Analysis

Category: URL
Package: ie
Started: 2019-10-09 19:18:20
Completed: 2019-10-09 19:22:06
Duration: 226 seconds

Options
route = internet
procdump = 1

Log
2019-10-09 20:18:21,000 [root] INFO: Date set to: 10-09-19, time set to: 19:18:21, timeout set to: 200
2019-10-09 20:18:21,030 [root] DEBUG: Starting analyzer from: C:\erylqxbx
2019-10-09 20:18:21,030 [root] DEBUG: Storing results at: C:\QNgLemTzGV
2019-10-09 20:18:21,030 [root] DEBUG: Pipe server name: \\.\PIPE\slRjbbWeBg
2019-10-09 20:18:21,030 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-09 20:18:21,030 [root] INFO: Automatically selected analysis package "ie"
2019-10-09 20:18:21,950 [root] DEBUG: Started auxiliary module Browser
2019-10-09 20:18:21,950 [root] DEBUG: Started auxiliary module Curtain
2019-10-09 20:18:21,950 [modules.auxiliary.digisig] DEBUG: Skipping authenticode validation, analysis is not a file.
2019-10-09 20:18:21,950 [root] DEBUG: Started auxiliary module DigiSig
2019-10-09 20:18:21,950 [root] DEBUG: Started auxiliary module Disguise
2019-10-09 20:18:21,950 [root] DEBUG: Started auxiliary module Human
2019-10-09 20:18:21,950 [root] DEBUG: Started auxiliary module Screenshots
2019-10-09 20:18:21,967 [root] DEBUG: Started auxiliary module Sysmon
2019-10-09 20:18:21,967 [root] DEBUG: Started auxiliary module Usage
2019-10-09 20:18:21,967 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL option
2019-10-09 20:18:21,967 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL_64 option
2019-10-09 20:18:22,045 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" with arguments ""www.suste0n.com/energy/transition/ovmaxz/kinolt"" with pid 1988
2019-10-09 20:18:22,045 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 20:18:22,045 [lib.api.process] INFO: 32-bit DLL to inject is C:\erylqxbx\dll\YlJrIEzG.dll, loader C:\erylqxbx\bin\YlIhWsm.exe
2019-10-09 20:18:22,279 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\slRjbbWeBg.
2019-10-09 20:18:22,279 [root] DEBUG: Loader: Injecting process 1988 (thread 2792) with C:\erylqxbx\dll\YlJrIEzG.dll.
2019-10-09 20:18:22,279 [root] DEBUG: Process image base: 0x01330000
2019-10-09 20:18:22,293 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\erylqxbx\dll\YlJrIEzG.dll.
2019-10-09 20:18:22,293 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x013D6000 - 0x77380000
2019-10-09 20:18:22,293 [root] DEBUG: InjectDllViaIAT: Allocated 0x218 bytes for new import table at 0x013E0000.
2019-10-09 20:18:22,293 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-09 20:18:22,293 [root] DEBUG: Successfully injected DLL C:\erylqxbx\dll\YlJrIEzG.dll.
2019-10-09 20:18:22,293 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1988
2019-10-09 20:18:24,306 [lib.api.process] INFO: Successfully resumed process with pid 1988
2019-10-09 20:18:24,306 [root] INFO: Added new process to list with pid: 1988
2019-10-09 20:18:24,384 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 20:18:24,384 [root] DEBUG: Process dumps enabled.
2019-10-09 20:18:24,431 [root] INFO: Disabling sleep skipping.
2019-10-09 20:18:24,431 [root] INFO: Disabling sleep skipping.
2019-10-09 20:18:24,431 [root] INFO: Disabling sleep skipping.
2019-10-09 20:18:24,431 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-09 20:18:24,431 [root] INFO: Disabling sleep skipping.
2019-10-09 20:18:24,431 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1988 at 0x747a0000, image base 0x1330000, stack from 0x1c2000-0x1d0000
2019-10-09 20:18:24,431 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" "www.suste0n.com\energy\transition\ovmaxz\kinolt".
2019-10-09 20:18:24,431 [root] INFO: Monitor successfully loaded in process with pid 1988.
2019-10-09 20:18:24,463 [root] DEBUG: DLL unloaded from 0x76940000.
2019-10-09 20:18:24,493 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\system32\IEFRAME (0xa80000 bytes).
2019-10-09 20:18:24,525 [root] DEBUG: DLL loaded at 0x74B60000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-10-09 20:18:24,525 [root] DEBUG: DLL loaded at 0x74600000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-09 20:18:24,555 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-09 20:18:24,572 [root] DEBUG: DLL loaded at 0x752D0000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-10-09 20:18:24,572 [root] DEBUG: DLL loaded at 0x75850000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-10-09 20:18:24,588 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-10-09 20:18:24,588 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2019-10-09 20:18:24,588 [root] DEBUG: DLL loaded at 0x74B20000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-10-09 20:18:24,588 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-09 20:18:24,602 [root] DEBUG: DLL loaded at 0x745A0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-09 20:18:24,602 [root] DEBUG: DLL loaded at 0x74E30000: C:\Windows\System32\nlaapi (0x10000 bytes).
2019-10-09 20:18:24,618 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-09 20:18:24,618 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-09 20:18:24,618 [root] DEBUG: DLL loaded at 0x74B10000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-09 20:18:24,618 [root] DEBUG: DLL unloaded from 0x745A0000.
2019-10-09 20:18:24,618 [root] DEBUG: DLL loaded at 0x768C0000: C:\Windows\syswow64\comdlg32 (0x7b000 bytes).
2019-10-09 20:18:24,680 [root] DEBUG: DLL loaded at 0x745C0000: C:\Program Files (x86)\Internet Explorer\sqmapi (0x33000 bytes).
2019-10-09 20:18:24,697 [root] DEBUG: DLL unloaded from 0x75760000.
2019-10-09 20:18:24,697 [root] DEBUG: DLL unloaded from 0x77050000.
2019-10-09 20:18:24,697 [root] DEBUG: DLL unloaded from 0x745C0000.
2019-10-09 20:18:24,697 [root] DEBUG: DLL loaded at 0x74BB0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-09 20:18:24,697 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-09 20:18:24,697 [root] DEBUG: DLL unloaded from 0x77560000.
2019-10-09 20:18:24,711 [root] DEBUG: DLL loaded at 0x74B00000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-10-09 20:18:24,822 [root] DEBUG: DLL unloaded from 0x75530000.
2019-10-09 20:18:24,822 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-09 20:18:24,836 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 1408
2019-10-09 20:18:24,836 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 20:18:24,852 [lib.api.process] INFO: 32-bit DLL to inject is C:\erylqxbx\dll\YlJrIEzG.dll, loader C:\erylqxbx\bin\YlIhWsm.exe
2019-10-09 20:18:24,852 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\slRjbbWeBg.
2019-10-09 20:18:24,852 [root] DEBUG: Loader: Injecting process 1408 (thread 608) with C:\erylqxbx\dll\YlJrIEzG.dll.
2019-10-09 20:18:24,852 [root] DEBUG: Process image base: 0x01330000
2019-10-09 20:18:24,852 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\erylqxbx\dll\YlJrIEzG.dll.
2019-10-09 20:18:24,852 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x013D6000 - 0x77380000
2019-10-09 20:18:24,852 [root] DEBUG: InjectDllViaIAT: Allocated 0x218 bytes for new import table at 0x013E0000.
2019-10-09 20:18:24,852 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-09 20:18:24,852 [root] DEBUG: Successfully injected DLL C:\erylqxbx\dll\YlJrIEzG.dll.
2019-10-09 20:18:24,852 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1408
2019-10-09 20:18:24,852 [root] DEBUG: DLL unloaded from 0x01330000.
2019-10-09 20:18:24,852 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 1408
2019-10-09 20:18:24,852 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 20:18:24,852 [lib.api.process] INFO: 32-bit DLL to inject is C:\erylqxbx\dll\YlJrIEzG.dll, loader C:\erylqxbx\bin\YlIhWsm.exe
2019-10-09 20:18:24,852 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\slRjbbWeBg.
2019-10-09 20:18:24,852 [root] DEBUG: Loader: Injecting process 1408 (thread 608) with C:\erylqxbx\dll\YlJrIEzG.dll.
2019-10-09 20:18:24,852 [root] DEBUG: Process image base: 0x01330000
2019-10-09 20:18:24,852 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\erylqxbx\dll\YlJrIEzG.dll.
2019-10-09 20:18:24,852 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-09 20:18:24,852 [root] DEBUG: Successfully injected DLL C:\erylqxbx\dll\YlJrIEzG.dll.
2019-10-09 20:18:24,852 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1408
2019-10-09 20:18:24,852 [root] DEBUG: DLL loaded at 0x745A0000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-10-09 20:18:24,868 [root] DEBUG: DLL loaded at 0x74580000: C:\Windows\system32\rasman (0x15000 bytes).
2019-10-09 20:18:24,868 [root] DEBUG: DLL unloaded from 0x745A0000.
2019-10-09 20:18:24,868 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 20:18:24,868 [root] DEBUG: Process dumps enabled.
2019-10-09 20:18:24,868 [root] INFO: Disabling sleep skipping.
2019-10-09 20:18:24,868 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-09 20:18:24,868 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1408 at 0x747a0000, image base 0x1330000, stack from 0x2a2000-0x2b0000
2019-10-09 20:18:24,868 [root] DEBUG: Commandline: C:\Users\user\Desktop\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1988 CREDAT:79873.
2019-10-09 20:18:24,868 [root] INFO: Added new process to list with pid: 1408
2019-10-09 20:18:24,868 [root] INFO: Monitor successfully loaded in process with pid 1408.
2019-10-09 20:18:24,868 [root] DEBUG: DLL unloaded from 0x76940000.
2019-10-09 20:18:24,884 [root] DEBUG: DLL loaded at 0x731E0000: C:\Windows\system32\IEFRAME (0xa80000 bytes).
2019-10-09 20:18:24,884 [root] DEBUG: DLL loaded at 0x74B60000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-10-09 20:18:24,884 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-10-09 20:18:24,884 [root] DEBUG: DLL loaded at 0x74600000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-09 20:18:24,884 [root] DEBUG: DLL unloaded from 0x74AF0000.
2019-10-09 20:18:24,884 [root] DEBUG: DLL loaded at 0x768C0000: C:\Windows\syswow64\comdlg32 (0x7b000 bytes).
2019-10-09 20:18:24,884 [root] DEBUG: DLL unloaded from 0x74580000.
2019-10-09 20:18:24,900 [root] DEBUG: DLL unloaded from 0x75370000.
2019-10-09 20:18:24,900 [root] DEBUG: DLL loaded at 0x74530000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-10-09 20:18:24,900 [root] DEBUG: DLL loaded at 0x74E30000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-10-09 20:18:24,900 [root] DEBUG: DLL loaded at 0x74E20000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-10-09 20:18:24,900 [root] DEBUG: DLL loaded at 0x74540000: C:\Program Files (x86)\Internet Explorer\IEShims (0x35000 bytes).
2019-10-09 20:18:24,900 [root] DEBUG: DLL loaded at 0x74E00000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-10-09 20:18:24,900 [root] DEBUG: DLL loaded at 0x74F00000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-10-09 20:18:24,900 [root] DEBUG: DLL loaded at 0x74DA0000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-10-09 20:18:24,900 [root] DEBUG: DLL loaded at 0x74EF0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-10-09 20:18:24,900 [root] DEBUG: DLL loaded at 0x74520000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-10-09 20:18:24,900 [root] DEBUG: DLL loaded at 0x74510000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-10-09 20:18:24,914 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-10-09 20:18:24,914 [root] DEBUG: DLL loaded at 0x74B10000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-09 20:18:24,930 [root] DEBUG: DLL loaded at 0x74490000: C:\Program Files (x86)\Internet Explorer\sqmapi (0x33000 bytes).
2019-10-09 20:18:24,930 [root] DEBUG: DLL unloaded from 0x75760000.
2019-10-09 20:18:24,930 [root] DEBUG: DLL unloaded from 0x77050000.
2019-10-09 20:18:24,930 [root] DEBUG: DLL unloaded from 0x74490000.
2019-10-09 20:18:24,930 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1708
2019-10-09 20:18:24,930 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 20:18:24,930 [lib.api.process] INFO: 64-bit DLL to inject is C:\erylqxbx\dll\SFatcA.dll, loader C:\erylqxbx\bin\wnZfGBnB.exe
2019-10-09 20:18:24,930 [root] DEBUG: DLL loaded at 0x74470000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-09 20:18:24,946 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\slRjbbWeBg.
2019-10-09 20:18:24,946 [root] DEBUG: DLL loaded at 0x74450000: C:\Windows\system32\DHCPCSVC (0x12000 bytes).
2019-10-09 20:18:24,946 [root] DEBUG: Loader: Injecting process 1708 (thread 0) with C:\erylqxbx\dll\SFatcA.dll.
2019-10-09 20:18:24,946 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-09 20:18:24,946 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2019-10-09 20:18:24,946 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1712, handle 0x84
2019-10-09 20:18:24,946 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-09 20:18:24,946 [root] DEBUG: Process image base: 0x00000000FFA80000
2019-10-09 20:18:24,946 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-09 20:18:24,946 [root] DEBUG: DLL unloaded from 0x74B30000.
2019-10-09 20:18:24,946 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-10-09 20:18:24,946 [root] DEBUG: DLL unloaded from 0x74450000.
2019-10-09 20:18:24,946 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-09 20:18:24,946 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-10-09 20:18:24,946 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-10-09 20:18:24,946 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 20:18:24,946 [root] DEBUG: Process dumps enabled.
2019-10-09 20:18:24,946 [root] INFO: Disabling sleep skipping.
2019-10-09 20:18:24,946 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-10-09 20:18:24,977 [root] DEBUG: DLL loaded at 0x74BB0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-09 20:18:24,977 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-09 20:18:24,993 [root] WARNING: Unable to place hook on LockResource
2019-10-09 20:18:24,993 [root] WARNING: Unable to hook LockResource
2019-10-09 20:18:24,993 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-09 20:18:25,039 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1708 at 0x0000000074260000, image base 0x00000000FFA80000, stack from 0x0000000005FA2000-0x0000000005FB0000
2019-10-09 20:18:25,039 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2019-10-09 20:18:25,039 [root] INFO: Added new process to list with pid: 1708
2019-10-09 20:18:25,039 [root] INFO: Monitor successfully loaded in process with pid 1708.
2019-10-09 20:18:25,039 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-09 20:18:25,039 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-09 20:18:25,039 [root] DEBUG: Successfully injected DLL C:\erylqxbx\dll\SFatcA.dll.
2019-10-09 20:18:25,071 [root] DEBUG: DLL loaded at 0x74230000: C:\Windows\system32\IEUI (0x2d000 bytes).
2019-10-09 20:18:25,071 [root] DEBUG: DLL loaded at 0x74220000: C:\Windows\system32\MSIMG32 (0x5000 bytes).
2019-10-09 20:18:25,101 [root] DEBUG: DLL loaded at 0x741F0000: C:\Program Files (x86)\Internet Explorer\ieproxy (0x2b000 bytes).
2019-10-09 20:18:25,118 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-10-09 20:18:25,134 [root] DEBUG: DLL unloaded from 0x74340000.
2019-10-09 20:18:25,148 [root] DEBUG: DLL loaded at 0x741E0000: C:\Windows\system32\mssprxy (0xc000 bytes).
2019-10-09 20:18:25,164 [root] DEBUG: DLL loaded at 0x74160000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-10-09 20:18:25,321 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-09 20:18:25,321 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-09 20:18:25,321 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-09 20:18:25,321 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-10-09 20:18:25,335 [root] DEBUG: DLL loaded at 0x74130000: C:\Windows\system32\xmllite (0x2f000 bytes).
2019-10-09 20:18:25,446 [root] DEBUG: DLL loaded at 0x73FC0000: C:\Windows\system32\explorerframe (0x16f000 bytes).
2019-10-09 20:18:25,476 [root] DEBUG: DLL loaded at 0x73F90000: C:\Windows\system32\DUser (0x2f000 bytes).
2019-10-09 20:18:25,492 [root] DEBUG: DLL loaded at 0x73ED0000: C:\Windows\system32\DUI70 (0xb2000 bytes).
2019-10-09 20:18:25,664 [root] DEBUG: DLL loaded at 0x752D0000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-10-09 20:18:25,664 [root] DEBUG: DLL loaded at 0x75850000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-10-09 20:18:25,664 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-10-09 20:18:25,664 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2019-10-09 20:18:25,680 [root] DEBUG: DLL loaded at 0x74B20000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-10-09 20:18:25,680 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-09 20:18:25,680 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-09 20:18:25,680 [root] DEBUG: DLL loaded at 0x741F0000: C:\Program Files (x86)\Internet Explorer\ieproxy (0x2b000 bytes).
2019-10-09 20:18:25,694 [root] DEBUG: DLL loaded at 0x73E30000: C:\Windows\system32\msfeeds (0x96000 bytes).
2019-10-09 20:18:25,742 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-09 20:18:25,742 [root] DEBUG: DLL loaded at 0x74B00000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-10-09 20:18:25,742 [root] DEBUG: DLL unloaded from 0x75530000.
2019-10-09 20:18:25,773 [root] DEBUG: DLL loaded at 0x73E00000: C:\Windows\system32\MLANG (0x2e000 bytes).
2019-10-09 20:18:25,789 [root] DEBUG: DLL loaded at 0x75520000: C:\Windows\syswow64\Normaliz (0x3000 bytes).
2019-10-09 20:18:25,789 [root] DEBUG: DLL loaded at 0x745A0000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-10-09 20:18:25,789 [root] DEBUG: DLL loaded at 0x74580000: C:\Windows\system32\rasman (0x15000 bytes).
2019-10-09 20:18:25,789 [root] DEBUG: DLL unloaded from 0x745A0000.
2019-10-09 20:18:25,789 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-10-09 20:18:25,789 [root] DEBUG: DLL unloaded from 0x75370000.
2019-10-09 20:18:25,789 [root] DEBUG: DLL loaded at 0x74530000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-10-09 20:18:25,789 [root] DEBUG: DLL unloaded from 0x74580000.
2019-10-09 20:18:25,789 [root] DEBUG: DLL unloaded from 0x77050000.
2019-10-09 20:18:25,789 [root] DEBUG: DLL loaded at 0x74F00000: C:\Windows\system32\mswsock (0x3c000 bytes).
2019-10-09 20:18:25,789 [root] DEBUG: DLL loaded at 0x74EF0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-10-09 20:18:25,789 [root] DEBUG: DLL loaded at 0x75520000: C:\Windows\syswow64\Normaliz (0x3000 bytes).
2019-10-09 20:18:25,803 [root] DEBUG: DLL loaded at 0x74E30000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-10-09 20:18:25,803 [root] DEBUG: DLL loaded at 0x74E20000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-10-09 20:18:25,803 [root] DEBUG: DLL loaded at 0x74E00000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-10-09 20:18:25,803 [root] DEBUG: DLL loaded at 0x74DA0000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-10-09 20:18:25,803 [root] DEBUG: DLL loaded at 0x74520000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-10-09 20:18:25,803 [root] DEBUG: DLL loaded at 0x74510000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-10-09 20:18:25,803 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-10-09 20:18:25,803 [root] DEBUG: DLL loaded at 0x74470000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-09 20:18:25,819 [root] DEBUG: DLL loaded at 0x74450000: C:\Windows\system32\DHCPCSVC (0x12000 bytes).
2019-10-09 20:18:25,819 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2019-10-09 20:18:25,819 [root] DEBUG: DLL loaded at 0x73E00000: C:\Windows\system32\MLANG (0x2e000 bytes).
2019-10-09 20:18:25,819 [root] DEBUG: DLL unloaded from 0x74B30000.
2019-10-09 20:18:25,819 [root] DEBUG: DLL unloaded from 0x74450000.
2019-10-09 20:18:25,835 [root] DEBUG: DLL loaded at 0x74160000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-10-09 20:18:25,851 [root] DEBUG: DLL loaded at 0x73DE0000: C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim (0x11000 bytes).
2019-10-09 20:18:25,851 [root] DEBUG: DLL loaded at 0x73D40000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80 (0x9b000 bytes).
2019-10-09 20:18:25,867 [root] DEBUG: DLL loaded at 0x73150000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCP80 (0x87000 bytes).
2019-10-09 20:18:25,914 [root] DEBUG: DLL loaded at 0x73D30000: C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper (0x10000 bytes).
2019-10-09 20:18:26,194 [root] DEBUG: DLL loaded at 0x73010000: C:\PROGRA~2\MICROS~1\Office14\URLREDIR (0x91000 bytes).
2019-10-09 20:18:26,210 [root] DEBUG: DLL loaded at 0x73140000: C:\Windows\system32\Secur32 (0x8000 bytes).
2019-10-09 20:18:26,210 [root] DEBUG: DLL loaded at 0x74E40000: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90 (0xa3000 bytes).
2019-10-09 20:18:26,226 [root] DEBUG: DLL loaded at 0x73120000: C:\PROGRA~2\MICROS~1\Office14\MSOHEV (0x14000 bytes).
2019-10-09 20:18:26,272 [root] DEBUG: DLL loaded at 0x73110000: C:\Program Files (x86)\Java\jre7\bin\jp2ssv (0xf000 bytes).
2019-10-09 20:18:26,303 [root] DEBUG: DLL loaded at 0x72F50000: C:\Program Files (x86)\Java\jre7\bin\MSVCR100 (0xbe000 bytes).
2019-10-09 20:18:26,303 [root] DEBUG: set_caller_info: Adding region at 0x04600000 to caller regions list (ntdll::LdrLoadDll).
2019-10-09 20:18:26,335 [root] DEBUG: set_caller_info: Adding region at 0x00980000 to caller regions list (advapi32::RegOpenKeyExA).
2019-10-09 20:18:26,349 [root] DEBUG: DLL loaded at 0x730B0000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-10-09 20:18:26,444 [root] DEBUG: DLL loaded at 0x72F30000: C:\Windows\system32\DWMAPI (0x13000 bytes).
2019-10-09 20:18:26,460 [root] DEBUG: DLL loaded at 0x730B0000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-10-09 20:18:26,474 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-10-09 20:18:26,538 [root] DEBUG: DLL unloaded from 0x77050000.
2019-10-09 20:18:27,240 [root] DEBUG: DLL unloaded from 0x75370000.
2019-10-09 20:18:28,112 [root] DEBUG: DLL unloaded from 0x75370000.
2019-10-09 20:18:28,160 [root] WARNING: File at path "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\favicon[1].ico" does not exist, skip.
2019-10-09 20:18:30,234 [root] DEBUG: DLL unloaded from 0x75530000.
2019-10-09 20:18:30,312 [root] DEBUG: DLL loaded at 0x72970000: C:\Windows\SysWOW64\mshtml (0x5b7000 bytes).
2019-10-09 20:18:30,344 [root] DEBUG: DLL loaded at 0x72940000: C:\Windows\SysWOW64\msls31 (0x2a000 bytes).
2019-10-09 20:18:30,391 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-10-09 20:18:30,437 [root] DEBUG: DLL loaded at 0x72930000: C:\Windows\system32\msimtf (0xb000 bytes).
2019-10-09 20:18:30,453 [root] DEBUG: DLL unloaded from 0x75530000.
2019-10-09 20:18:30,453 [root] DEBUG: DLL loaded at 0x72900000: C:\Windows\SysWOW64\iepeers (0x30000 bytes).
2019-10-09 20:18:30,483 [root] DEBUG: DLL loaded at 0x728A0000: C:\Windows\SysWOW64\WINSPOOL.DRV (0x51000 bytes).
2019-10-09 20:18:30,516 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-10-09 20:18:30,562 [root] DEBUG: DLL loaded at 0x727E0000: C:\Windows\SysWOW64\jscript (0xb2000 bytes).
2019-10-09 20:18:30,608 [root] DEBUG: DLL loaded at 0x727D0000: C:\Windows\system32\ImgUtil (0xb000 bytes).
2019-10-09 20:18:30,625 [root] DEBUG: DLL loaded at 0x727C0000: C:\Windows\SysWOW64\pngfilt (0xe000 bytes).
2019-10-09 20:18:30,655 [root] DEBUG: DLL loaded at 0x74220000: C:\Windows\system32\msimg32 (0x5000 bytes).
2019-10-09 20:18:35,226 [root] DEBUG: DLL unloaded from 0x75370000.
2019-10-09 20:18:35,367 [root] DEBUG: DLL loaded at 0x72680000: C:\Windows\System32\msxml3 (0x133000 bytes).
2019-10-09 20:18:35,678 [root] INFO: Announced 32-bit process name:  pid: 1
2019-10-09 20:18:35,678 [lib.api.process] WARNING: The process with pid 1 is not alive, injection aborted
2019-10-09 20:18:35,678 [root] DEBUG: DLL unloaded from 0x731E0000.
2019-10-09 20:18:35,742 [root] DEBUG: DLL unloaded from 0x000007FEFBC70000.
2019-10-09 20:18:40,608 [root] DEBUG: DLL unloaded from 0x72970000.
2019-10-09 20:18:55,131 [root] DEBUG: DLL unloaded from 0x76A70000.
2019-10-09 20:19:03,322 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF2C10000 to caller regions list (ntdll::NtDuplicateObject).
2019-10-09 20:19:03,338 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF86E0000 to caller regions list (ntdll::NtDuplicateObject).
2019-10-09 20:19:03,338 [root] DEBUG: DLL unloaded from 0x000007FEF59C0000.
2019-10-09 20:19:03,338 [root] DEBUG: DLL unloaded from 0x000007FEFA5F0000.
2019-10-09 20:19:03,338 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA5F0000 to caller regions list (ntdll::NtClose).
2019-10-09 20:19:03,338 [root] DEBUG: DLL unloaded from 0x000007FEFBAB0000.
2019-10-09 20:19:03,338 [root] DEBUG: DLL unloaded from 0x000007FEF9740000.
2019-10-09 20:19:03,354 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9740000 to caller regions list (ntdll::NtFreeVirtualMemory).
2019-10-09 20:19:03,354 [root] DEBUG: DLL unloaded from 0x000007FEF9C60000.
2019-10-09 20:19:03,368 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9C60000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-10-09 20:19:03,368 [root] DEBUG: DLL unloaded from 0x000007FEF96B0000.
2019-10-09 20:19:03,368 [root] DEBUG: DLL unloaded from 0x000007FEFA1D0000.
2019-10-09 20:19:03,368 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA1D0000 to caller regions list (ntdll::NtClose).
2019-10-09 20:19:03,368 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA100000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-10-09 20:19:05,709 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2019-10-09 20:19:25,770 [root] DEBUG: DLL unloaded from 0x76A70000.
2019-10-09 20:19:28,220 [root] DEBUG: DLL unloaded from 0x75370000.
2019-10-09 20:20:54,660 [root] DEBUG: DLL unloaded from 0x76A70000.
2019-10-09 20:21:46,092 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-10-09 20:21:46,092 [root] INFO: Created shutdown mutex.
2019-10-09 20:21:47,107 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1988
2019-10-09 20:21:47,107 [root] INFO: Terminate event set for process 1988.
2019-10-09 20:21:47,107 [root] INFO: Terminating process 1988 before shutdown.
2019-10-09 20:21:47,107 [root] INFO: Waiting for process 1988 to exit.
2019-10-09 20:21:47,107 [root] DEBUG: Terminate Event: Attempting to dump process 1988
2019-10-09 20:21:47,107 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x01330000.
2019-10-09 20:21:47,107 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-09 20:21:47,107 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x01330000.
2019-10-09 20:21:47,107 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001C9A.
2019-10-09 20:21:47,154 [root] INFO: Added new CAPE file to list with path: C:\QNgLemTzGV\CAPE\1988_157893145247211993102019
2019-10-09 20:21:47,154 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xa1e00.
2019-10-09 20:21:47,154 [root] DEBUG: Terminate Event: Skipping dump of process 1988
2019-10-09 20:21:47,154 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Local\Temp\~DF2AA392AA9EF903D9.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Local\\Temp\\~DF2AA392AA9EF903D9.TMP'
2019-10-09 20:21:47,154 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Local\Temp\~DFFEB15109DAA17597.TMP": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Local\\Temp\\~DFFEB15109DAA17597.TMP'
2019-10-09 20:21:47,184 [root] DEBUG: Terminate Event: Shutdown complete for process 1988 but failed to inform analyzer.
2019-10-09 20:21:48,121 [root] INFO: Terminating process 1408 before shutdown.
2019-10-09 20:21:48,121 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1708
2019-10-09 20:21:48,121 [root] INFO: Terminate event set for process 1708.
2019-10-09 20:21:48,121 [root] INFO: Terminating process 1708 before shutdown.
2019-10-09 20:21:48,121 [root] DEBUG: Terminate Event: Attempting to dump process 1708
2019-10-09 20:21:48,121 [root] INFO: Waiting for process 1708 to exit.
2019-10-09 20:21:48,121 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FFA80000.
2019-10-09 20:21:48,121 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-09 20:21:48,121 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFA80000.
2019-10-09 20:21:48,137 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000002B790.
2019-10-09 20:21:48,230 [root] INFO: Added new CAPE file to list with path: C:\QNgLemTzGV\CAPE\1708_46225312048211993102019
2019-10-09 20:21:48,246 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2bac00.
2019-10-09 20:21:48,246 [root] DEBUG: Terminate Event: Skipping dump of process 1708
2019-10-09 20:21:48,246 [root] DEBUG: Terminate Event: Shutdown complete for process 1708 but failed to inform analyzer.
2019-10-09 20:21:49,128 [root] INFO: Shutting down package.
2019-10-09 20:21:49,128 [root] INFO: Stopping auxiliary modules.
2019-10-09 20:21:49,128 [root] INFO: Finishing auxiliary modules.
2019-10-09 20:21:49,128 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-10-09 20:21:49,128 [root] WARNING: File at path "C:\QNgLemTzGV\debugger" does not exist, skip.
2019-10-09 20:21:49,128 [root] WARNING: Monitor injection attempted but failed for process 1.
2019-10-09 20:21:49,128 [root] INFO: Analysis completed.

MalScore

9.6 (Malicious)

Machine

Name: target-02
Label: target-02
Manager: ESX
Started On: 2019-10-09 19:18:21
Shutdown On: 2019-10-09 19:22:03

URL Details

URL: www.suste0n.com/energy/transition/ovmaxz/kinolt

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Attempts to connect to a dead IP:Port (2 unique times)
IP: 204.79.197.200:80 (United States)
IP: 192.210.142.147:80 (United States)
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: comctl32.dll/LoadIconWithScaleDown
DynamicLoader: IEUI.dll/InitGadgets
DynamicLoader: ieproxy.dll/DllGetClassObject
DynamicLoader: ieproxy.dll/DllCanUnloadNow
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: propsys.dll/PSGetPropertyKeyFromName
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: USER32.dll/MsgWaitForMultipleObjectsEx
DynamicLoader: comctl32.dll/
DynamicLoader: UxTheme.dll/IsAppThemed
DynamicLoader: comctl32.dll/ImageList_LoadImageW
DynamicLoader: comctl32.dll/ImageList_GetIconSize
DynamicLoader: UxTheme.dll/IsCompositionActive
DynamicLoader: UxTheme.dll/SetWindowTheme
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: comctl32.dll/ImageList_Create
DynamicLoader: comctl32.dll/ImageList_ReplaceIcon
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/ImageList_AddMasked
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: IMM32.DLL/ImmIsIME
DynamicLoader: urlmon.dll/CoInternetCreateSecurityManager
DynamicLoader: MSCTF.dll/SetInputScopes2
DynamicLoader: UxTheme.dll/EnableThemeDialogTexture
DynamicLoader: urlmon.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: UxTheme.dll/IsThemeActive
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: IEUI.dll/CreateGadget
DynamicLoader: IEUI.dll/SetGadgetMessageFilter
DynamicLoader: IEUI.dll/SetGadgetStyle
DynamicLoader: IEUI.dll/SetGadgetRootInfo
DynamicLoader: xmllite.dll/CreateXmlReader
DynamicLoader: xmllite.dll/CreateXmlReaderInputWithEncodingName
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PSPropertyBag_WriteStr
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PSPropertyBag_WriteGUID
DynamicLoader: propsys.dll/PSPropertyBag_ReadGUID
DynamicLoader: IEUI.dll/FindStdColor
DynamicLoader: IEUI.dll/InvalidateGadget
DynamicLoader: IEUI.dll/SetGadgetParent
DynamicLoader: IEUI.dll/GetGadgetTicket
DynamicLoader: IEUI.dll/SetGadgetRect
DynamicLoader: urlmon.dll/
DynamicLoader: urlmon.dll/
DynamicLoader: kernel32.dll/GetThreadUILanguage
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: SHELL32.dll/SHGetInstanceExplorer
DynamicLoader: WININET.dll/InternetSetOptionW
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: RPCRT4.dll/RpcBindingToStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringBindingParseW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/I_RpcBindingInqLocalClientPID
DynamicLoader: RPCRT4.dll/RpcServerInqCallAttributesW
DynamicLoader: RPCRT4.dll/RpcImpersonateClient
DynamicLoader: RPCRT4.dll/RpcRevertToSelf
DynamicLoader: RPCRT4.dll/NdrServerCall2
DynamicLoader: RPCRT4.dll/RpcBindingInqObject
DynamicLoader: IEUI.dll/PeekMessageExW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/RegisterDragDrop
DynamicLoader: msfeeds.dll/MsfeedsCreateInstance
DynamicLoader: SHELL32.dll/SHGetSpecialFolderPathW
DynamicLoader: SHELL32.dll/
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: SHELL32.dll/SHCreateDirectoryExW
DynamicLoader: WININET.dll/FindFirstUrlCacheContainerW
DynamicLoader: WININET.dll/FindNextUrlCacheContainerW
DynamicLoader: WININET.dll/FindCloseUrlCache
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: MSIMG32.dll/GradientFill
DynamicLoader: GDI32.dll/GetTextExtentExPointWPri
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: IEUI.dll/WaitMessageEx
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDToProxyStubCLSID
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDToTLBPath
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: SXS.DLL/SxsOleAut32RedirectTypeLibrary
DynamicLoader: propsys.dll/PSStringFromPropertyKey
DynamicLoader: propsys.dll/PSGetPropertyDescription
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: propsys.dll/PropVariantToString
DynamicLoader: propsys.dll/InitPropVariantFromStringAsVector
DynamicLoader: propsys.dll/PSCoerceToCanonicalValue
DynamicLoader: USP10.dll/ScriptIsComplex
DynamicLoader: urlmon.dll/
DynamicLoader: SHELL32.dll/SHGetKnownFolderPath
DynamicLoader: urlmon.dll/
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: urlmon.dll/CoInternetCreateSecurityManager
DynamicLoader: urlmon.dll/CoInternetCreateZoneManager
DynamicLoader: urlmon.dll/CoInternetIsFeatureEnabledForUrl
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: MSIMG32.dll/AlphaBlend
DynamicLoader: urlmon.dll/CreateUri
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoW
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: RPCRT4.dll/UuidCreateSequential
DynamicLoader: ole32.dll/StgOpenStorageEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: USER32.dll/CharLowerW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: CRYPT32.dll/CryptUnprotectData
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: CRYPTBASE.dll/SystemFunction041
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: IEUI.dll/FindGadgetFromPoint
DynamicLoader: IEUI.dll/DUserSendEvent
DynamicLoader: IEUI.dll/GetGadgetRect
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/SetProcessDEPPolicy
DynamicLoader: USER32.dll/SetProcessDPIAware
DynamicLoader: SHELL32.dll/SetCurrentProcessExplicitAppUserModelID
DynamicLoader: USER32.dll/GetShellWindow
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: IEFRAME.dll/
DynamicLoader: kernel32.dll/WerSetFlags
DynamicLoader: comctl32.dll/PropertySheetW
DynamicLoader: comctl32.dll/PropertySheetA
DynamicLoader: comdlg32.dll/PageSetupDlgW
DynamicLoader: comdlg32.dll/PrintDlgW
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: IEShims.dll/IEShims_Initialize
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: USER32.dll/SetWindowsHookExW
DynamicLoader: USER32.dll/FindWindowExA
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: ADVAPI32.dll/RegQueryValueA
DynamicLoader: ntdll.dll/LdrRegisterDllNotification
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: kernel32.dll/WerRegisterMemoryBlock
DynamicLoader: kernel32.dll/WerUnregisterMemoryBlock
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: RPCRT4.dll/RpcServerUseProtseqW
DynamicLoader: RPCRT4.dll/RpcServerRegisterIfEx
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: RPCRT4.dll/RpcServerInqBindings
DynamicLoader: RPCRT4.dll/RpcEpRegisterW
DynamicLoader: RPCRT4.dll/RpcServerListen
DynamicLoader: SHELL32.dll/SHGetInstanceExplorer
DynamicLoader: USER32.dll/RegisterClassExW
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: USER32.dll/MsgWaitForMultipleObjectsEx
DynamicLoader: urlmon.dll/
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: ADVAPI32.dll/TraceMessage
DynamicLoader: ADVAPI32.dll/TraceMessageVa
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: sqmapi.dll/SqmGetSession
DynamicLoader: sqmapi.dll/SqmEndSession
DynamicLoader: sqmapi.dll/SqmStartSession
DynamicLoader: sqmapi.dll/SqmStartUpload
DynamicLoader: sqmapi.dll/SqmWaitForUploadComplete
DynamicLoader: sqmapi.dll/SqmSet
DynamicLoader: sqmapi.dll/SqmSetBool
DynamicLoader: sqmapi.dll/SqmSetBits
DynamicLoader: sqmapi.dll/SqmSetString
DynamicLoader: sqmapi.dll/SqmIncrement
DynamicLoader: sqmapi.dll/SqmSetIfMax
DynamicLoader: sqmapi.dll/SqmSetIfMin
DynamicLoader: sqmapi.dll/SqmAddToAverage
DynamicLoader: sqmapi.dll/SqmAddToStreamDWord
DynamicLoader: sqmapi.dll/SqmAddToStreamString
DynamicLoader: sqmapi.dll/SqmSetAppId
DynamicLoader: sqmapi.dll/SqmSetAppVersion
DynamicLoader: sqmapi.dll/SqmSetMachineId
DynamicLoader: sqmapi.dll/SqmSetUserId
DynamicLoader: sqmapi.dll/SqmCreateNewId
DynamicLoader: sqmapi.dll/SqmReadSharedMachineId
DynamicLoader: sqmapi.dll/SqmReadSharedUserId
DynamicLoader: sqmapi.dll/SqmWriteSharedMachineId
DynamicLoader: sqmapi.dll/SqmWriteSharedUserId
DynamicLoader: sqmapi.dll/SqmIsWindowsOptedIn
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PSPropertyBag_WriteStr
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PSPropertyBag_WriteGUID
DynamicLoader: propsys.dll/PSPropertyBag_ReadGUID
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: WININET.dll/InternetSetOptionW
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ieproxy.dll/DllGetClassObject
DynamicLoader: ieproxy.dll/DllCanUnloadNow
DynamicLoader: SHELL32.dll/SHChangeNotifyRegisterThread
DynamicLoader: comctl32.dll/
DynamicLoader: IEShims.dll/IEShims_SetRedirectRegistryForThread
DynamicLoader: RPCRT4.dll/RpcBindingToStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringBindingParseW
DynamicLoader: RPCRT4.dll/I_RpcBindingInqLocalClientPID
DynamicLoader: RPCRT4.dll/RpcServerInqCallAttributesW
DynamicLoader: RPCRT4.dll/RpcImpersonateClient
DynamicLoader: RPCRT4.dll/RpcRevertToSelf
DynamicLoader: RPCRT4.dll/NdrServerCall2
DynamicLoader: RPCRT4.dll/RpcBindingInqObject
DynamicLoader: apphelp.dll/ApphelpCheckShellObject
DynamicLoader: urlmon.dll/CreateUri
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: ADVAPI32.dll/AddMandatoryAce
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoW
DynamicLoader: urlmon.dll/CreateURLMonikerEx
DynamicLoader: urlmon.dll/CreateAsyncBindCtxEx
DynamicLoader: urlmon.dll/RegisterBindStatusCallback
DynamicLoader: urlmon.dll/UrlMkGetSessionOption
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: NLAapi.dll/NSPStartup
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: MLANG.dll/
DynamicLoader: urlmon.dll/CoInternetCreateSecurityManager
DynamicLoader: urlmon.dll/
DynamicLoader: urlmon.dll/
DynamicLoader: comctl32.dll/ImageList_Destroy
DynamicLoader: comctl32.dll/ImageList_LoadImageW
DynamicLoader: comctl32.dll/ImageList_Add
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoExW
DynamicLoader: MLANG.dll/
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoExA
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: comctl32.dll/
DynamicLoader: UxTheme.dll/IsAppThemed
DynamicLoader: WININET.dll/InternetQueryOptionA
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/RegisterDragDrop
DynamicLoader: UxTheme.dll/SetWindowTheme
DynamicLoader: UxTheme.dll/IsThemeActive
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: GDI32.dll/GetTextExtentExPointWPri
DynamicLoader: urlmon.dll/
DynamicLoader: apphelp.dll/ApphelpCheckShellObject
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: AcroIEHelper.dll/StubInit
DynamicLoader: AcroIEHelper.dll/StubSetSite
DynamicLoader: AcroIEHelper.dll/StubOnQuit
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: SHLWAPI.dll/PathFileExistsA
DynamicLoader: SHLWAPI.dll/PathFileExistsA
DynamicLoader: SHLWAPI.dll/PathFileExistsA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryValueA
DynamicLoader: SXS.DLL/SxsOleAut32RedirectTypeLibrary
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: comctl32.dll/ImageList_Create
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/ImageList_AddMasked
DynamicLoader: comctl32.dll/LoadIconWithScaleDown
DynamicLoader: comctl32.dll/ImageList_ReplaceIcon
DynamicLoader: urlmon.dll/RevokeBindStatusCallback
DynamicLoader: urlmon.dll/CreateFormatEnumerator
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: urlmon.dll/CreateIUriBuilder
DynamicLoader: urlmon.dll/IntlPercentEncodeNormalize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: USER32.dll/ChangeWindowMessageFilter
DynamicLoader: DWMAPI.DLL/DwmSetWindowAttribute
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: UxTheme.dll/BufferedPaintInit
DynamicLoader: UxTheme.dll/BufferedPaintRenderAnimation
DynamicLoader: UxTheme.dll/BeginBufferedAnimation
DynamicLoader: UxTheme.dll/DrawThemeParentBackground
DynamicLoader: UxTheme.dll/EndBufferedAnimation
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: urlmon.dll/CoInternetCreateSecurityManager
DynamicLoader: urlmon.dll/CoInternetCreateZoneManager
DynamicLoader: urlmon.dll/CoInternetIsFeatureEnabledForUrl
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoA
DynamicLoader: urlmon.dll/CoInternetQueryInfo
DynamicLoader: WININET.dll/CommitUrlCacheEntryA
DynamicLoader: urlmon.dll/
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: IEFRAME.dll/
DynamicLoader: urlmon.dll/RegisterFormatEnumerator
DynamicLoader: urlmon.dll/CoInternetCreateZoneManager
DynamicLoader: urlmon.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WININET.dll/CreateUrlCacheEntryA
DynamicLoader: WININET.dll/CommitUrlCacheEntryA
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: SHELL32.dll/
DynamicLoader: WININET.dll/CreateUrlCacheContainerW
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoA
DynamicLoader: IEFRAME.dll/
DynamicLoader: urlmon.dll/CoInternetIsFeatureEnabled
DynamicLoader: OLEAUT32.dll/VariantClear
DynamicLoader: urlmon.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/BSTR_UserSize
DynamicLoader: OLEAUT32.dll/BSTR_UserMarshal
DynamicLoader: OLEAUT32.dll/BSTR_UserUnmarshal
DynamicLoader: OLEAUT32.dll/BSTR_UserFree
DynamicLoader: OLEAUT32.dll/VARIANT_UserSize
DynamicLoader: OLEAUT32.dll/VARIANT_UserMarshal
DynamicLoader: OLEAUT32.dll/VARIANT_UserUnmarshal
DynamicLoader: OLEAUT32.dll/VARIANT_UserFree
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserSize
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserMarshal
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserUnmarshal
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserFree
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ole32.dll/CoGetObjectContext
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ImgUtil.dll/DecodeImage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: urlmon.dll/
DynamicLoader: urlmon.dll/
DynamicLoader: msimg32.dll/AlphaBlend
DynamicLoader: DWMAPI.DLL/DwmInvalidateIconicBitmaps
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: comctl32.dll/
Performs HTTP requests potentially not found in PCAP.
url: www.suste0n.com:80//energy/transition/ovmaxz/kinolt
Sniffs keystrokes
SetWindowsHookExW: Process: explorer.exe(1708)
Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
regkeyval: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache
Stack pivoting was detected when using a critical API
process: iexplore.exe:1988

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
N 204.79.197.200 [VT] United States
N 192.210.142.147 [VT] United States

DNS

Name Response Post-Analysis Lookup
www.bing.com [VT] CNAME dual-a-0001.a-msedge.net [VT]
CNAME a-0001.a-afdentry.net.trafficmanager.net [VT]
A 204.79.197.200 [VT]
A 13.107.21.200 [VT]
www.suste0n.com [VT] A 192.210.142.147 [VT]
CNAME suste0n.com [VT]

Summary

Process Tree


iexplore.exe, PID: 1988, Parent PID: 2584
Full Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Command Line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" "www.suste0n.com/energy/transition/ovmaxz/kinolt"
iexplore.exe, PID: 1408, Parent PID: 1988
Full Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Command Line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1988 CREDAT:79873
explorer.exe, PID: 1708, Parent PID: 1660
Full Path: C:\Windows\explorer.exe
Command Line: C:\Windows\Explorer.EXE

TCP

Source Source Port Destination Destination Port
192.168.35.22 49169 192.210.142.147 www.suste0n.com 80
192.168.35.22 49165 204.79.197.200 www.bing.com 80

UDP

Source Source Port Destination Destination Port
192.168.35.22 58774 8.8.8.8 53
192.168.35.22 61809 8.8.8.8 53

HTTP Requests

URI Data
http://www.bing.com/favicon.ico
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: www.bing.com
Connection: Keep-Alive

http://www.suste0n.com/energy/transition/ovmaxz/kinolt
GET /energy/transition/ovmaxz/kinolt HTTP/1.1
Accept: */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.suste0n.com
Connection: Keep-Alive

http://www.suste0n.com/energy/transition/ovmaxz/kinolt/
GET /energy/transition/ovmaxz/kinolt/ HTTP/1.1
Accept: */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.suste0n.com
Connection: Keep-Alive

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
File Size 237 bytes
File Type PNG image data, 16 x 16, 4-bit colormap, non-interlaced
MD5 9fb559a691078558e77d6848202f6541
SHA1 ea13848d33c2c7f4f4baa39348aeb1dbfad3df31
SHA256 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
CRC32 FC87942A
Ssdeep 6:6v/lhPIF6R/C+u1fXNg1XQ3yslRtNO+cKvAElRApGCp:6v/7b/C1fm1ZslRTvAElR47
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Feeds Cache\index.dat
File Size 32768 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 077eb5d924c84ec41447ad7795b38734
SHA1 e3b4793862bb370db5ddd3cb5e607034172336e1
SHA256 06813b4ee292b191c05cb15febfba874e7f4caac47a8c3081041a20880708209
CRC32 E2F624C0
Ssdeep 48:q3xbTpYVfruSYufruXYsfAjYmeKZ6MYCI:qZTuVfrutufruIsfAc26Lv
ClamAV None
Yara None matched
CAPE Yara None matched
File name http_404[1]
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\http_404[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4W7O9ARC\ErrorPageTemplate[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\errorPageStrings[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1P0THEGK\httpErrorPagesScripts[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4W7O9ARC\info_48[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\background_gradient[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1P0THEGK\bullet[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4W7O9ARC\down[1]
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
File name http_404[1]
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\http_404[1]
File Size 6489 bytes
File Type HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
MD5 4cd84a1b063bf6dea53e06755ef9e24d
SHA1 9078ca0033b7be694b6af747cccc6b703cc84c29
SHA256 988cc4b451673f847d823c9d9ba14ad50d3ca1141bc1e17c6415b8f64b6e1c22
CRC32 761694B1
Ssdeep 48:up4d0yV4VkBXvLutC5N9J/1a5TI7kZ3GUXn3GFa7K083GJehBu01kptk7KwySpdW:uKp6yN9JaKktZX36a7x05hwW71M
ClamAV None
Yara None matched
CAPE Yara None matched
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html dir="ltr">

    <head>
        <link rel="stylesheet" type="text/css" href="ErrorPageTemplate.css">

        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

        <title>HTTP 404 Not Found</title>

        <script src="errorPageStrings.js" language="javascript" type="text/javascript">
        </script>
        <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">
        </script>
    </head>

    <body onLoad="javascript:initHomepage(); expandCollapse('infoBlockID', true); initGoBack(); initMoreInfo('infoBlockID');">

        <table width="730" cellpadding="0" cellspacing="0" border="0">

        <!-- Error title -->
            <tr>
                <td id="infoIconAlign" width="60" align="left" valign="top" rowspan="2">
                    <img src="info_48.png" id="infoIcon" alt="Info icon">
                </td>
                <td id="mainTitleAlign" valign="middle" align="left" width="*">
                    <h1 id="mainTitle">The webpage cannot be found</h1>
                </td>
            </tr>



            <tr>
                <!-- This row is for HTTP status code, as well as the divider-->
                <td id="http404Align" class="errorCodeAndDivider" align="right"><ID id="http404">&nbsp;HTTP 404</ID>
                    <div class="divider"></div>
                </td>
            </tr>


        <!-- Error Body -->
            <tr>
                <td>
                    &nbsp;
                </td>
                <td id="likelyCausesAlign" valign="top" align="left">
                    <h3 id="likelyCauses">Most likely causes:</h3>
                    <ul>
                        <li id="causeErrorInAddress">There might be a typing error in the address.</li>
                        <li id="causeLinkOutOfDate">If you clicked on a link, it may be out of date.</li>
                    </ul>
                </td>
            </tr>

        <!-- What you can do -->
            <tr>
                <td>
                    &nbsp;
                </td>
                <td id="whatToTryAlign" valign="top" align="left">
                    <h2 id="whatToTry">What you can try:</h2>
                </td>
            </tr>

        <!-- retype address -->
            <tr>
                <td >
                    &nbsp;
                </td>
                <td id="retypeAddressAlign" align="left" valign="middle">
                    <h4>
                        <table>
                          <tr>
                              <td valign="top">
                                  <img src="bullet.png" border="0" alt="" class="actionIcon">
                              </td>
                              <td valign="top">
                                  <ID id="retypeAddress">Retype the address.</ID>
                              </td>
                          </tr>
                        </table>
                    </h4>
                </td>
            </tr>

        <!-- back to previous page -->
            <tr>
                <td >
                    &nbsp;
                </td>
                <td id="goBackAlign" align="left" valign="middle">
                    <h4>
                        <table>
                          <tr>
                              <td valign="top">
                                  <img src="bullet.png" border="0" alt="" class="actionIcon">
                              </td>
                              <td valign="top">
                                  <span id="goBackContainer"></span><noscript id="goBack">Go back to the previous page.</noscript>
                              </td>
                          </tr>
                        </table>
                    </h4>
                </td>
            </tr>


        <!-- top level domain-->
            <tr>
                <td >
                    &nbsp;
                </td>
                <td id="mainSiteAlign" align="left" valign="middle">
                    <h4>
                        <table>
                          <tr>
                              <td valign="top">
                                  <img src="bullet.png" border="0" alt="" class="actionIcon">
                              </td>
                              <td valign="top">
                                  <ID id="mainSite1">Go to </ID><span id="homepageContainer"><noscript id="mainSite2">the main site</noscript></span><ID id="mainSite3">&nbsp;and look for the information you want.</ID>
                              </td>
                          </tr>
                        </table>
                    </h4>
                </td>
            </tr>

        <!-- InfoBlock -->
            <tr>
                <td id="infoBlockAlign" align="right" valign="top">
                    &nbsp;
                </td>
                <td id="moreInfoAlign" align="left" valign="middle">
                    <h4>
                      <table>
                        <tr>
                            <td valign="top">
                                <a href="#" onclick="javascript:expandCollapse('infoBlockID', true); return false;"><img src="down.png" id="infoBlockIDImage" border="0" class="actionIcon" alt="More information"></a>
                            </td>
                            <td valign="top">
                               <span id="moreInfoContainer"></span>
                               <noscript><ID id="moreInformation">More information</ID></noscript>
                            </td>
                        </tr>
                      </table>
                    </h4>

                    <div id="infoBlockID" class="infoBlock">
                        <p id="errorExplanation">This error (HTTP 404 Not Found) means that Internet Explorer was able to connect to the website, but the page you wanted was not found. It's possible that the webpage is temporarily unavailable. Alternatively, the website might have changed or removed the webpage.</p>
                        <p id="moreInfoSeeHelp">For more information about HTTP errors, see Help.</p>
                    </div>

                </td>
            </tr>


        </table>

    </body>
</html>
File name ErrorPageTemplate[1]
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4W7O9ARC\ErrorPageTemplate[1]
File Size 2168 bytes
File Type assembler source, UTF-8 Unicode (with BOM) text, with CRLF line terminators
MD5 f4fe1cb77e758e1ba56b8a8ec20417c5
SHA1 f4eda06901edb98633a686b11d02f4925f827bf0
SHA256 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
CRC32 E6FF242A
Ssdeep 24:5+j5xU5k5N0ndgvoyeP0yyiyQCDr3nowMVworDtX3orKxWxDnCMA0da+hieyuSQK:5Q5K5k5pvFehWrrarrZIrHd3FIQfOS6
ClamAV None
Yara None matched
CAPE Yara None matched
body
{
	font-family: "Segoe UI", "verdana", "arial";
	background-image: url(background_gradient.jpg);
	background-repeat: repeat-x;
	background-color: #E8EAEF;
	margin-top: 20px;
	margin-left: 20px;
	color: #575757;
}

body.securityError
{
	font-family: "Segoe UI", "verdana" , "Arial";
	background-image: url(background_gradient_red.jpg);
	background-repeat: repeat-x;
	background-color: #E8EAEF;
	margin-top: 20px;
	margin-left: 20px;
}

body.tabInfo
{
	background-image: none;
	background-color: #F4F4F4;
}
       
a
{
	color: rgb(19,112,171);	font-size: 1em;
	font-weight: normal;
	text-decoration: none;
	margin-left: 0px;
	vertical-align: top;
}

a:link, a:visited
{
	color: rgb(19,112,171);
	text-decoration: none;
	vertical-align: top;
}

a:hover
{
	color: rgb(7,74,229);
	text-decoration: underline;
}

p
{
	font-size: 0.9em;
}
	
h1 /* used for Title */
{
	color: #4465A2;
	font-size: 1.1em;
	font-weight: normal;
	vertical-align:bottom;
	margin-top: 7px;
	margin-bottom: 4px;
}

h2 /* used for Heading in Main Body */
{
	font-size: 0.9em;
	font-weight: normal;
	margin-top: 20px;	
	margin-bottom: 1px;
}

h3 /* used for text in main body */
{
	font-size: 0.9em;
	font-weight: normal;
	margin-top: 10px;	
	margin-bottom: 1px;
}

h4 /* used for task links*/
{
	font-size: 0.9em;
	font-weight: normal;
	margin-top: 12px;
	margin-bottom: 1px;
}

h5 /* used for Heading in InfoBlock */
{
	font-size: 1em;
	font-weight: normal;
	margin-bottom: 0px;
	margin-top: 1px;	
	font-size: 0.9em;
	color: #575757;
}


.actionIcon /* used for task link icons */
{
	vertical-align: middle;
	margin-top: 0px;
	margin-right: 6px;
}

.infoBlock
{
	padding-left: 25px;
	font-size: 0.9em;
	display: block;
	line-height: 1.1 em;
	color: #575757;
}

.errorCodeAndDivider
{
	font-size: 0.7em;
	font-weight: normal;
	color: #787878;
}

ul, ol
{
	font-size: 0.9em;
	list-style-position: outside;
	margin-top: 1px;
	margin-bottom: 1px;
	padding-top: 1px;
	padding-bottom: 1px;
	line-height: 1.3em;
}

.divider
{
	border-bottom: #B6BCC6 1px solid;
}
File name errorPageStrings[1]
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\errorPageStrings[1]
File Size 1817 bytes
File Type UTF-8 Unicode (with BOM) text, with CRLF line terminators
MD5 1a0563f7fb85a678771450b131ed66fd
SHA1 a6d24e8a1ffd7e6fc0d1ecd00e67eb72425019a7
SHA256 eb5678de9d8f29ca6893d4e6ca79bd5ab4f312813820fe4997b009a2b1a1654c
CRC32 1B8FC3FF
Ssdeep 48:z9UUiqu6xl8W22751dwvRHERyRyntQRXP6KtU5SwVNg7FU50U5ZF0:z9UUiqRxqH211CvRHERyRyntQRXP6C80
ClamAV None
Yara None matched
CAPE Yara None matched
//Split out for localization.
var L_GOBACK_TEXT = "Go back to the previous page.";
var L_REFRESH_TEXT = "Refresh the page.";
var L_MOREINFO_TEXT = "More information";
var L_OFFLINE_USERS_TEXT = "For offline users";
var L_RELOAD_TEXT = "Retype the address.";
var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";
var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";
var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";
var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";

//used by invalidcert.js
var L_CertUnknownCA_TEXT = "The security certificate presented by this website was not issued by a trusted certificate authority.";
var L_CertExpired_TEXT = "The security certificate presented by this website has expired or is not yet valid.";
var L_CertCNMismatch_TEXT = "The security certificate presented by this website was issued for a different website's address.";
var L_CertRevoked_TEXT = "This organization's certificate has been revoked.";

var L_PhishingThreat_TEXT = "Phishing threat: This is a phishing website that impersonates a trusted website to trick you into revealing personal or financial information.";
var L_MalwareThreat_TEXT = "Malicious software threat: This site contains links to viruses or other software programs that can reveal personal information stored or typed on your computer to malicious persons.";

var L_ACR_Title_TEXT = "We were unable to return you to %s.";
var L_ACR_TitleFallback_TEXT = "We were unable to return you to the page you were viewing.";
var L_ACR_ReturnTo_TEXT = "Try to return to %s";
var L_ACR_ReturnToFallback_TEXT = "Try to return to the page you were viewing";
var L_ACR_GoHome_TEXT = "Go to your home page";
File name index.dat
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Windows\PrivacIE\index.dat
File Size 49152 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 12a8e8162a78ad18d2ece5952093b93a
SHA1 2936b123989af6f327fb65acd555cf846c091972
SHA256 bef37bcdf412b9ff98a3478d49efaab3c14ea4b778c4b34ae8be50b80ec325c6
CRC32 7B5863A9
Ssdeep 12:qjZrmsgi6H6W4kCQJz8uvu9l79OJlLuAUGkLL6OSA6:qjZSzHaW4rcEyXuHjLL6OR6
ClamAV None
Yara None matched
CAPE Yara None matched
File name httpErrorPagesScripts[1]
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1P0THEGK\httpErrorPagesScripts[1]
File Size 8601 bytes
File Type UTF-8 Unicode (with BOM) text, with CRLF, CR line terminators
MD5 e7ca76a3c9ee0564471671d500e3f0f3
SHA1 fe815ae0f865ec4c26e421bf0bd21bb09bc6f410
SHA256 58268ca71a28973b756a48bbd7c9dc2f6b87b62ae343e582ce067c725275b63c
CRC32 A7C34EF3
Ssdeep 192:HMmjTiiKfi9Ii4UFjC9jo4oXdu7mjxAb3Y:smjTiiKfi9IiPj+k3Xdu7mjxAb3Y
ClamAV None
Yara None matched
CAPE Yara None matched
//Need to include errorPageStrings.js when you include this file

function isExternalUrlSafeForNavigation(urlStr)
{
    var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");
    return regEx.exec(urlStr);
}

function clickRefresh()
{
    var location = window.location.href;
    var poundIndex = location.indexOf('#');
    
    if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))
    {
        window.location.replace(location.substring(poundIndex+1));
    }
}

function navCancelInit()
{
    var location = window.location.href;
    var poundIndex = location.indexOf('#');
    
    if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))
    {
        var bElement = document.createElement("A");
        bElement.innerText = L_REFRESH_TEXT;
        bElement.href = 'javascript:clickRefresh()';
        navCancelContainer.appendChild(bElement);
    }
    else
    {
        var textNode = document.createTextNode(L_RELOAD_TEXT);
        navCancelContainer.appendChild(textNode);
    }
}

function expandCollapse(elem, changeImage)
{
    if (document.getElementById)
    {
        ecBlock = document.getElementById(elem);

        if (ecBlock != undefined && ecBlock != null)
        {
            if (changeImage)
            {
                //gets the image associated
                elemImage = document.getElementById(elem + "Image");
            }

            //make sure elemImage is good
            if (!changeImage || (elemImage != undefined && elemImage != null))
            {
                if (ecBlock.currentStyle.display == "none" || ecBlock.currentStyle.display == null || ecBlock.currentStyle.display == "")
                {
                    //shows the info.
                    ecBlock.style.display = "block";
                    if (changeImage)
                    {
                        //Just got in expanded mode. Thus, change image to "collapse"
                        elemImage.src = "up.png";
                    }
                }
                else if (ecBlock.currentStyle.display == "block")
                {
                    //hide info
                    ecBlock.style.display = "none";
                    if (changeImage)
                    {
                        //Just got in collapsed mode. Thus, change image to "expand"
                        elemImage.src = "down.png";
                    }
                }
                else
                {
                    //catch any weird circumstances.
                    ecBlock.style.display = "block";
                    if (changeImage)
                    {
                        elemImage.src = "up.png";
                    }
                }
            }//end check elemImage
        }//end check ecBlock
    }//end getElemById
}//end expandCollapse


function initHomepage()
{
    // in real bits, urls get returned to our script like this:
    // res://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.htm

    //For testing use
    //DocURL = "res://shdocvw.dll/http_404.htm#http://www.microsoft.com/bar.htm"
    DocURL=document.location.href;

    var poundIndex = DocURL.indexOf('#');
    
    if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))
    {
   
       //this is where the http or https will be, as found by searching for :// but skipping the res://
       protocolIndex=DocURL.indexOf("://", 4);
   
       //this finds the ending slash for the domain server
       serverIndex=DocURL.indexOf("/", protocolIndex + 3);
   
       //for the href, we need a valid URL to the domain. We search for the # symbol to find the begining
       //of the true URL, and add 1 to skip it - this is the BeginURL value. We use serverIndex as the end marker.
       //urlresult=DocURL.substring(protocolIndex - 4,serverIndex);
       BeginURL=DocURL.indexOf("#",1) + 1;
       urlresult=DocURL.substring(BeginURL, serverIndex);
       if (protocolIndex - BeginURL > 7)
           urlresult="";

        //for display, we need to skip after http://, and go to the next slash
       displayresult=DocURL.substring(protocolIndex + 3, serverIndex);
    } 
    else
    {
       displayresult = "";
       urlresult = "";
    }

    var aElement = document.createElement("A");

    aElement.innerText = displayresult;
    aElement.href = urlresult;

    homepageContainer.appendChild(aElement);
}


function initConnectionStatus()
{

    if (navigator.onLine) //the network connection is connected
    {
        checkConnection.innerText = L_CONNECTION_ON_TEXT;
    }
    else
    {
        checkConnection.innerText = L_CONNECTION_OFF_TEXT;
    }
}

function initGoBack()
{
    //fills in the span container for "back to previous page"
    //Basically, makes "back to previous page" a clickable item IF there's something in the navstack.

    if (history.length < 1)
    {
        //this page is the only thing. Nothing in history.
        var textNode = document.createTextNode(L_GOBACK_TEXT);
        goBackContainer.appendChild(textNode);
    }
    else
    {
        var bElement = document.createElement("A");
        bElement.innerText = L_GOBACK_TEXT ;
        bElement.href = "javascript:history.back();";
        goBackContainer.appendChild(bElement);
    }
}

function initMoreInfo(infoBlockID)
{
    var bElement = document.createElement("A");
    bElement.innerText = L_MOREINFO_TEXT;
    bElement.href = "javascript:expandCollapse(\'infoBlockID\', true);";
    moreInfoContainer.appendChild(bElement);				
}

function initOfflineUser(offlineUserID)
{
    var bElement = document.createElement("A");
    bElement.innerText = L_OFFLINE_USERS_TEXT;
    bElement.href = "javascript:expandCollapse('offlineUserID', true);";
    offlineUserContainer.appendChild(bElement);
}

function initUnframeContent()
{
    var location = window.location.href;
    var poundIndex = location.indexOf('#');
    
    if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))
    {
        document.all.whatToDoIntro.style.display="block";
        document.all.whatToDoBody.style.display="block";
    }
}

function makeNewWindow()
{
    var location = window.location.href;
    var poundIndex = location.indexOf('#');
    
    if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))
    {
        window.open(location.substring(poundIndex+1));
    }
}

function setTabInfo(tabInfoBlockID)
{
    //removes the previous tabInfo text
    var bPrevElement = document.getElementById("tabInfoTextID");
    var bPrevImage   = document.getElementById("tabInfoBlockIDImage");

    if (bPrevElement != null)
    {
        tabInfoContainer.removeChild(bPrevElement);
    }

    if (bPrevImage != null)
    {
        tabImageContainer.removeChild(bPrevImage);
    }

    var bElement = document.createElement("A");
    var bImageElement = document.createElement("IMG");

    var ecBlock = document.getElementById(tabInfoBlockID);

    //determines if the block is closed
    if ((ecBlock != undefined && ecBlock != null) &&
        (ecBlock.currentStyle.display == "none" || ecBlock.currentStyle.display == null || ecBlock.currentStyle.display == ""))
    {
        bElement.innerText = L_SHOW_HOTKEYS_TEXT;
        bImageElement.alt = L_SHOW_HOTKEYS_TEXT;
        bImageElement.src="down.png";
    }
    else
    {
        bElement.innerText = L_HIDE_HOTKEYS_TEXT;
        bImageElement.alt = L_HIDE_HOTKEYS_TEXT;
        bImageElement.src="up.png";
    }

    bElement.id = "tabInfoTextID";
    bElement.href = "javascript:expandCollapse(\'tabInfoBlockID\', false); setTabInfo('tabInfoBlockID');";


    bImageElement.id="tabInfoBlockIDImage";
    bImageElement.border="0";
    bImag <truncated>
File name info_48[1]
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4W7O9ARC\info_48[1]
File Size 6993 bytes
File Type PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced
MD5 49e0ef03e74704089a60c437085db89e
SHA1 c2e7ab3ce114465ea7060f2ef738afcb3341a384
SHA256 caa140523ba00994536b33618654e379216261babaae726164a0f74157bb11ff
CRC32 4C99540A
Ssdeep 192:NS0tKg9E05THXQJBCnFux5TsRfb+Y0ObhD9Uc7:LXE05UBCFAORfK9S7b7
ClamAV None
Yara None matched
CAPE Yara None matched
File name background_gradient[1]
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\background_gradient[1]
File Size 453 bytes
File Type JPEG image data, JFIF standard 1.02
MD5 20f0110ed5e4e0d5384a496e4880139b
SHA1 51f5fc61d8bf19100df0f8aadaa57fcd9c086255
SHA256 1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b
CRC32 C2D0CE77
Ssdeep 6:3llVuiPjlXJYhg5suRd8PImMo23C/kHrJ8yA/NIeYoWg78C/vTFvbKLAh3:V/XPYhiPRd8j7+9LoIrobtHTdbKi
ClamAV None
Yara None matched
CAPE Yara None matched
File name bullet[1]
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1P0THEGK\bullet[1]
File Size 3169 bytes
File Type PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced
MD5 0c4c086dd852704e8eeb8ff83e3b73d1
SHA1 56bac3d2c88a83628134b36322e37deb6b00b1a1
SHA256 1cb3b6ea56c5b5decf5e1d487ad51dbb2f62e6a6c78f23c1c81fda1b64f8db16
CRC32 51CC83D9
Ssdeep 48:VocieftI9G9f6A+FIDOWu0lDl+gm7QyTtctIInQSy6IVpqlnBcOD2X+r0svw:VZ/I09Da01l+gmkyTt6Hk8nT2X+r0kw
ClamAV None
Yara None matched
CAPE Yara None matched
File name down[1]
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4W7O9ARC\down[1]
File Size 3414 bytes
File Type PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced
MD5 555e83ce7f5d280d7454af334571fb25
SHA1 47f78f68d72e3d9041acc9107a6b0d665f408385
SHA256 70f316a5492848bb8242d49539468830b353ddaa850964db4e60a6d2d7db4880
CRC32 9EA3279D
Ssdeep 96:/SDZ/I09Da01l+gmkyTt6Hk8nTjTnJw1Ne:/SDS0tKg9E05TPoNe
ClamAV None
Yara None matched
CAPE Yara None matched
File name MSIMGSIZ.DAT
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT
File Size 16384 bytes
File Type data
MD5 0cf9ea053bdfba12814049c64f7ab45a
SHA1 2c3dae6af5ed25316078f3d44519d387a5f0bb00
SHA256 bd6776afccf940809189767c68089f4dfbd18327c443de60443d42969338b8bb
CRC32 CB138BF2
Ssdeep 12:Oa6I/10s1KXPeNU/N6/aXAk6ylXPtDYNls6ss+wsLaSP/0otIltet+4bRsWdf8qY:xJHu9QqlC3LwAOMSoye7z2lzdG
ClamAV None
Yara None matched
CAPE Yara None matched
File name Web Slice Gallery~.feed-ms
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms
File Size 28672 bytes
File Type Composite Document File V2 Document, No summary info
MD5 d4cc7ce677b6ab7b521a1659aed301c8
SHA1 e1f036a56474983c11b5369dc6d46f158b0d4e0e
SHA256 3e23031a2b91f47683115473ce73964a196b68405153b815af14f7bde5032586
CRC32 E843F4D5
Ssdeep 12:Jw77mFQCb777777777777777777777777777777/FJl8vbf+8Gc7777777777777:Jsbf+8/2As4WYiit
ClamAV None
Yara None matched
CAPE Yara None matched
File name {8FF76544-EAC9-11E9-A15D-000C29BA3DA7}.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8FF76544-EAC9-11E9-A15D-000C29BA3DA7}.dat
File Size 4608 bytes
File Type Composite Document File V2 Document, No summary info
MD5 01bdccbb2e44745f9cf4099478344b88
SHA1 dca11a81d5159df903b21e40a53d8215447dada9
SHA256 5c5c1a44888b382b80fe0c386d41ecc374b6c7e981c1bd06de8dc89577a6d2b6
CRC32 61E8B1FE
Ssdeep 12:rlfFgojrEgmfR16FjrEgmfcB1qjNlYfO1t3+/NlL91tGcUwhSp:rcojGGGTNlj1twNlp1tG/W
ClamAV None
Yara None matched
CAPE Yara None matched
File name RecoveryStore.{8FF76543-EAC9-11E9-A15D-000C29BA3DA7}.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8FF76543-EAC9-11E9-A15D-000C29BA3DA7}.dat
File Size 3584 bytes
File Type Composite Document File V2 Document, No summary info
MD5 6718a3b03cdf08a1a94a958e85d40728
SHA1 df8a93602ac438d30e322861a31a39d653c41f4b
SHA256 9cc64f8c151eff7dbec64f6f865d57ad780fd97f5ef6834dbbe7fe6bd36387f9
CRC32 208FCFB4
Ssdeep 12:rl0YmGF2hrEg5+IaCrI017+F+ADrEgmf+IaCy8qgQNlTq1ty5l097u7:rIh5/5UGv/TQNlW1ty5lW7u7
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
File Size 32768 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 ec6bffa7b10090427df08616ddedc0b1
SHA1 60a778b7c199d3944d55d41da1a052b5c3d7d073
SHA256 27e9813cff5441f48f28794440c460e413cad4cc56a360a6cb27b12cf52fce55
CRC32 E8C28DA4
Ssdeep 12:qj8W3WMyIvbE2uOIJvmk3WMyIvbH2uOIJvm:qjYVIvYcIgtVIvDcIg
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
File Size 32768 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 e02b5c7b25280da487209bd48b4163f9
SHA1 7d440a9292567af8570c34e52d03aed14405ae00
SHA256 42bc5d24dab11bbeb8fd93b797b3c5b7e70fee667293a32691767580f1a01a73
CRC32 9703369D
Ssdeep 48:qsLf/ZJLH3ZxqT/mf7RCpwV+4igHDt/UwbmXhBgkBVGWYCIh:qsb/Zp/q0lV9Nbojbm
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
File Size 65536 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 8f367f3f07d9582378c03b0bf5201030
SHA1 b091a92f8de1ed744559a741fdee8adc47855c3e
SHA256 350c6e3c6ccd7e66df09a923e935626e3811acb41ce05dfca7f6f292ff0b9ef8
CRC32 90664BDC
Ssdeep 384:K+tjxBNPtNaOndg3skdVQnQeW+4fTFtziXrAsjCCtn/NJ03:NfNazd9ur/CSl
ClamAV None
Yara None matched
CAPE Yara None matched
Sorry! No CAPE files.
Process Name iexplore.exe
PID 1988
Dump Size 663040 bytes
Module Path C:\Program Files (x86)\Internet Explorer\iexplore.exe
Type PE image: 32-bit executable
MD5 0869b7c777f91b63bab710d89f17e5b9
SHA1 6eea293b68ad90756c88bc852a48eb3b3951fe83
SHA256 81baa3806a0f950b0f09ab60f621a6e6bc7d4093a3a2b96ebf2eefcd48f1fab6
CRC32 4342F19E
Ssdeep 12288:SPX+pd167QhE0s7+jM+M6ugRfMMkIM7ovX+pd167QhE0u7+:uE6Ehg7mM+M6RkMkIM7gE6Eh67
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 81baa3806a0f950b0f09ab60f621a6e6bc7d4093a3a2b96ebf2eefcd48f1fab6
Process Name explorer.exe
PID 1708
Dump Size 2862080 bytes
Module Path C:\Windows\explorer.exe
Type PE image: 64-bit executable
MD5 9fc0dc57181cfb427037fe0e9ed89c71
SHA1 593d88a3cbedcf510a8f4cbb78c91ff63f8f3841
SHA256 e3d7d9be101057a2aab52b2226c7938ae2154127d44226964d4cb7cb6c0c645b
CRC32 8ACA0065
Ssdeep 49152:4xrceI/lIRYraisQhFCU4NDvYYYYYYYYYYYRYYYYYYYYYYE3iA7/eFUJN9ojosod:ircPlIWyJvYYYYYYYYYYYRYYYYYYYYYh
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename e3d7d9be101057a2aab52b2226c7938ae2154127d44226964d4cb7cb6c0c645b

Processing ( 14.633 seconds )

  • 10.006 Static
  • 2.177 ProcDump
  • 1.814 BehaviorAnalysis
  • 0.402 Dropped
  • 0.214 Deduplicate
  • 0.014 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 1.415 seconds )

  • 0.641 antidbg_windows
  • 0.105 antiav_detectreg
  • 0.082 stealth_timeout
  • 0.06 NewtWire Behavior
  • 0.059 api_spamming
  • 0.038 infostealer_ftp
  • 0.035 antivm_vbox_window
  • 0.028 antisandbox_script_timer
  • 0.025 antivm_generic_scsi
  • 0.022 antianalysis_detectreg
  • 0.021 infostealer_im
  • 0.015 mimics_filetime
  • 0.014 infostealer_mail
  • 0.013 antivm_generic_services
  • 0.012 Doppelganging
  • 0.012 antivm_generic_disk
  • 0.01 recon_programs
  • 0.01 antivm_vbox_keys
  • 0.01 ransomware_files
  • 0.009 bootkit
  • 0.009 virus
  • 0.008 antiav_detectfile
  • 0.007 antivm_vmware_keys
  • 0.006 geodo_banking_trojan
  • 0.006 infostealer_bitcoin
  • 0.005 uac_bypass_eventvwr
  • 0.005 injection_createremotethread
  • 0.005 betabot_behavior
  • 0.005 InjectionCreateRemoteThread
  • 0.005 kibex_behavior
  • 0.005 hancitor_behavior
  • 0.005 antivm_parallels_keys
  • 0.005 antivm_xen_keys
  • 0.005 darkcomet_regkeys
  • 0.005 recon_fingerprint
  • 0.004 malicious_dynamic_function_loading
  • 0.004 antiemu_wine_func
  • 0.004 InjectionProcessHollowing
  • 0.004 infostealer_browser_password
  • 0.004 dynamic_function_loading
  • 0.004 persistence_autorun
  • 0.004 injection_runpe
  • 0.004 ransomware_extensions
  • 0.003 InjectionInterProcess
  • 0.003 stack_pivot
  • 0.003 vawtrak_behavior
  • 0.003 kovter_behavior
  • 0.003 antivm_generic_diskreg
  • 0.003 antivm_vbox_files
  • 0.003 antivm_vpc_keys
  • 0.002 antivm_vbox_libs
  • 0.002 antidebug_guardpages
  • 0.002 exploit_heapspray
  • 0.002 exploit_getbasekerneladdress
  • 0.002 exploit_gethaldispatchtable
  • 0.002 InjectionSetWindowLong
  • 0.002 antianalysis_detectfile
  • 0.002 browser_security
  • 0.002 disables_browser_warn
  • 0.001 stack_pivot_file_created
  • 0.001 tinba_behavior
  • 0.001 andromeda_behavior
  • 0.001 hawkeye_behavior
  • 0.001 network_tor
  • 0.001 sets_autoconfig_url
  • 0.001 rat_nanocore
  • 0.001 antiav_avast_libs
  • 0.001 rat_luminosity
  • 0.001 infostealer_browser
  • 0.001 network_anomaly
  • 0.001 dridex_behavior
  • 0.001 injection_explorer
  • 0.001 modifies_desktop_wallpaper
  • 0.001 Vidar Behavior
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 antisandbox_sboxie_libs
  • 0.001 ipc_namedpipe
  • 0.001 EvilGrab
  • 0.001 exec_crash
  • 0.001 Raccoon Behavior
  • 0.001 neshta_files
  • 0.001 cerber_behavior
  • 0.001 antiav_bitdefender_libs
  • 0.001 antidbg_devices
  • 0.001 antivm_xen_keys
  • 0.001 antivm_generic_bios
  • 0.001 antivm_generic_cpu
  • 0.001 antivm_generic_system
  • 0.001 antivm_hyperv_keys
  • 0.001 antivm_vmware_files
  • 0.001 bypass_firewall
  • 0.001 ie_martian_children
  • 0.001 network_torgateway
  • 0.001 packer_armadillo_regkey
  • 0.001 rat_pcclient
  • 0.001 remcos_regkeys

Reporting ( 0.017 seconds )

  • 0.017 CompressResults
Task ID 94339
Mongo ID 5d9e3375f69fab997c678e1b
Cuckoo release 1.3-CAPE