antivm_vbox_libs
  • 0.003 InjectionInterProcess
  • 0.003 exploit_getbasekerneladdress
  • 0.003 kovter_behavior
  • 0.003 antivm_generic_diskreg
  • 0.003 antivm_vbox_files
  • 0.003 antivm_vpc_keys
  • 0.002 exploit_heapspray
  • 0.002 stack_pivot
  • 0.002 dridex_behavior
  • 0.002 exploit_gethaldispatchtable
  • 0.002 InjectionSetWindowLong
  • 0.002 vawtrak_behavior
  • 0.002 antianalysis_detectfile
  • 0.002 browser_security
  • 0.002 disables_browser_warn
  • 0.001 tinba_behavior
  • 0.001 andromeda_behavior
  • 0.001 hawkeye_behavior
  • 0.001 network_tor
  • 0.001 sets_autoconfig_url
  • 0.001 antidebug_guardpages
  • 0.001 rat_nanocore
  • 0.001 antiav_avast_libs
  • 0.001 infostealer_browser
  • 0.001 stealth_network
  • 0.001 modifies_desktop_wallpaper
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 antisandbox_sboxie_libs
  • 0.001 ipc_namedpipe
  • 0.001 EvilGrab
  • 0.001 shifu_behavior
  • 0.001 exec_crash
  • 0.001 neshta_files
  • 0.001 cerber_behavior
  • 0.001 antiav_bitdefender_libs
  • 0.001 antidbg_devices
  • 0.001 antivm_xen_keys
  • 0.001 antivm_generic_bios
  • 0.001 antivm_generic_cpu
  • 0.001 antivm_generic_system
  • 0.001 antivm_hyperv_keys
  • 0.001 antivm_vmware_files
  • 0.001 bot_drive
  • 0.001 bypass_firewall
  • 0.001 ie_martian_children
  • 0.001 network_torgateway
  • 0.001 packer_armadillo_regkey
  • 0.001 remcos_regkeys

Reporting ( 0.017 seconds )

  • 0.017 CompressResults
Task ID 94113
Mongo ID 5d9c6a6c1f2c13bbdd6ff0c5
Cuckoo release 1.3-CAPE