Summary
File Name: None
File Type: HTML document, ASCII text, with very long lines
SHA1: e8f8b51272397f871c898e27bfbb9f116859e587
MD5: d8e675bb7b20604752d98161331c2d59
Valkyrie Final Verdict: MALWARE
DETECTION SECTION CLASSIFICATION
Classification: Trojan
Severity: High
Verdict: Malware
Classification chart (all categories scored 0.00%): Backdoor, Ransomware, Bot, Worm, Exploit, Pua, Password Stealer, Rootkit, Generic, Spyware, Trojan Downloader, Remote Access Trojan, Dropper, Trojan, Virus, Rogue
HIGH LEVEL BEHAVIOR DISTRIBUTION
Registry (5973, 43.2%)
System (3721, 26.9%)
Network (1385, 10.0%)
File System (1235, 8.9%)
Device (585)
Process (313)
Synchronization (186)
Misc (171)
Windows (73)
Crypto (65)
Com (58)
Threading (51)
Services (6)
__notification__ (5)
Browser (4)
Hooking (2)
ACTIVITY OVERVIEW
Networking 3 (100.00%)
Activity Details
NETWORKING
Attempts to connect to a dead IP:Port (11 unique times)
Performs some HTTP requests
Generates some ICMP traffic
Behavior Graph (timeline 12:31:50 to 12:34:20)
PID 2140 12:31:50 Create Process The malicious file created a child process as iexplore.exe (PPID 1520)
PID 2432 12:31:50 Create Process The malicious file created a child process as iexplore.exe (PPID 2140)
12:31:54 connect 12:31:54 [ 3 times ]
12:32:00 ConnectEx 12:32:16 [ 7 times ]
12:32:16 connect
12:32:16 ConnectEx 12:32:16 [ 2 times ]
12:32:16 connect 12:32:16 [ 5 times ]
12:32:21 ConnectEx 12:32:21 [ 2 times ]
12:32:37 connect 12:32:38 [ 4 times ]
12:33:01 ConnectEx
12:34:20 connect 12:34:20 [ 3 times ]
Behavior Summary
ACCESSED FILES
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Program Files (x86)\Internet Explorer\IEShims.dll
C:\Windows\SysWOW64\shell32.dll
\Device\KsecDD
C:\Program Files (x86)\Internet Explorer\sqmapi.dll
C:\Users\user\Favorites
C:\
C:\Users
C:\Users\user\AppData\Local\Microsoft\Windows\Caches
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000004b.db
C:\Users\desktop.ini
C:\Users\user
C:\Users\user\Favorites\desktop.ini
C:\Users\user\Desktop\desktop.ini
\??\MountPointManager
C:\Program Files (x86)\Internet Explorer\ieproxy.dll
C:\Windows\Fonts\staticcache.dat
C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
C:\Windows\AppPatch\sysmain.sdb
C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\
C:\Program Files (x86)\Common Files\Adobe
C:\Program Files (x86)\Common Files\Adobe\Acrobat
C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX
C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\*.*
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
C:\Windows
C:\Windows\winsxs
C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
C:\Program Files (x86)\Internet Explorer\iexplore.exe.Local\
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll
C:\Program Files (x86)\Java\jre1.8.0_91\bin\
C:\Program Files (x86)\Java
C:\Program Files (x86)\Java\jre1.8.0_91\bin
C:\Program Files (x86)\Java\jre1.8.0_91\bin\*.*
C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll
C:\Program Files (x86)\Java\jre1.8.0_91\bin\msvcr100.dll
C:\Program Files (x86)\Java\jre1.8.0_91\bin\deploy.dll
C:\Program Files (x86)\Java\jre1.8.0_91\lib\plugin.jar
C:\Program Files (x86)\Java\jre1.8.0_91\bin\javaws.exe
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
C:\Program Files (x86)\Java\jre1.8.0_91
C:\Program Files (x86)\Java\jre1.8.0_91\bin\java.exe
C:\Program Files (x86)\Java\jre1.8.0_91\bin\client\jvm.dll
C:\Program Files (x86)\Java\jre1.8.0_91\bin\server\jvm.dll
C:\Users\user\AppData\Local\Microsoft\Feeds Cache\
C:\Users\user\AppData\Local\Microsoft\Feeds Cache\index.dat
C:\Users\user\AppData\Local\Microsoft\Feeds Cache\desktop.ini
C:\Users\user\AppData\Local\Temp\e8f8b51272397f871c898e27bfbb9f116859e587.html
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\Users\user\AppData\Local\Temp\e8f8b51272397f871c898e27bfbb9f116859e587.html:Zone.Identifier
C:\Windows\WindowsShell.manifest
\??\Nsi
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\System32\ras\*.pbk
C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\*
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\1233B8D21D2ECB0483D16253D1FF3964BD09EF0C
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\16B1DD478BCE71A0FB1822E8F4F30AB467BBEFD4
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\2064A97B987412930E2994D60AE7EB72D89BC4F7
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\37998502C2CC1852F8774DAF543DD76D10D6FD93
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\418C30DD41197CBAABF21675F8559794F5551115
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\44E5AE16D06F9FBB92D6D9444B5C65C0F331D0EC
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\4FDDCB932603534677ECAE8C7D0FD914FD443E83
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\5D247FE955609769879FB1DD016537EEF650B8EC
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\6A8C669D7D1D5759CE7C1E0C5BE286257C31F366
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\744CDF45BF43EF285758286CAC89AF786F938342
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\761F091EA5F80A98B0D89734231D300CF9C027E8
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\7A5F1A5DE6AA551C795CC508128C6D894FA2C502
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\8291DA84F9266F6D0ED367AF8BE3FA722529EB91
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\871E3CD70B6F8EE3C1E7BE4C7BEF4FFCCE673E32
READ REGISTRY KEYS
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\DEPOff
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ProtectedModeOffForAllZones
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\LuaOffLoRIEOn
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FrameTabWindow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FrameMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\SessionMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\AdminTabProcs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\DetourDialogs
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\AcRedir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabShutdownDelay
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabShutdownDelay
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SQM\ServerFreezeOnUpload
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\InitFolderHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Favorites
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{2400a2c5-ccb0-11e5-b7bd-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{2400a2c5-ccb0-11e5-b7bd-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
MODIFIED FILES
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
C:\Users\user\AppData\Local\Microsoft\Feeds Cache\index.dat
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_FDB452422670E72EDD3FB3D65568F821
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_FDB452422670E72EDD3FB3D65568F821
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JFPXO29L\864213505-ieretrofit[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JFPXO29L\2727757643-css_bundle_v2[1].css
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8W72H2L\authorization[1].css
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F5F320A94D4D2B4465D8F17E2BB2D351_003C74F91492339E26043FF88C076638
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F5F320A94D4D2B4465D8F17E2BB2D351_003C74F91492339E26043FF88C076638
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\01B16CDBADE7DB774141D7E30D50EC69
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\01B16CDBADE7DB774141D7E30D50EC69
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F5F320A94D4D2B4465D8F17E2BB2D351_F57178D9F7B90859A3F775EE4081F34D
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F5F320A94D4D2B4465D8F17E2BB2D351_F57178D9F7B90859A3F775EE4081F34D
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8W72H2L\share_buttons_20_3[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8W72H2L\f[1].txt
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0D3JCK2E\icon18_wrench_allbkg[1].png
\??\VBoxMiniRdrDN
\??\UNC\www.facebook.com\PIPE\srvsvc
\??\PIPE\DAV RPC SERVICE
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K6P3SCP6\dnserror[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0D3JCK2E\ErrorPageTemplate[1]
C:\Users\user\AppData\Roaming\Microsoft\Windows\PrivacIE\index.dat
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JFPXO29L\errorPageStrings[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K6P3SCP6\httpErrorPagesScripts[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8W72H2L\noConnect[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0D3JCK2E\background_gradient[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JFPXO29L\down[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K6P3SCP6\favcenter[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8W72H2L\tools[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0D3JCK2E\dnserror[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K6P3SCP6\errorPageStrings[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JFPXO29L\httpErrorPagesScripts[1]
C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018120320181204\index.dat
RESOLVED APIS
advapi32.dll.EventWrite
advapi32.dll.EventRegister
advapi32.dll.EventUnregister
kernel32.dll.InitializeSRWLock
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.AcquireSRWLockShared
kernel32.dll.ReleaseSRWLockExclusive
kernel32.dll.ReleaseSRWLockShared
kernel32.dll.SetProcessDEPPolicy
user32.dll.SetProcessDPIAware
shell32.dll.SetCurrentProcessExplicitAppUserModelID
user32.dll.GetShellWindow
user32.dll.GetWindowThreadProcessId
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
ieframe.dll.#251
kernel32.dll.WerSetFlags
comctl32.dll.PropertySheetW
comctl32.dll.PropertySheetA
comdlg32.dll.PageSetupDlgW
comdlg32.dll.PrintDlgW
ieshims.dll.IEShims_Initialize
kernel32.dll.VirtualProtect
user32.dll.SetWindowsHookExW
user32.dll.FindWindowExA
kernel32.dll.WaitForSingleObject
kernel32.dll.CreateProcessW
kernel32.dll.CreateProcessA
advapi32.dll.RegQueryValueA
ntdll.dll.LdrRegisterDllNotification
ole32.dll.CoGetApartmentType
ole32.dll.CoTaskMemFree
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoTaskMemAlloc
ole32.dll.CoGetMalloc
cryptbase.dll.SystemFunction036
uxtheme.dll.ThemeInitApiHook
user32.dll.IsProcessDPIAware
kernel32.dll.WerRegisterMemoryBlock
kernel32.dll.WerUnregisterMemoryBlock
user32.dll.RegisterWindowMessageW
rpcrt4.dll.RpcServerUseProtseqW
rpcrt4.dll.RpcServerRegisterIfEx
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
rpcrt4.dll.RpcServerInqBindings
rpcrt4.dll.RpcEpRegisterW
rpcrt4.dll.RpcServerListen
shell32.dll.SHGetInstanceExplorer
user32.dll.RegisterClassExW
user32.dll.CreateWindowExW
user32.dll.DefWindowProcW
user32.dll.SetWindowLongW
ole32.dll.CoInitializeEx
user32.dll.MsgWaitForMultipleObjectsEx
dwmapi.dll.DwmIsCompositionEnabled
urlmon.dll.#400
shell32.dll.SHGetFolderPathW
advapi32.dll.TraceMessage
advapi32.dll.TraceMessageVa
kernel32.dll.IsWow64Process
sqmapi.dll.SqmGetSession
sqmapi.dll.SqmEndSession
sqmapi.dll.SqmStartSession
sqmapi.dll.SqmStartUpload
sqmapi.dll.SqmWaitForUploadComplete
sqmapi.dll.SqmSet
sqmapi.dll.SqmSetBool
sqmapi.dll.SqmSetBits
sqmapi.dll.SqmSetString
sqmapi.dll.SqmIncrement
sqmapi.dll.SqmSetIfMax
sqmapi.dll.SqmSetIfMin
sqmapi.dll.SqmAddToAverage
sqmapi.dll.SqmAddToStreamDWord
sqmapi.dll.SqmAddToStreamString
DELETED FILES
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8W72H2L\authorization[1].css
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K6P3SCP6\dnserror[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JFPXO29L\errorPageStrings[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K6P3SCP6\httpErrorPagesScripts[1]
C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016042520160426\index.dat
C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016042520160426\
REGISTRY KEYS
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\DEPOff
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ENABLESAFESEARCHPATH_KB963027
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ProtectedModeOffForAllZones
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabProcGrowth
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\LuaOffLoRIEOn
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FrameTabWindow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FrameMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\SessionMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\AdminTabProcs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\DetourDialogs
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\New Windows
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\AcRedir
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\iexplore.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabShutdownDelay
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabShutdownDelay
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SQM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SQM\ServerFreezeOnUpload
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SQM
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\RelativePath
READ FILES
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Program Files (x86)\Internet Explorer\IEShims.dll
C:\Windows\SysWOW64\shell32.dll
\Device\KsecDD
C:\Program Files (x86)\Internet Explorer\sqmapi.dll
C:\
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000004b.db
C:\Users\desktop.ini
C:\Users
C:\Users\user
C:\Users\user\Favorites\desktop.ini
C:\Users\user\Desktop\desktop.ini
C:\Program Files (x86)\Internet Explorer\ieproxy.dll
C:\Windows\Fonts\staticcache.dat
C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
C:\Windows\AppPatch\sysmain.sdb
C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\
C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll
C:\Program Files (x86)\Java\jre1.8.0_91\bin\
C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll
C:\Program Files (x86)\Java\jre1.8.0_91\bin\msvcr100.dll
C:\Program Files (x86)\Java\jre1.8.0_91\bin\deploy.dll
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
C:\Users\user\AppData\Local\Microsoft\Feeds Cache\index.dat
C:\Users\user\AppData\Local\Temp\e8f8b51272397f871c898e27bfbb9f116859e587.html
C:\Windows\WindowsShell.manifest
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\1233B8D21D2ECB0483D16253D1FF3964BD09EF0C
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\16B1DD478BCE71A0FB1822E8F4F30AB467BBEFD4
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\2064A97B987412930E2994D60AE7EB72D89BC4F7
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\37998502C2CC1852F8774DAF543DD76D10D6FD93
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\418C30DD41197CBAABF21675F8559794F5551115
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\44E5AE16D06F9FBB92D6D9444B5C65C0F331D0EC
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\4FDDCB932603534677ECAE8C7D0FD914FD443E83
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\5D247FE955609769879FB1DD016537EEF650B8EC
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\6A8C669D7D1D5759CE7C1E0C5BE286257C31F366
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\744CDF45BF43EF285758286CAC89AF786F938342
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\761F091EA5F80A98B0D89734231D300CF9C027E8
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\7A5F1A5DE6AA551C795CC508128C6D894FA2C502
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\8291DA84F9266F6D0ED367AF8BE3FA722529EB91
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\871E3CD70B6F8EE3C1E7BE4C7BEF4FFCCE673E32
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\8A82FE0617F4170E0BF052CF6BABFC628DA51919
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\8B943CF0CAEF7F6F04E98C9405960323B23C516D
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\9317D002FC43BDA932B8397B6E729B83D48EEB8D
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\95EEF9A37407C5B87BCF95D69B01DCFDAFD07635
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\A092A81885DDD5AAD1EC1A803D7183779D81B6F9
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\BAED8A8C5A147CFA78E686BB4A8E5829C2F934F5
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\C8A51E044BF5AF39158BB24E414E8FDCD2891C3A
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\FB45378AB288E369B22C860D123A809F530D5CC1
C:\Windows\System32\en-US\WINHTTP.dll.mui
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_FDB452422670E72EDD3FB3D65568F821
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_FDB452422670E72EDD3FB3D65568F821
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JFPXO29L\864213505-ieretrofit[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JFPXO29L\2727757643-css_bundle_v2[1].css
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8W72H2L\authorization[1].css
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F5F320A94D4D2B4465D8F17E2BB2D351_003C74F91492339E26043FF88C076638
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\01B16CDBADE7DB774141D7E30D50EC69
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F5F320A94D4D2B4465D8F17E2BB2D351_F57178D9F7B90859A3F775EE4081F34D
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F5F320A94D4D2B4465D8F17E2BB2D351_003C74F91492339E26043FF88C076638
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\01B16CDBADE7DB774141D7E30D50EC69
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F5F320A94D4D2B4465D8F17E2BB2D351_F57178D9F7B90859A3F775EE4081F34D
C:\Windows\System32\en-US\MLANG.dll.mui
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8W72H2L\f[1].txt
C:\Windows\System32\NetworkExplorer.dll
C:\Windows\System32\
C:\Windows\System32\networkexplorer.dll
\??\VBoxMiniRdrDN
\Device\RdpDr\;:1\www.facebook.com\plugins
MUTEXES
Local\WininetStartupMutex
Local\c:!users!user!appdata!local!microsoft!feeds cache!
Local\ZonesCounterMutex
Local\!BrowserEmulation!SharedMemory!Mutex
Local\!IETld!Mutex
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault1
IESQMMUTEX_0_208
ConnHashTable<2140>_HashTable_Mutex
Local\c:!users!user!appdata!roaming!microsoft!windows!privacie!
_!SHMSFTHISTORY!_
Local\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!mshist012018120320181204!
MODIFIED REGISTRY KEYS
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTime
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore\Type
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore\Count
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore\Time
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore\LoadTime
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\Type
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\Count
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\Time
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\LoadTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E2D0CA08-2243-4725-9430-A8A2D5F46E6B}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E2D0CA08-2243-4725-9430-A8A2D5F46E6B}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E2D0CA08-2243-4725-9430-A8A2D5F46E6B}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E2D0CA08-2243-4725-9430-A8A2D5F46E6B}\WpadNetworkName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
HKEY_CLASSES_ROOT\.mhtml\OpenWithList\WINWORD.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\Last
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018120320181204
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018120320181204\CachePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018120320181204\CachePrefix
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018120320181204\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018120320181204\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018120320181204\CacheRepair
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version
Network Behavior
NETWORK PORT DISTRIBUTION
5355 (UDP) 41.48%, 80 (TCP) 33.33%, 53 (UDP) 14.81%, 443 (TCP) 6.67%, 137 (UDP) 2.22%, 3702 (UDP) 0.74%, 138 (UDP) 0.74%
CONTACTED IPS
Name IP Country ASN ASN Name Trigger Process Type
172.217.5.233 United States 15169 Google LLC Malware Process
8.8.4.4 United States 15169 Google LLC Malware Process
151.101.2.133 United States 54113 Fastly Malware Process
172.217.5.238 United States 15169 Google LLC Malware Process
216.58.217.78 United States 15169 Google LLC Malware Process
216.58.218.226 United States 15169 Google LLC Malware Process
23.215.131.200 United States 20940 Akamai Technologies, Inc. OS Process
31.13.86.36 Ireland 32934 Facebook Malware Process
8.250.131.254 United States 3356 Level 3 Parent, LLC OS Process
8.253.141.120 United States 3356 Level 3 Parent, LLC OS Process
8.253.154.107 United States 3356 Level 3 Parent, LLC OS Process
www.facebook.com 31.13.71.36 Ireland 32934 Facebook Malware Process
apis.google.com 172.217.7.14 United States 15169 Google LLC Malware Process
ctldl.windowsupdate.com 8.253.140.119 United States 3356 Level 3 Parent, LLC OS Process
crl.pki.goog 172.217.10.110 United States 15169 Google LLC Malware Process
resources.blogblog.com 172.217.12.137 United States 15169 Google LLC Malware Process
www.blogger.com 172.217.10.41 United States 15169 Google LLC Malware Process
crl.microsoft.com 23.215.131.203 United States 20940 Akamai Technologies, Inc. OS Process
www.blogblog.com 172.217.11.41 United States 15169 Google LLC Malware Process
ocsp.pki.goog 216.58.219.206 United States 15169 Google LLC Malware Process
crl.globalsign.net 151.101.22.133 United States 54113 Fastly Malware Process
pagead2.googlesyndication.com 172.217.10.130 United States 15169 Google LLC Malware Process
HTTP PACKETS
Host Port Method Version User Agent Count Call Time During Execution(Sec)
ctldl.windowsupdate.com 80 GET 1.1 Microsoft-CryptoAPI/6.1 1 15.7578618526
Path: /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7f44f9783f0124d2 URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7f44f9783f0124d2
ctldl.windowsupdate.com 80 GET 1.1 Microsoft-CryptoAPI/6.1 1 15.7597539425
Path: /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?276389bb9de752f9 URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?276389bb9de752f9
ctldl.windowsupdate.com 80 GET 1.1 Microsoft-CryptoAPI/6.1 1 15.7669107914
Path: /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4ad08ef4382e44ff URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4ad08ef4382e44ff
ctldl.windowsupdate.com 80 GET 1.1 Microsoft-CryptoAPI/6.1 1 20.9838647842
Path: /msdownload/update/v3/static/trustedr/en/authrootstl.cab?7c04f5ffcb19344f URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7c04f5ffcb19344f
ctldl.windowsupdate.com 80 GET 1.1 Microsoft-CryptoAPI/6.1 1 20.9851858616
Path: /msdownload/update/v3/static/trustedr/en/authrootstl.cab?d10f4abe5f06b2da URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d10f4abe5f06b2da
ctldl.windowsupdate.com 80 GET 1.1 Microsoft-CryptoAPI/6.1 1 21.0640039444
Path: /msdownload/update/v3/static/trustedr/en/authrootstl.cab?922ede3246903412 URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?922ede3246903412
ctldl.windowsupdate.com 80 GET 1.1 Microsoft-CryptoAPI/6.1 1 26.2053258419
Path: /msdownload/update/v3/static/trustedr/en/authrootstl.cab?6422265d95945eca URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6422265d95945eca
ctldl.windowsupdate.com 80 GET 1.1 Microsoft-CryptoAPI/6.1 1 26.2057898045
Path: /msdownload/update/v3/static/trustedr/en/authrootstl.cab?0e9e99ed3ac5629d URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0e9e99ed3ac5629d
ctldl.windowsupdate.com 80 GET 1.1 Microsoft-CryptoAPI/6.1 1 26.2328488827
Path: /msdownload/update/v3/static/trustedr/en/authrootstl.cab?731de17522b84d08 URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?731de17522b84d08
ocsp.pki.goog 80 GET 1.1 Microsoft-CryptoAPI/6.1 3 31.5475540161
Path: /gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D URI: http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D
ocsp.pki.goog 80 GET 1.1 Microsoft-CryptoAPI/6.1 1 36.7546539307
Path: /GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCHrmkIULE%2FKT URI: http://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCHrmkIULE%2FKT
crl.pki.goog 80 GET 1.1 Microsoft-CryptoAPI/6.1 1 36.7888789177
Path: /GTSGIAG3.crl URI: http://crl.pki.goog/GTSGIAG3.crl
ocsp.pki.goog 80 GET 1.1 Microsoft-CryptoAPI/6.1 1 37.0006408691
Path: /GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCBe4UsufcEmg URI: http://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCBe4UsufcEmg
pagead2.googlesyndication.com 80 GET 1.1 Mozilla/4.0 (compatible; M… 1 53.4855690002
Path: /pagead/show_ads.js URI: http://pagead2.googlesyndication.com/pagead/show_ads.js
crl.microsoft.com 80 GET 1.1 Microsoft-CryptoAPI/6.1 1 58.9477829933
Path: /pki/crl/products/tspca.crl URI: http://crl.microsoft.com/pki/crl/products/tspca.crl
crl.microsoft.com 80 GET 1.1 Microsoft-CryptoAPI/6.1 1 64.0828018188
Path: /pki/crl/products/CodeSignPCA2.crl URI: http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl
crl.microsoft.com 80 GET 1.1 Microsoft-CryptoAPI/6.1 1 69.2197217941
Path: /pki/crl/products/WinPCA.crl URI: http://crl.microsoft.com/pki/crl/products/WinPCA.crl
crl.globalsign.net 80 GET 1.1 Microsoft-CryptoAPI/6.1 1 74.4083809853
Path: /primobject.crl URI: http://crl.globalsign.net/primobject.crl
www.facebook.com 80 OPTIONS 1.1 DavClnt 1 77.4678738117
Path: / URI: http://www.facebook.com/
www.facebook.com 80 OPTIONS 1.1 Microsoft-WebDAV-MiniR… 1 83.5652937889
Path: /plugins URI: http://www.facebook.com/plugins
www.facebook.com 80 PROPFIND 1.1 Microsoft-WebDAV-MiniR… 6 86.424202919
Path: /plugins URI: http://www.facebook.com/plugins
www.facebook.com 80 PROPFIND 1.1 Microsoft-WebDAV-MiniR… 2 102.926218987
Path: /plugins/likebox.php URI: http://www.facebook.com/plugins/likebox.php
www.blogger.com 80 OPTIONS 1.1 Microsoft-WebDAV-MiniR… 1 150.584205866
Path: /img/logo-16.png URI: http://www.blogger.com/img/logo-16.png
www.blogger.com 80 PROPFIND 1.1 Microsoft-WebDAV-MiniR… 1 153.17628479
Path: /img/logo-16.png URI: http://www.blogger.com/img/logo-16.png
www.blogger.com 80 PROPFIND 1.1 Microsoft-WebDAV-MiniR… 1 155.771066904
Path: /img URI: http://www.blogger.com/img
www.facebook.com 80 GET 1.1 Mozilla/4.0 (compatible; M… 1 155.892123938
Path: /plugins/like.php?href=http://www.facebook.com/urweddingTV?ref=hl&layout=button_count&show_faces=false&width=50&%20action%20=%20like%20&colorscheme=light&height=21 URI: http://www.facebook.com/plugins/like.php?href=http://www.facebook.com/urweddingTV?ref=hl&layout=button_count&show_faces=false&width=50&%20action%20=%20like%20&colorscheme=light&height=21
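The user-agent column above separates three senders that the report lumps together as "Malware Process": Microsoft-CryptoAPI/6.1 is the CryptoAPI chain builder fetching CTLs, CRLs and OCSP responses (the same traffic that fills CryptnetUrlCache in the file list); Mozilla/4.0 is the iexplore.exe child itself; DavClnt and Microsoft-WebDAV-MiniRedir are the WebClient service, and OPTIONS followed by PROPFIND is its handshake for treating a host as a DAV share. A browser does not issue those. What does is Windows resolving a UNC path: a reference of the form //host/path is scheme-relative, so when the document is opened from file:// it becomes file://host/path, i.e. \\host\path, and the MUP providers try it in turn, which also fits the \Device\RdpDr\;:1\www.facebook.com\plugins entry in the accessed files and the NetBIOS datagrams (137/udp) to the same public addresses in the UDP table. The report does not include the sample's HTML, so that the sample contains such a reference is an inference, not something the page shows. The script below is an added example, not part of the sandbox report or its tooling: it buckets the rows by issuer (rows transcribed from the table, user agents and long paths kept in the truncated form the report prints) and shows the URL resolution with the standard library; the file:// base path in the usage is assumed, the report gives none.

```python
"""Triage of the HTTP PACKETS table: bucket each request by the Windows
component that sent it, and show why a WebDAV client talks to web hosts.
Added example; rows are transcribed from the report, the code is not
part of the sandbox report or its tooling."""
from urllib.parse import urljoin

# (host, method, user_agent, count, seconds, path), transcribed from the report.
# User agents and long paths are kept in the truncated form the report prints.
HTTP_ROWS = [
    ("ctldl.windowsupdate.com", "GET", "Microsoft-CryptoAPI/6.1", 1, 15.76,
     "/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab"),
    ("ocsp.pki.goog", "GET", "Microsoft-CryptoAPI/6.1", 3, 31.55, "/gsr2/ME4wTDBK..."),
    ("crl.microsoft.com", "GET", "Microsoft-CryptoAPI/6.1", 1, 58.95, "/pki/crl/products/tspca.crl"),
    ("pagead2.googlesyndication.com", "GET", "Mozilla/4.0 (compatible; M...", 1, 53.49, "/pagead/show_ads.js"),
    ("www.facebook.com", "OPTIONS", "DavClnt", 1, 77.47, "/"),
    ("www.facebook.com", "OPTIONS", "Microsoft-WebDAV-MiniR...", 1, 83.57, "/plugins"),
    ("www.facebook.com", "PROPFIND", "Microsoft-WebDAV-MiniR...", 6, 86.42, "/plugins"),
    ("www.facebook.com", "PROPFIND", "Microsoft-WebDAV-MiniR...", 2, 102.93, "/plugins/likebox.php"),
    ("www.blogger.com", "OPTIONS", "Microsoft-WebDAV-MiniR...", 1, 150.58, "/img/logo-16.png"),
    ("www.facebook.com", "GET", "Mozilla/4.0 (compatible; M...", 1, 155.89, "/plugins/like.php?href=..."),
]

WEBDAV_METHODS = {"OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK"}


def classify(method, user_agent):
    """Attribute one request to the Windows component that issued it."""
    if user_agent.startswith("Microsoft-CryptoAPI"):
        return "cryptoapi"          # CTL/CRL/OCSP fetches during certificate chain building
    if user_agent == "DavClnt" or user_agent.startswith("Microsoft-WebDAV-MiniR") \
            or method in WEBDAV_METHODS:
        return "webdav-redirector"  # WebClient service treating the host as a DAV share
    if user_agent.startswith("Mozilla/"):
        return "browser"            # the iexplore.exe child processes themselves
    return "unknown"


def triage(rows):
    """Group rows by issuer; 'requests' sums the report's Count column."""
    buckets = {}
    for host, method, ua, count, seconds, path in rows:
        b = buckets.setdefault(classify(method, ua), {"rows": [], "requests": 0})
        b["rows"].append((seconds, host, method, path))
        b["requests"] += count
    return buckets


def webdav_targets(rows):
    """Distinct (host, path) pairs the WebDAV mini-redirector probed."""
    return sorted({(h, p) for h, m, ua, c, s, p in rows
                   if classify(m, ua) == "webdav-redirector"})


def resolve_scheme_relative(base_url, ref):
    """Resolve a reference the way a browser does.  A scheme-relative
    reference (//host/path) inherits the base scheme: under http:// it is a
    web URL, under file:// it is file://host/path, which Windows opens as the
    UNC path \\\\host\\path and hands to the MUP providers (SMB, then the
    WebDAV mini-redirector)."""
    resolved = urljoin(base_url, ref)
    unc = None
    if resolved.startswith("file://") and not resolved.startswith("file:///"):
        unc = "\\\\" + resolved[len("file://"):].replace("/", "\\")
    return resolved, unc


if __name__ == "__main__":
    for name, b in triage(HTTP_ROWS).items():
        print(f"{name:18s} rows={len(b['rows']):2d} requests={b['requests']:2d}")
    print(webdav_targets(HTTP_ROWS))
    # Assumed local path for the sample; the report does not give one.
    print(resolve_scheme_relative("file:///C:/Users/user/Desktop/sample.html",
                                  "//www.facebook.com/plugins/likebox.php"))
```

Run as is it prints 3 CryptoAPI rows (5 requests), 5 redirector rows (11 requests) and 2 browser rows, the four probed (host, path) pairs, and the file://www.facebook.com/plugins/likebox.php resolution with its UNC form. The same reference resolved against an http:// base is an ordinary web URL, which is why the page behaves differently when served than when opened from disk in a sandbox; the classifier keys on the method as well as the user agent so a truncated or spoofed user agent still lands in the right bucket.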
DNS QUERIES
Request Type
www.blogger.com A
Answers - 172.217.5.233 (A) - blogger.l.google.com (CNAME)
apis.google.com A
Answers - 216.58.217.78 (A) - plus.l.google.com (CNAME)
ctldl.windowsupdate.com A
Answers - 8.250.99.254 (A) - audownload.windowsupdate.nsatc.net (CNAME) - 8.248.221.254 (A) - 8.250.91.254 (A) - 8.250.131.254 (A) - auto.au.download.windowsupdate.com.c.footprint.net (CNAME) - 8.253.154.107 (A) - opau.download.windowsupdate.com.c.footprint.net (CNAME) - 8.248.217.254 (A) - 8.253.141.121 (A) - 8.250.109.254 (A) - 8.253.157.121 (A) - 8.250.103.254 (A) - 8.253.141.120 (A) - 8.253.141.248 (A) - 8.253.141.249 (A) - 8.253.140.118 (A)
ocsp.pki.goog A
Answers - 172.217.5.238 (A) - www3.l.google.com (CNAME)
resources.blogblog.com A
www.blogblog.com A
crl.pki.goog A
pagead2.googlesyndication.com A
Answers - pagead46.l.doubleclick.net (CNAME) - 216.58.218.226 (A)
blog.urweddingtv.com A
Answers - (NXDOMAIN)
www.facebook.com A
Answers - 31.13.86.36 (A) - star-mini.c10r.facebook.com (CNAME) - 31.13.71.36 (A)
crl.microsoft.com A
Answers - crl.www.ms.akadns.net (CNAME) - 23.215.131.200 (A) - 23.215.131.195 (A) - a1363.dscg.akamai.net (CNAME)
crl.globalsign.net A
Answers - 151.101.66.133 (A) - 151.101.2.133 (A) - global.prd.cdn.globalsign.com (CNAME) - 151.101.194.133 (A) - 151.101.130.133 (A) - prod.globalsign.map.fastly.net (CNAME)
TCP PACKETS
Call Time During Execution(sec) Source IP Dest IP Dest Port
9.93462586403 Sandbox 172.217.5.233 443
9.93490695953 Sandbox 172.217.5.233 443
9.93511080742 Sandbox 216.58.217.78 443
15.7578618526 Sandbox 8.250.131.254 80
15.7597539425 Sandbox 8.253.154.107 80
15.7669107914 Sandbox 8.253.141.120 80
20.9838647842 Sandbox 8.250.131.254 80
20.9851858616 Sandbox 8.250.131.254 80
26.2328488827 Sandbox 8.250.131.254 80
31.5475540161 Sandbox 172.217.5.238 80
31.8169429302 Sandbox 172.217.5.238 80
31.8338208199 Sandbox 172.217.5.238 80
31.9076359272 Sandbox 172.217.5.233 443
31.9079298973 Sandbox 172.217.5.233 443
32.1482658386 Sandbox 172.217.5.233 443
32.380614996 Sandbox 172.217.5.233 443
36.7546539307 Sandbox 172.217.5.238 80
36.7888789177 Sandbox 216.58.217.78 80
53.4669878483 Sandbox 172.217.5.233 443
53.4855690002 Sandbox 216.58.218.226 80
53.4877979755 Sandbox 172.217.5.233 443
58.9477829933 Sandbox 23.215.131.200 80
74.4083809853 Sandbox 151.101.2.133 80
77.4678738117 Sandbox 31.13.86.36 80
83.5652937889 Sandbox 31.13.86.36 80
86.424202919 Sandbox 31.13.86.36 80
150.584205866 Sandbox 172.217.5.233 80
155.892123938 Sandbox 31.13.71.36 80
UDP PACKETS
Call Time During Execution(sec) Source IP Dest IP Dest Port
3.02416396141 Sandbox 224.0.0.252 5355
3.0271627903 Sandbox 224.0.0.252 5355
3.03204679489 Sandbox 239.255.255.250 3702
3.08137798309 Sandbox 192.168.56.255 137
5.58051395416 Sandbox 224.0.0.252 5355
6.43296980858 Sandbox 224.0.0.252 5355
7.25699281693 Sandbox 224.0.0.252 5355
9.07958483696 Sandbox 192.168.56.255 138
9.83240580559 Sandbox 8.8.4.4 53
9.83281779289 Sandbox 8.8.4.4 53
10.1607840061 Sandbox 224.0.0.252 5355
10.1634337902 Sandbox 224.0.0.252 5355
10.1664559841 Sandbox 224.0.0.252 5355
13.1295778751 Sandbox 224.0.0.252 5355
13.1298658848 Sandbox 224.0.0.252 5355
13.1300859451 Sandbox 224.0.0.252 5355
15.6921098232 Sandbox 8.8.4.4 53
15.6925299168 Sandbox 8.8.4.4 53
15.6928889751 Sandbox 8.8.4.4 53
15.8345599174 Sandbox 224.0.0.252 5355
15.8412919044 Sandbox 224.0.0.252 5355
15.9463498592 Sandbox 224.0.0.252 5355
18.4128398895 Sandbox 224.0.0.252 5355
18.4183108807 Sandbox 224.0.0.252 5355
18.5127429962 Sandbox 224.0.0.252 5355
21.0541849136 Sandbox 224.0.0.252 5355
21.0620880127 Sandbox 224.0.0.252 5355
21.1041908264 Sandbox 224.0.0.252 5355
23.6408720016 Sandbox 224.0.0.252 5355
23.6415829659 Sandbox 224.0.0.252 5355
23.6687428951 Sandbox 224.0.0.252 5355
26.3824768066 Sandbox 224.0.0.252 5355
26.6845378876 Sandbox 224.0.0.252 5355
26.696616888 Sandbox 224.0.0.252 5355
28.9509828091 Sandbox 224.0.0.252 5355
29.2426068783 Sandbox 224.0.0.252 5355
29.2598829269 Sandbox 224.0.0.252 5355
31.5021548271 Sandbox 8.8.4.4 53
31.6012148857 Sandbox 224.0.0.252 5355
31.6073899269 Sandbox 224.0.0.252 5355
31.887362957 Sandbox 224.0.0.252 5355
32.33481884 Sandbox 8.8.4.4 53
32.3385229111 Sandbox 8.8.4.4 53
34.1738247871 Sandbox 224.0.0.252 5355
34.1740980148 Sandbox 224.0.0.252 5355
34.4481258392 Sandbox 224.0.0.252 5355
35.7033848763 Sandbox 8.8.4.4 53
35.7510409355 Sandbox 172.217.5.233 137
36.736027956 Sandbox 8.8.4.4 53
53.4392869473 Sandbox 8.8.4.4 53
53.4676659107 Sandbox 8.8.4.4 53
53.6838078499 Sandbox 224.0.0.252 5355
53.7075870037 Sandbox 8.8.4.4 53
56.2485239506 Sandbox 224.0.0.252 5355
57.0803029537 Sandbox 8.8.4.4 53
57.1287448406 Sandbox 31.13.71.36 137
58.7979619503 Sandbox 8.8.4.4 53
58.9658908844 Sandbox 224.0.0.252 5355
61.525331974 Sandbox 224.0.0.252 5355
64.1044688225 Sandbox 224.0.0.252 5355
66.6659178734 Sandbox 224.0.0.252 5355
69.2419610023 Sandbox 224.0.0.252 5355
71.8076758385 Sandbox 224.0.0.252 5355
74.3605690002 Sandbox 8.8.4.4 53
74.7969110012 Sandbox 224.0.0.252 5355
80.8756999969 Sandbox 224.0.0.252 5355
83.7416229248 Sandbox 224.0.0.252 5355
86.6578710079 Sandbox 224.0.0.252 5355
89.4086120129 Sandbox 224.0.0.252 5355
92.1449978352 Sandbox 224.0.0.252 5355
94.8975667953 Sandbox 224.0.0.252 5355
97.6408479214 Sandbox 224.0.0.252 5355
100.373844862 Sandbox 224.0.0.252 5355
103.105217934 Sandbox 224.0.0.252 5355
105.831234932 Sandbox 8.8.4.4 53
109.188574791 Sandbox 8.8.4.4 53
130.312829971 Sandbox 8.8.4.4 53
148.009897947 Sandbox 224.0.0.252 5355
150.624585867 Sandbox 224.0.0.252 5355
153.203905821 Sandbox 224.0.0.252 5355
155.851692915 Sandbox 8.8.4.4 53
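The packet tables list destinations by address only, and the CONTACTED IPS table attributes names to addresses that differ from what the sandbox's own DNS answers show (www.facebook.com resolved to 31.13.86.36 and 31.13.71.36 here, not only 31.13.71.36). The script below, an added example that is not part of the sandbox report, joins the two: it parses the DNS QUERIES lines into an address-to-name map, labels each TCP/UDP row as local chatter (LLMNR to 224.0.0.252, WS-Discovery to 239.255.255.250, NetBIOS to the 192.168.56.255 broadcast) or an internet destination with its resolved name, and flags two things a browser session does not produce: NetBIOS name-service datagrams to public addresses (35.75 s to 172.217.5.233, 57.13 s to 31.13.71.36, which is what a UNC lookup of a public hostname causes) and internet destinations that no observed DNS answer explains. The lines are transcribed in part from the three tables; the ctldl.windowsupdate.com and crl.globalsign.net answer lists are shortened.

```python
"""Attribute the TCP/UDP destinations in the packet tables to the names the
sandbox resolved, and flag what does not fit plain web browsing.  Added
example; the lines are transcribed (in part) from the DNS QUERIES, TCP PACKETS
and UDP PACKETS tables, the code is not part of the sandbox report."""
import ipaddress
import re

DNS_LINES = """\
www.blogger.com A
Answers - 172.217.5.233 (A) - blogger.l.google.com (CNAME)
apis.google.com A
Answers - 216.58.217.78 (A) - plus.l.google.com (CNAME)
ctldl.windowsupdate.com A
Answers - 8.250.131.254 (A) - auto.au.download.windowsupdate.com.c.footprint.net (CNAME) - 8.253.154.107 (A) - 8.253.141.120 (A)
ocsp.pki.goog A
Answers - 172.217.5.238 (A) - www3.l.google.com (CNAME)
pagead2.googlesyndication.com A
Answers - pagead46.l.doubleclick.net (CNAME) - 216.58.218.226 (A)
blog.urweddingtv.com A
Answers - (NXDOMAIN)
www.facebook.com A
Answers - 31.13.86.36 (A) - star-mini.c10r.facebook.com (CNAME) - 31.13.71.36 (A)
crl.microsoft.com A
Answers - crl.www.ms.akadns.net (CNAME) - 23.215.131.200 (A)
crl.globalsign.net A
Answers - 151.101.2.133 (A) - prod.globalsign.map.fastly.net (CNAME)
"""

# "seconds Sandbox dest_ip dest_port", a subset of each packet table.
TCP_LINES = """\
9.93462586403 Sandbox 172.217.5.233 443
15.7578618526 Sandbox 8.250.131.254 80
36.7888789177 Sandbox 216.58.217.78 80
53.4855690002 Sandbox 216.58.218.226 80
58.9477829933 Sandbox 23.215.131.200 80
74.4083809853 Sandbox 151.101.2.133 80
77.4678738117 Sandbox 31.13.86.36 80
155.892123938 Sandbox 31.13.71.36 80
"""
UDP_LINES = """\
3.02416396141 Sandbox 224.0.0.252 5355
3.08137798309 Sandbox 192.168.56.255 137
9.83240580559 Sandbox 8.8.4.4 53
35.7510409355 Sandbox 172.217.5.233 137
57.1287448406 Sandbox 31.13.71.36 137
"""

A_RECORD = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) \(A\)")


def parse_dns(text):
    """Map every A-record answer back to the name that was queried; names
    with no A answer (NXDOMAIN) are returned separately."""
    ip_to_name, unresolved, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Answers"):
            ips = A_RECORD.findall(line)
            if not ips:
                unresolved.append(current)
            for ip in ips:
                ip_to_name.setdefault(ip, current)
        else:
            current = line.split()[0]      # "name A"
    return ip_to_name, unresolved


def parse_packets(text, proto):
    """Rows of (seconds, dest_ip, dest_port, proto)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append((float(parts[0]), parts[2], int(parts[3]), proto))
    return rows


def attribute(packets, ip_to_name):
    """Label each packet with its scope and the DNS name (if any) behind it.
    Multicast (LLMNR 5355, WS-Discovery 3702) and the sandbox LAN broadcast
    (NetBIOS 137/138) are normal Windows chatter and are marked 'local'."""
    out = []
    for seconds, dst, port, proto in packets:
        ip = ipaddress.ip_address(dst)
        scope = "local" if (ip.is_multicast or ip.is_private) else "internet"
        out.append({"t": seconds, "dst": dst, "port": port, "proto": proto,
                    "scope": scope, "name": ip_to_name.get(dst)})
    return out


def suspicious(attributed):
    """Two things a browser does not do: NetBIOS name service (137/udp) to an
    internet address, which is what a UNC lookup of a public hostname causes,
    and an internet destination the sandbox never resolved through DNS."""
    flags = []
    for p in attributed:
        if p["scope"] != "internet" or p["port"] == 53:
            continue
        if p["proto"] == "udp" and p["port"] == 137:
            flags.append(("netbios-to-internet", p["dst"], p["name"]))
        elif p["name"] is None:
            flags.append(("no-dns-answer", p["dst"], None))
    return flags


if __name__ == "__main__":
    names, nx = parse_dns(DNS_LINES)
    pkts = parse_packets(TCP_LINES, "tcp") + parse_packets(UDP_LINES, "udp")
    for p in attribute(pkts, names):
        print(f"{p['t']:8.2f} {p['proto']} {p['dst']:>16}:{p['port']:<5} {p['scope']:8} {p['name'] or '-'}")
    print("NXDOMAIN:", nx)
    print("flags:", suspicious(attribute(pkts, names)))
```

Every TCP destination in the subset is explained by an observed answer, and the only flags are the two NetBIOS datagrams to public addresses. Attribution by A record is only as good as the DNS seen: Google front ends serve many names, so 216.58.217.78:80 is labelled apis.google.com by the answer while the HTTP table shows the request at 36.79 s going to crl.pki.goog. Where a Host header exists, as in the HTTP PACKETS table, prefer it over the DNS map.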
DETAILED FILE INFO
CREATED / DROPPED FILES
FILE PATH TYPE AND HASHES
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Conte Type : very short file (no magic) nt.IE5\U8W72H2L\Authorization[1].Css MD5 : 68b329da9893e34099c7d8ad5cb9c940 SHA-1 : adc83b19e793491b1c6ea0fd8b46cd9f32e592fc SHA-256 : 01ba4719c80b6fe911b091a7c05124b64eeece964… SHA-512 : be688838ca8686e5c90689bf2ab585cef1137c999… Size : 0.001 Kilobytes.
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Conte Type : PNG image data, 16 x 16, 8-bit/color RGBA, non- nt.IE5\K6P3SCP6\Favcenter[1] interlaced MD5 : 25d76ee5fb5b890f2cc022d94a42fe19 SHA-1 : 62c180ec01ff2c30396fb1601004123f56b10d2f SHA-256 : 07d07a467e4988d3c377acd6dc9e53abca6b64e8… SHA-512 : 28a82e06f8c59d637630d0426950b0b0a9c3e553… Size : 3.366 Kilobytes.
C:\Users\User\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{ Type : Composite Document File V2 Document, No 26505E1E-F658-11E8-BFC1-08002761E52B}.Dat summary info MD5 : 4f4fdddfb38b332b95c7661701e318db SHA-1 : eaedd13babe9fea234befc949fb622656ca28753 SHA-256 : 045add889323455afa3304903be951bcd0dd9a3b… SHA-512 : 8f08643ddf7cf1dc960080287d4cafccab0455bfeb… Size : 6.656 Kilobytes.
C:\Users\User\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8ED Type : data B95DF3F0AD4EE2DC2B8CFD4157 MD5 : ae749a0c4babacf35541d47b19dfb91c SHA-1 : fe864cceec9918dac8a23c0953b20d5736133450 SHA-256 : 6e57191b5954ac395988d5d7e93f672f78b532369… SHA-512 : 43e4d2a4f03e1395d87c33a18fd91ab1fff7431e4d… Size : 0.342 Kilobytes.
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Conte Type : PNG image data, 16 x 16, 8-bit/color RGBA, non- nt.IE5\U8W72H2L\Tools[1] interlaced MD5 : 6f20ba58551e13cfd87ec059327effd0 SHA-1 : b326a89ee587636bad7ad52aa944dc314fc6a6e2 SHA-256 : 62a7038cc42c1482d70465192318f21fc1ce0f0c73… SHA-512 : 7fd273080b9ab234576d61233ec62b0e02506e99… Size : 3.56 Kilobytes.
C:\Users\User\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB9 Type : Microsoft Cabinet archive data, 6570 bytes, 1 file 5DF3F0AD4EE2DC2B8CFD4157 MD5 : 99bfefb3d6047523a3eee330774e4bf5 SHA-1 : 867798b42e1656b6a85d09b7cfa36013f5b317f4 SHA-256 : 05890f86fdc9101366410a7d0c8c10cf510cdecc3f1… SHA-512 : df997fa2e6e228949ef7bacd52411b550324b22fff… Size : 6.57 Kilobytes.
C:\Users\User\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BD Type : Microsoft Cabinet archive data, 55745 bytes, 1 file A74BD0D0E0426DC8F8008506 MD5 : 2af3e4b57a8b637fcee8cb7485986fa3 SHA-1 : 4c31cedff6e2e366085c2793997357bc08bce9a1 SHA-256 : 10632f5e8df34d4641f11aa0ad917a629bf75f7c0e… SHA-512 : 3df74ff25fe90543f3fd74643d6a4e80f637feb5dd6… Size : 55.745 Kilobytes. Page 29
FILE PATH TYPE AND HASHES
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Conte Type : PNG image data, 15 x 15, 8-bit/color RGBA, non- nt.IE5\JFPXO29L\Down[1] interlaced MD5 : 555e83ce7f5d280d7454af334571fb25 SHA-1 : 47f78f68d72e3d9041acc9107a6b0d665f408385 SHA-256 : 70f316a5492848bb8242d49539468830b353ddaa… SHA-512 : 021f2f0da228a23826cfddf2898e2b63787b3be2d… Size : 3.414 Kilobytes.
C:\Users\User\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F5F320A Type : data 94D4D2B4465D8F17E2BB2D351_F57178D9F7B90859A3F775EE4081F34D MD5 : 2d55cc293f3b42a6b0d874a9541c9da4 SHA-1 : fdd2c7ecdc613820937574f03d20b91feff64885 SHA-256 : 3e1354e774db2bbafa34e994d7afa4030d413563… SHA-512 : 67e17a04a381d3276d81e98a30a481a7d13fe546… Size : 0.382 Kilobytes.
C:\Users\User\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86D Type : data BBE02D859DC92F1E17E0574EE8_FDB452422670E72EDD3FB3D65568F821 MD5 : d0ba9b607bd6cb70b68686432739cbc5 SHA-1 : 6869d2f872df95a2173e5a3b596502a6a9066c9f SHA-256 : ba08293f8d2e9e683ba89913cff1448e370add18f… SHA-512 : 263f3bee4cfd0e72f81595dcb9a2d10a4a1980896… Size : 0.402 Kilobytes.
C:\Users\User\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist01201 Type : Internet Explorer cache file version Ver 5.2 8120320181204\Index.Dat MD5 : f531fd912d87d33466e9ca42a6befe09 SHA-1 : a5d7b5a578915ba0fcd6e60ea98669d47df2c8a7 SHA-256 : 7594863b651cff5d8facbb479e593d7b32df81954… SHA-512 : ecee2a966f756611f53abb33b1b10b76a4e2298ab… Size : 32.768 Kilobytes.
C:\Users\User\AppData\Roaming\Microsoft\Windows\PrivacIE\Index.Dat Type : Internet Explorer cache file version Ver 5.2 MD5 : 6aea4ff23a31bb4904ad6b942cd7f6a1 SHA-1 : 202fc0c09d2290aa448295fb0c8454facd626b1c SHA-256 : 1508f58c461fae8c8bb3c20df8d44466ff62019039… SHA-512 : e6909b511168b05282a8ce9c10ef72e45e2efd726… Size : 49.152 Kilobytes.
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Conte Type : JPEG image data, JFIF standard 1.02 nt.IE5\0D3JCK2E\Background_gradient[1] MD5 : 20f0110ed5e4e0d5384a496e4880139b SHA-1 : 51f5fc61d8bf19100df0f8aadaa57fcd9c086255 SHA-256 : 1471693be91e53c2640fe7baeecbc624530b08844… SHA-512 : 5f52c117e346111d99d3b642926139178a80b9ec… Size : 0.453 Kilobytes.
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Conte Type : ASCII text, with very long lines nt.IE5\U8W72H2L\F[1].Txt MD5 : cdddc37d4eeb12c88a41753bb39fda96 SHA-1 : 311561986a747f6d21fb65322dddf57ab0102eda SHA-256 : 28011165ac7cfe7054856520675a0fa63e7f5a3b17… SHA-512 : f4125122c105689592a478d54fb6951fa05203982… Size : 60.676 Kilobytes.
C:\Users\User\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63B Type : data DA74BD0D0E0426DC8F8008506 MD5 : 77261b51149bfa986d4740c23f9f0eeb SHA-1 : 222294db8e1569f3be73e58ad0629a696cc65ad4 SHA-256 : 7d4262f444cfd5f985be0d28fbeab5da6977d01f2… SHA-512 : 04ea43bda7ece0514577ec9268ed31110d450869… Size : 0.328 Kilobytes. Page 30
FILE PATH TYPE AND HASHES
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Conte Type : UTF-8 Unicode (with BOM) text, with CRLF, CR line nt.IE5\K6P3SCP6\HttpErrorPagesScripts[1] terminators C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Conte MD5 : e7ca76a3c9ee0564471671d500e3f0f3 nt.IE5\JFPXO29L\HttpErrorPagesScripts[1] SHA-1 : fe815ae0f865ec4c26e421bf0bd21bb09bc6f410 SHA-256 : 58268ca71a28973b756a48bbd7c9dc2f6b87b62a… SHA-512 : 40d33112debdd440f169d3a62b06607afa94c459… Size : 8.601 Kilobytes.
C:\Users\User\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F5F320A Type : data 94D4D2B4465D8F17E2BB2D351_003C74F91492339E26043FF88C076638 MD5 : 9d6aea409d7b8a445a58a55af3474f5a SHA-1 : 7252806cd19041946e27739d37d7da34a7ae71c0 SHA-256 : f16769e1eba4d25e47708be82eac080fca477a398… SHA-512 : 5947ee51b0e88cc016af9e098ca8d6f46ac6944a8… Size : 0.386 Kilobytes.
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Conte Type : PNG image data, 18 x 18, 8-bit colormap, non- nt.IE5\0D3JCK2E\Icon18_wrench_allbkg[1].Png interlaced MD5 : f617effe6d96c15acfea8b2e8aae551f SHA-1 : 6d676af11ad2e84b620cce4d5992b657cb2d8ab6 SHA-256 : d172d750493be64a7ed84dec1dd2a0d787ba42f7… SHA-512 : 3189a6281ad065848afc700a47bea885cd3905da… Size : 0.475 Kilobytes.
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Index.Dat Type : Internet Explorer cache file version Ver 5.2 MD5 : 2ed7b584633888df7f0114fa4ac6dc69 SHA-1 : fa8067b3241b8d9258d9fc88f5bd80fca5433b10 SHA-256 : 69a0d29dc846c82d785231dbf94e4c4b731ad588… SHA-512 : 678165bd37def22a10615aded1384e97413fce1fb… Size : 32.768 Kilobytes.
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Conte Type : PNG image data, 120 x 60, 8-bit/color RGBA, non- nt.IE5\U8W72H2L\Share_buttons_20_3[1].Png interlaced MD5 : ad9999106d5f550920b586e8e1704e5a SHA-1 : 93fd02c51166402a41f96509cd0ca3fb917877dd SHA-256 : 3829a5b2ade7cfc416c80b8f3df71e49e68672875… SHA-512 : de6552632f76a64c26fc0f27cce741fbb383d60c62… Size : 5.08 Kilobytes.
C:\Users\User\AppData\Local\Microsoft\Windows\History\History.IE5\Index.Dat Type : Internet Explorer cache file version Ver 5.2 MD5 : cdc963edee9c2710bfedff9255e13196 SHA-1 : abad91dea15971f314d8d97b084414ece9d26310 SHA-256 : 6a4558a3a897f74d6266f6e764bc4ecfa44bc07be… SHA-512 : 3423203f468df6939e7052dceccbdad997e85dfe7… Size : 49.152 Kilobytes.
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Conte Type : UTF-8 Unicode (with BOM) text, with CRLF line nt.IE5\0D3JCK2E\ErrorPageTemplate[1] terminators MD5 : f4fe1cb77e758e1ba56b8a8ec20417c5 SHA-1 : f4eda06901edb98633a686b11d02f4925f827bf0 SHA-256 : 8d018639281b33da8eb3ce0b21d11e1d414e590… SHA-512 : 62514ab345b6648c5442200a8e9530dfb88a0355… Size : 2.168 Kilobytes.
C:\Users\User\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\01B16CDB Type : data ADE7DB774141D7E30D50EC69 MD5 : 20161fc9a7f9a82ec0d2715dae1a8452 SHA-1 : 4a15aac1ee876b08f224d7996aa195417e908f4a SHA-256 : 186c69931d2a85d50e96f98fabe1f2bae04ecd0c5… SHA-512 : fee444001c166e777053127ff0650ed2367e2c8b7d… Size : 0.593 Kilobytes. Page 31
FILE PATH TYPE AND HASHES
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Conte Type : ASCII text, with very long lines nt.IE5\JFPXO29L\864213505-Ieretrofit[1].Js MD5 : 364501e083769dd2522bd01655bf399d SHA-1 : 2d4ba7b0e65a955dd6d679ed83517801418a10a8 SHA-256 : 0c20a9ce611e3ee5b32f6ff83f04d64ec7cfe867139… SHA-512 : dc0b992908deff9f736ded2fb50e8ce0ef183ede4c… Size : 36.707 Kilobytes.
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Conte Type : UTF-8 Unicode (with BOM) text, with CRLF line nt.IE5\JFPXO29L\ErrorPageStrings[1] terminators C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Conte MD5 : 1a0563f7fb85a678771450b131ed66fd nt.IE5\K6P3SCP6\ErrorPageStrings[1] SHA-1 : a6d24e8a1ffd7e6fc0d1ecd00e67eb72425019a7 SHA-256 : eb5678de9d8f29ca6893d4e6ca79bd5ab4f31281… SHA-512 : 4f68d0f0c897ce4c751d5b7b51e7fb9ea31e0c064… Size : 1.817 Kilobytes.
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K6P3SCP6\Dnserror[1]
  Type: HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0D3JCK2E\Dnserror[1]
  MD5: 68e03ed57ec741a4afbbcd11fab1bdbe
  SHA-1: 250c965d7f4eb882d2289706a6c66e2b8976c1a8
  SHA-256: 1ff3334c3eb27033f8f37029fd72f648edd4551fce8…
  SHA-512: 60ea2052fa47781c1c9c09512f2bebeee4704efe44…
  Size: 5.947 Kilobytes

C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8W72H2L\NoConnect[1]
  Type: PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
  MD5: 3cb8faccd5de434d415ab75c17e8fd86
  SHA-1: 098b04b7237860874db38b22830387937aeb5073
  SHA-256: 6976c426e3ac66d66303c114b22b2b41109a7de6…
  SHA-512: e307d058de7d1168f0f0f5e51657091f956af310dc…
  Size: 8.23 Kilobytes

C:\Users\User\AppData\Local\Microsoft\Feeds Cache\Index.Dat
  Type: Internet Explorer cache file version Ver 5.2
  MD5: 3e5ddabe53f537bb917138b79e28e6e7
  SHA-1: 7dac8bae102d9252a0c912a4ff6a42295ec1e8fe
  SHA-256: 921a68e66c33e22dba1677e4a0a7a1367c54108e…
  SHA-512: eecbc6736703384c56642f4fa602e8a8673ed70f6c…
  Size: 32.768 Kilobytes

C:\Users\User\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F5F320A94D4D2B4465D8F17E2BB2D351_003C74F91492339E26043FF88C076638
  Type: data
  MD5: 9b6d8efc6198db9e3375abed60397950
  SHA-1: 4925b7d0af33cd067c93b4d9ef4aebead63484a9
  SHA-256: 8baa1fe76d6e93884fcd2ac29ad9476a2e3d5c5a3…
  SHA-512: 3b6521c1a4cf30ae06926bb350bfeff5e7b9413010…
  Size: 0.463 Kilobytes

C:\Users\User\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_FDB452422670E72EDD3FB3D65568F821
  Type: data
  MD5: d9d754520ae3340aa37cca6115eee05b
  SHA-1: a0320372760d99c762cb2eb4b37f776625ef1b33
  SHA-256: 7dc8284c51c9a38dc1bf03bd28857ea5336e8f5c5…
  SHA-512: 440f6a9ea2ce5ecd1fd7cb3d122a6f5f108550d71a…
  Size: 0.468 Kilobytes

C:\Users\User\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F5F320A94D4D2B4465D8F17E2BB2D351_F57178D9F7B90859A3F775EE4081F34D
  Type: data
  MD5: 0f8b3e3b52e5e4c1e0adb59c075abcb6
  SHA-1: 2f3596976175efb087a121f48aad36087a4f87d3
  SHA-256: 7a5188f38a43f41fff18f629c51d1b763b079c22ad8…
  SHA-512: 9752e9ffad0c86b54ad0436521542ad19dc4fc1b0…
  Size: 0.463 Kilobytes

C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JFPXO29L\2727757643-Css_bundle_v2[1].Css
  Type: ASCII text, with very long lines
  MD5: c6bef00b7471799fb84ecd3c7d93b889
  SHA-1: a6396b397197c482524473491da5dae89408e93d
  SHA-256: 797e19ac51bd552cb84849b171fad7cf0563b4a14…
  SHA-512: d44ae98a63a5d828c4b2ee0f62edebc8477f487b4…
  Size: 39.463 Kilobytes

C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Index.Dat
  Type: Internet Explorer cache file version Ver 5.2
  MD5: bd021ca160e34a92d03fdfe29c9e51f4
  SHA-1: d82fbba46d23371a360c023e02bd60631d7c3485
  SHA-256: b2c1ed38a8b472c191a5cefd9e9fdd9c1793067af…
  SHA-512: e0263b195d9fa461003ff31cb080c1aa520b3b45f3…
  Size: 180.224 Kilobytes

C:\Users\User\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{26505E1D-F658-11E8-BFC1-08002761E52B}.Dat
  Type: Composite Document File V2 Document, No summary info
  MD5: a1926ef4a40737b86009fa4a87cba31b
  SHA-1: fc6515a7362d1474cc79b2683edd8fb6fd73f912
  SHA-256: 7949c5591ac353d53c484baf6b5bec9e7b64e5178…
  SHA-512: f9c40665a7d4d9600e6b068c1495b54ad56b5a7a…
  Size: 3.584 Kilobytes

C:\Users\User\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\01B16CDBADE7DB774141D7E30D50EC69
  Type: data
  MD5: bc8a655160f5d3f509d086e4710751b2
  SHA-1: b614407308f6cc48d8dc319a310b06be9cb5049c
  SHA-256: 3cfdde52916d4ab94fa5090d5500d3dac44a2c1b…
  SHA-512: aa4df218cbc72d99a535a39a1825eb673d702d0f9…
  Size: 0.182 Kilobytes

The report's "Kilobytes" unit is 1,000 bytes (32.768 Kilobytes = 32,768 bytes and 180.224 Kilobytes = 180,224 bytes, both exact multiples of 1,024 bytes as expected for Index.dat). The SHA-256 and SHA-512 values are truncated in the report ("…") and cannot be used for hash matching; only the MD5 and SHA-1 values are complete. The Content.IE5 Dnserror and NoConnect files are Internet Explorer's own connection-failure resources, and CryptnetUrlCache holds CryptoAPI certificate-revocation downloads; these are side effects of the sample launching iexplore.exe and its failed connection attempts, not payloads written by the sample.
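A small triage helper for rows of this table, added here as an example and not part of the Valkyrie report or its tooling. It takes rows in the report's one-line form (path, then "Type :", "MD5 :", "SHA-1 :", "SHA-256 :", "SHA-512 :" and "Size :"), checks every digest against its expected hex length so the truncated SHA-256/SHA-512 values are never exported as IOCs, converts the report's "Kilobytes" (bytes / 1000) to bytes, and tags paths that Internet Explorer and CryptoAPI write on their own during a run. The path patterns and category names are this example's assumptions; the first three sample rows are copied from the report with their split columns rejoined, and the fourth row is constructed with dummy digests.

```python
"""Triage helper for 'FILE PATH, TYPE AND HASHES' rows of a sandbox report (added example)."""
import re
from dataclasses import dataclass, field

HASH_LENGTHS = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-512": 128}

# Assumption of this example: these locations are written by IE / CryptoAPI as a
# side effect of the sample opening iexplore.exe, so they are not candidate drops.
BROWSER_SIDE_EFFECTS = (
    r"\\Temporary Internet Files\\Content\.IE5\\",
    r"\\CryptnetUrlCache\\",
    r"\\Feeds Cache\\",
    r"\\Internet Explorer\\Recovery\\",
)

ROW_RE = re.compile(
    r"^(?P<path>.+?)\s+Type\s*:\s*(?P<type>.+?)\s+MD5\s*:\s*(?P<MD5>\S+)\s+"
    r"SHA-1\s*:\s*(?P<SHA1>\S+)\s+SHA-256\s*:\s*(?P<SHA256>\S+)\s+"
    r"SHA-512\s*:\s*(?P<SHA512>\S+)\s+Size\s*:\s*(?P<size>[\d.]+)\s*Kilobytes\.?$"
)


@dataclass
class Artifact:
    path: str
    file_type: str
    size_bytes: int
    usable_iocs: dict = field(default_factory=dict)  # algo -> complete lowercase hex digest
    truncated: list = field(default_factory=list)    # algos whose digest is incomplete
    category: str = "review"


def parse_row(line: str) -> Artifact:
    """Parse one report row; digests that are not full-length hex are marked truncated."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line[:60]!r}")
    art = Artifact(path=m["path"], file_type=m["type"],
                   size_bytes=round(float(m["size"]) * 1000))  # report unit is 1000 bytes
    for algo, group in (("MD5", "MD5"), ("SHA-1", "SHA1"),
                        ("SHA-256", "SHA256"), ("SHA-512", "SHA512")):
        digest = m[group].rstrip("…").rstrip(".")  # strip the report's ellipsis
        if len(digest) == HASH_LENGTHS[algo] and re.fullmatch(r"[0-9a-fA-F]+", digest):
            art.usable_iocs[algo] = digest.lower()
        else:
            art.truncated.append(algo)
    if any(re.search(p, art.path) for p in BROWSER_SIDE_EFFECTS):
        art.category = "browser-side-effect"
    return art


def triage(rows):
    """Parse every row and return (artifacts, summary) with per-category counts."""
    artifacts = [parse_row(r) for r in rows]
    summary = {"browser-side-effect": 0, "review": 0, "rows_with_truncated_hashes": 0}
    for a in artifacts:
        summary[a.category] += 1
        if a.truncated:
            summary["rows_with_truncated_hashes"] += 1
    return artifacts, summary


SAMPLE_ROWS = [
    # Rows 1-3: copied from the report, split columns rejoined.
    r"C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8W72H2L\NoConnect[1] "
    "Type : PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced MD5 : 3cb8faccd5de434d415ab75c17e8fd86 "
    "SHA-1 : 098b04b7237860874db38b22830387937aeb5073 SHA-256 : 6976c426e3ac66d66303c114b22b2b41109a7de6… "
    "SHA-512 : e307d058de7d1168f0f0f5e51657091f956af310dc… Size : 8.23 Kilobytes.",
    r"C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Index.Dat "
    "Type : Internet Explorer cache file version Ver 5.2 MD5 : bd021ca160e34a92d03fdfe29c9e51f4 "
    "SHA-1 : d82fbba46d23371a360c023e02bd60631d7c3485 SHA-256 : b2c1ed38a8b472c191a5cefd9e9fdd9c1793067af… "
    "SHA-512 : e0263b195d9fa461003ff31cb080c1aa520b3b45f3… Size : 180.224 Kilobytes.",
    r"C:\Users\User\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\01B16CDBADE7DB774141D7E30D50EC69 "
    "Type : data MD5 : bc8a655160f5d3f509d086e4710751b2 SHA-1 : b614407308f6cc48d8dc319a310b06be9cb5049c "
    "SHA-256 : 3cfdde52916d4ab94fa5090d5500d3dac44a2c1b… SHA-512 : aa4df218cbc72d99a535a39a1825eb673d702d0f9… "
    "Size : 0.182 Kilobytes.",
    # Row 4: constructed, with dummy full-length digests, to show the 'review' branch.
    r"C:\Users\User\AppData\Roaming\example-constructed.bin "
    "Type : data MD5 : " + "0" * 32 + " SHA-1 : " + "1" * 40 + " SHA-256 : " + "2" * 64
    + " SHA-512 : " + "3" * 128 + " Size : 1.024 Kilobytes.",
]

if __name__ == "__main__":
    arts, summ = triage(SAMPLE_ROWS)
    for a in arts:
        print(f"{a.category:20} {a.size_bytes:>7} B  iocs={sorted(a.usable_iocs)}  "
              f"truncated={a.truncated}  {a.path}")
    print(summ)
```

Only `usable_iocs` should be fed to a blocklist or retro-hunt; for the three report rows that means MD5 and SHA-1 only, and the `review` category is the short list a human actually needs to look at.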
MATCH YARA RULES
MATCH RULES
STATIC FILE INFO
File Name: None
File Type: HTML document, ASCII text, with very long lines
SHA1: e8f8b51272397f871c898e27bfbb9f116859e587
MD5: d8e675bb7b20604752d98161331c2d59
First Seen Date: 2018-11-29 09:40:18.081607 ( 3 months ago )
Number Of Clients Seen: 1
Last Analysis Date: 2018-11-29 09:40:18.081607 ( 3 months ago )
Human Expert Analysis Result: No human expert analysis verdict given to this sample yet.
DETAILED FILE INFO
ADDITIONAL FILE INFORMATION
PE Headers (the sample is text/html and has no PE header; the values below are the report's generic file properties)
PROPERTY            VALUE
Magic Literal Enum  14
File Type Enum      1
File Size           63023 (bytes)
Sha256              d73cf31aad4429e9030c7edb15713ac3f4bd5c7c41f25927bb1f15c96d1ec06e
Mime Type           text/html
The Sha256 here is the full SHA-256 of the sample itself, which the summary and static-info sections identify only by SHA-1 e8f8b51272397f871c898e27bfbb9f116859e587 and MD5 d8e675bb7b20604752d98161331c2d59; it is the value to use for matching, since the dropped-file table truncates its SHA-256 digests.
CERTIFICATE VALIDATION
- Certificate Validation is not Applicable (the sample is an HTML document, not an Authenticode-signable PE binary)
SCREENSHOTS