BC8EE8D09234D99DD8B85A99E46C64
This report was generated from a file or URL submitted to this web service on November 25th 2017 09:30:17 (UTC), using the action script "Default browser analysis".
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v7.20 © Hybrid Analysis
Incident Response
Risk Assessment
- Evasive
  - Possibly checks for the presence of an Antivirus engine
  - References security related windows services
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 4
-
External Systems
-
Sample was identified as malicious by a trusted Antivirus engine
- details
- No specific details available
- source
- External System
- relevance
- 5/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 3/59 Antivirus vendors marked sample as malicious (5% detection rate)
- source
- External System
- relevance
- 8/10
-
System Security
-
References security related windows services
- details
- "windefendercache" (Indicator: "windefend")
- source
- File/Memory
- relevance
- 7/10
-
Unusual Characteristics
-
References suspicious system modules
- details
- "ntoskrnl.exe"
- source
- File/Memory
- relevance
- 5/10
-
Suspicious Indicators 6
-
Anti-Detection/Stealthiness
-
Possibly checks for the presence of an Antivirus engine
- details
-
"kaspersky_avc" (Indicator: "kaspersky")
"ikarus_vdb" (Indicator: "ikarus")
"symantec_vdb" (Indicator: "symantec")
"avast_test" (Indicator: "avast")
"avastarlog" (Indicator: "avast")
"Activeris AntiMalware" (Indicator: "antimalware")
"Symantec_File" (Indicator: "symantec")
- source
- File/Memory
- relevance
- 3/10
-
Anti-Reverse Engineering
-
Possibly checks for known debuggers/analysis tools
- details
-
"FilemonClass" (Indicator: "filemonclass")
"PROCMON_WINDOW_CLASS" (Indicator: "procmon_window_class")
"gbdylloitna" (Indicator: "gbdyllo")
"gbdyllOrevseD" (Indicator: "gbdyllo")
"ndle';6=API-MS-WIN,MS-WIN,MICROSOFT-WINDOWS-SYSTEM,KERNELBASE,MSDART;7=15;12=002,002;13=<>c__DisplayClass55,<Initialize>b__8,ActivityChangedEventArgs,CallerFilePathAttribute,CallerLineNumberAttribute,ContentUpdating,GetStorages,InfiniteTimeSpan,IteratorStateMachineAttribute,OnSucceeded,OriginUrl,QuinticEase,;13=RetryHelper,RuleState,SHGSI,SetQueries,SignatureMismatch,StringParam1,StringParam3,TryOpenExisting,_CardCode,_namespaceString,_reportLevel,addedList,contentIds,controlA,controlB,get_IsLocalConnection,;13=get_SiblingCount,get_SupportsAttributes,get_XButton1,set_BranchType,set_CompletionFilter,terminationReason,;14=get_XButton,StringParam,;" (Indicator: "ntice")
- source
- File/Memory
- relevance
- 2/10
-
Environment Awareness
-
Possibly tries to implement anti-virtualization techniques
- details
-
"VirtualBox disk Image" (Indicator: "virtualbox")
"VirtualBox SavedState" (Indicator: "virtualbox")
"Hyper-V virtual hard disk" (Indicator: "hyper-v")
- source
- File/Memory
- relevance
- 4/10
-
Possibly tries to implement anti-virtualization techniques using MAC address detection
- details
- "000,000,833D--------00558BEC565775656800010000E8------0083C4048B7508A3--------85F6741D68FF0000005056FF15--------85C0740CC705;000,000,833D--------00558BEC5657756B6800010000E8------0083C4048B7508A3--------85F67423837D0C03771D68FF0000005056FF15--------85C0740CC705;" (Indicator: "005056")
- source
- File/Memory
- relevance
- 10/10
-
External Systems
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 1/64 reputation engines marked "http://www.godevtool.com" as malicious (1% detection rate)
- source
- External System
- relevance
- 10/10
-
Network Related
-
Found potential IP address in binary/memory
- details
-
Heuristic match: ".JPG.PIF 205.196.122.99/"
"127.0.0.1"
- source
- File/Memory
- relevance
- 3/10
-
Informative 21
-
Environment Awareness
-
Reads the registry for installed applications
- details
-
"iexplore.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IEXPLORE.EXE")
"iexplore.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IEXPLORE.EXE")
"iexplore.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\OUTLOOK.EXE")
"iexplore.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\OUTLOOK.EXE"; Key: "PATH"; Value: "00000000010000005800000043003A005C00500072006F006700720061006D002000460069006C00650073005C004D006900630072006F0073006F006600740020004F00660066006900630065005C004F0066006600690063006500310034005C000000")
- source
- Registry Access
- relevance
- 10/10
-
Reads the windows installation date
- details
- "iexplore.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION"; Key: "INSTALLDATE")
- source
- Registry Access
- relevance
- 10/10
-
General
-
Accesses Software Policy Settings
- details
-
"iexplore.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"iexplore.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"iexplore.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"iexplore.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"iexplore.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"iexplore.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"iexplore.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"iexplore.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"iexplore.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"iexplore.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"iexplore.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"iexplore.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"iexplore.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"iexplore.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"iexplore.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"iexplore.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"iexplore.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"iexplore.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"iexplore.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"iexplore.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
- source
- Registry Access
- relevance
- 10/10
-
Accesses System Certificates Settings
- details
-
"iexplore.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"iexplore.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"iexplore.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"iexplore.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"iexplore.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
"iexplore.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"iexplore.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"iexplore.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"iexplore.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"iexplore.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"iexplore.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
"iexplore.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
"iexplore.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
"iexplore.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"iexplore.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
"iexplore.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"iexplore.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
- source
- Registry Access
- relevance
- 10/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\IESQMMUTEX_0_191"
"IESQMMUTEX_0_191"
"ConnHashTable<3136>_HashTable_Mutex"
"Local\c:!users!%OSUSER%!appdata!local!microsoft!windows!history!history.ie5!"
"Local\Feeds Store Mutex S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\ZonesCacheCounterMutex"
"Local\WininetConnectionMutex"
"Local\ZoneAttributeCacheCounterMutex"
"Local\c:!users!%OSUSER%!appdata!roaming!microsoft!windows!ietldcache!"
"Local\ZonesCounterMutex"
"Local\Feed Arbitration Shared Memory Mutex [ User : S-1-5-21-4162757579-3804539371-4239455898-1000 ]"
"RasPbFile"
"Local\c:!users!%OSUSER%!appdata!roaming!microsoft!windows!cookies!"
"Local\ZonesLockedCacheCounterMutex"
"Local\!BrowserEmulation!SharedMemory!Mutex"
"IESQMMUTEX_0_208"
"Local\RSS Eventing Connection Database Mutex 00000c40"
"Local\Feed Eventing Shared Memory Mutex S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\!IETld!Mutex"
"Local\WininetStartupMutex"
- source
- Created Mutant
- relevance
- 3/10
-
Launches a browser
- details
- Launches browser "iexplore.exe"
- source
- Monitored Target
- relevance
- 3/10
-
Opened the service control manager
- details
-
"iexplore.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
"iexplore.exe" called "OpenSCManager" requesting access rights "0XE0000000L"
- source
- API Call
- relevance
- 10/10
-
Reads Windows Trust Settings
- details
- "iexplore.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
-
Requested access to a system service
- details
-
"iexplore.exe" called "OpenService" to access the "ServicesActive" service requesting "SERVICE_QUERY_CONFIG" (0X1) access rights
"iexplore.exe" called "OpenService" to access the "WSearch" service
"iexplore.exe" called "OpenService" to access the "CryptSvc" service
"iexplore.exe" called "OpenService" to access the "cryptsvc" service
"iexplore.exe" called "OpenService" to access the "" service
"iexplore.exe" called "OpenService" to access the "ServicesActive" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
"iexplore.exe" called "OpenService" to access the "gpsvc" service
"iexplore.exe" called "OpenService" to access the "WinHttpAutoProxySvc" service
"iexplore.exe" called "OpenService" to access the "rasman" service
"iexplore.exe" called "OpenService" to access the "RASMAN" service
"iexplore.exe" called "OpenService" to access the "Sens" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
- source
- API Call
- relevance
- 10/10
-
Scanning for window names
- details
-
"iexplore.exe" searching for class "Static"
"iexplore.exe" searching for class "IEFrame"
"iexplore.exe" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10
-
Sent a control code to a service
- details
-
"iexplore.exe" called "ControlService" and sent control code "0X24" to the service "WSearch"
"iexplore.exe" called "ControlService" and sent control code "0XDC" to the service "WSearch"
"iexplore.exe" called "ControlService" and sent control code "0X400" to the service "CryptSvc"
"iexplore.exe" called "ControlService" and sent control code "0X24" to the service "cryptsvc"
"iexplore.exe" called "ControlService" and sent control code "0X24" to the service "gpsvc"
"iexplore.exe" called "ControlService" and sent control code "0XFC" to the service "gpsvc"
- source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
- Spawned process "iexplore.exe" with commandline "SCODEF:3136 CREDAT:79873"
- source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistence
-
Creates new processes
- details
- "iexplore.exe" is creating a new process (Name: "%PROGRAMFILES%\Internet Explorer\iexplore.exe", Handle: 772)
- source
- API Call
- relevance
- 8/10
-
Dropped files
- details
-
"Cab8D2B.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
"RecoveryStore.{91BA4BDF-B50F-11E4-ADE1-0800270E0C5C}.dat" has type "Composite Document File V2 Document Cannot read section info"
"Tar8D2C.tmp" has type "data"
"JavaDeployReg.log" has type "ASCII text with CRLF line terminators"
"6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" has type "data"
"search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" has type "PNG image data 16 x 16 8-bit/color RGBA non-interlaced"
"favicon[1].ico" has type "PNG image data 16 x 16 8-bit/color RGBA non-interlaced"
"{726D9684-D206-11E7-989D-0A00278A626A}.dat" has type "Composite Document File V2 Document Cannot read section info"
"favicon[2].ico" has type "PNG image data 16 x 16 8-bit/color RGBA non-interlaced"
"{7FBBE3B0-D208-11E7-989D-0A00278A626A}.dat" has type "Composite Document File V2 Document Cannot read short stream"
"50D6B15D9F2DCE1EDBB0C098625FBE47_281AC807DE0FEF15F2CA9911FE760A9B" has type "data"
"RecoveryStore.{726D9683-D206-11E7-989D-0A00278A626A}.dat" has type "Composite Document File V2 Document Cannot read section info"
"Kno6240.tmp" has type "XML 1.0 document ASCII text with CRLF line terminators"
"known_providers_download_v1[2].xml" has type "XML 1.0 document ASCII text with CRLF line terminators"
- source
- Binary File
- relevance
- 3/10
-
Found a string that may be used as part of an injection method
- details
- "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source
- File/Memory
- relevance
- 4/10
-
Network Related
-
Found potential URL in binary/memory
- details
- [list of heuristic and pattern URL matches not reproduced]
- source
- File/Memory
- relevance
- 10/10
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
- "=PAYPAL">SIGN UP</A>" (Indicator: "paypal")
- source
- File/Memory
- relevance
- 7/10
-
System Security
-
Hooks API calls
- details
-
"DialogBoxParamW@USER32.DLL" in "iexplore.exe"
"PageSetupDlgW@COMDLG32.DLL" in "iexplore.exe"
"MessageBoxIndirectW@USER32.DLL" in "iexplore.exe"
"MessageBoxExA@USER32.DLL" in "iexplore.exe"
"DialogBoxIndirectParamA@USER32.DLL" in "iexplore.exe"
"PropertySheetW@COMCTL32.DLL" in "iexplore.exe"
"MessageBoxExW@USER32.DLL" in "iexplore.exe"
"MessageBoxIndirectA@USER32.DLL" in "iexplore.exe"
"DialogBoxParamA@USER32.DLL" in "iexplore.exe"
"PropertySheet@COMCTL32.DLL" in "iexplore.exe"
"CreateWindowExW@USER32.DLL" in "iexplore.exe"
"OleCreatePropertyFrameIndirect@OLEAUT32.DLL" in "iexplore.exe"
"DialogBoxIndirectParamW@USER32.DLL" in "iexplore.exe"
- source
- Hook Detection
- relevance
- 10/10
-
Queries sensitive IE security settings
- details
- "iexplore.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
-
Unusual Characteristics
-
Drops cabinet archive files
- details
- "Cab8D2B.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
- source
- Binary File
- relevance
- 10/10
-
Installs hooks/patches the running process
- details
-
"iexplore.exe" wrote bytes "e9b943f2f8" to virtual address "0x75523B9B" ("DialogBoxParamW@USER32.DLL")
"iexplore.exe" wrote bytes "c4ca367580bb3675aa6e37759fbb367508bb367546ce367561383775de2f3775d0d9367500000000177975754f9175757f6f7575f4f7757511f77575f2837575857e757500000000" to virtual address "0x6A481000" (part of module "MSIMG32.DLL")
"iexplore.exe" wrote bytes "7739eb7679a8ef76be72ef76d62def761de2ea7605a2ef76c868ee7657d1f576bee3ea76616fef766841ed760050ed7600000000ad3709778b2d0977b641097700000000" to virtual address "0x74A21000" (part of module "WSHIP6.DLL")
"iexplore.exe" wrote bytes "e99ac3c9f8" to virtual address "0x759B2694" ("PageSetupDlgW@COMDLG32.DLL")
"iexplore.exe" wrote bytes "e937f20ef9" to virtual address "0x7555E963" ("MessageBoxIndirectW@USER32.DLL")
"iexplore.exe" wrote bytes "92e6ea7679a8ef76be72ef76d62def761de2ea7605a2ef76bee3ea76616fef766841ed760050ed7600000000ad3709778b2d0977b641097700000000" to virtual address "0x744F1000" (part of module "WSHTCPIP.DLL")
"iexplore.exe" wrote bytes "e96ff10ef9" to virtual address "0x7555E9C9" ("MessageBoxExA@USER32.DLL")
"iexplore.exe" wrote bytes "e9c20a10f9" to virtual address "0x7554D274" ("DialogBoxIndirectParamA@USER32.DLL")
"iexplore.exe" wrote bytes "e9efb971fa" to virtual address "0x73F3388E" ("PropertySheetW@COMCTL32.DLL")
"iexplore.exe" wrote bytes "e9e9f00ef9" to virtual address "0x7555E9ED" ("MessageBoxExW@USER32.DLL")
"iexplore.exe" wrote bytes "e99cf30ef9" to virtual address "0x7555E869" ("MessageBoxIndirectA@USER32.DLL")
"iexplore.exe" wrote bytes "e92e0d10f9" to virtual address "0x7554CF42" ("DialogBoxParamA@USER32.DLL")
"iexplore.exe" wrote bytes "e9fc7967fa" to virtual address "0x73FD7922" ("PropertySheet@COMCTL32.DLL")
"iexplore.exe" wrote bytes "4053ed765858ee76186aee76653cef760000000000bf36750000000056cc3675000000007cca36750000000037682a756a2cef76d62def760000000020692a750000000029a6367500000000a48d2a7500000000f70e367500000000" to virtual address "0x76FE1000" (part of module "NSI.DLL")
"iexplore.exe" wrote bytes "e9b34b00f9" to virtual address "0x7550EC7C" ("CreateWindowExW@USER32.DLL")
"iexplore.exe" wrote bytes "e93954fff8" to virtual address "0x756593FC" ("OleCreatePropertyFrameIndirect@OLEAUT32.DLL")
"iexplore.exe" wrote bytes "e954a111f9" to virtual address "0x75533B7F" ("DialogBoxIndirectParamW@USER32.DLL")
"iexplore.exe" wrote bytes "e9e89afcf8" to virtual address "0x7550E30C" (part of module "USER32.DLL")
"iexplore.exe" wrote bytes "e9b943f2f8" to virtual address "0x75523B9B" (part of module "USER32.DLL")
"iexplore.exe" wrote bytes "e9fda405f9" to virtual address "0x755F4731" (part of module "OLEAUT32.DLL")
- source
- Hook Detection
- relevance
- 10/10
File Details
BC8EE8D09234D99DD8B85A99E46C64
- Filename
- BC8EE8D09234D99DD8B85A99E46C64
- Size
- 135KiB (138529 bytes)
- Type
- html
- Description
- data
- Architecture
- WINDOWS
- SHA256
- 9b5f8749c530912f6c217c20bf2b37a562cfb8c204dd4154882eb248bfad147b
- MD5
- d5bb082380f74b2c07ffc4ebeb6d132c
- SHA1
- 6f83466d2905d8ad423c731d8a0f9d5d12b11928
Classification (TrID)
- 100.0% (.GPG) GNU Privacy Guard public keyring
Screenshots
Analysed 2 processes in total (System Resource Monitor).
- iexplore.exe -nohome (PID: 3136)
- iexplore.exe SCODEF:3136 CREDAT:79873 (PID: 3192)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 14 extracted file(s). The remaining 2 file(s) are available in the full version and XML/JSON reports.
-
Informative Selection 1
-
known_providers_download_v1[2].xml
- Size
- 88KiB (90518 bytes)
- Type
- text
- Description
- XML 1.0 document, ASCII text, with CRLF line terminators
- Runtime Process
- iexplore.exe (PID: 3136)
- MD5
- 002d5646771d31d1e7c57990cc020150
- SHA1
- a28ec731f9106c252f313cca349a68ef94ee3de9
- SHA256
- 1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f
-
Informative 13
-
RecoveryStore.{726D9683-D206-11E7-989D-0A00278A626A}.dat
- Size
- 5KiB (5120 bytes)
- Type
- text
- Description
- Composite Document File V2 Document, Cannot read section info
- Runtime Process
- iexplore.exe (PID: 3136)
- MD5
- c0949cb2cb68ca5f782dcd9604be9bec
- SHA1
- 5993c3265ae057c66400e4a50e1b5095c12a5340
- SHA256
- 8f21bf831243a4649a093c980e1f836b2b9bf33a6895d3d7c9f9867296abc140
-
{726D9684-D206-11E7-989D-0A00278A626A}.dat
- Size
- 5KiB (5120 bytes)
- Type
- text
- Description
- Composite Document File V2 Document, Cannot read section info
- Runtime Process
- iexplore.exe (PID: 3136)
- MD5
- ef4dea196c3f715d8c9253d96ff0a2b4
- SHA1
- 44a1cab5c9dbd5ee90bb92b00bc671df37b2619b
- SHA256
- c5daf45090b06514644b371d929b2497f000cb0d4e5df1ee18053e1bcd8ba8e2
-
RecoveryStore.{91BA4BDF-B50F-11E4-ADE1-0800270E0C5C}.dat
- Size
- 4.5KiB (4608 bytes)
- Type
- text
- Description
- Composite Document File V2 Document, Cannot read section info
- Runtime Process
- iexplore.exe (PID: 3136)
- MD5
- 8c33e7d609eb46c5b4a154bc2d5b53d1
- SHA1
- 7244be375e9ea9f86556cc1a511f0a84a2b1dd25
- SHA256
- 32f23e5a214cb842c0c6b325c1dac70c23deb6d218190c6ac4d5a1086cab1dc7
-
{7FBBE3B0-D208-11E7-989D-0A00278A626A}.dat
- Size
- 4.5KiB (4612 bytes)
- Type
- text
- Description
- Composite Document File V2 Document, Cannot read short stream
- Runtime Process
- iexplore.exe (PID: 3136)
- MD5
- c97f564680379221f1b2bb99d7320fd3
- SHA1
- e5ac5674ac5b1740eef079ea1deb1684aeb6a769
- SHA256
- f0feeef02c5e6ee4c55fb9004498cd7b1bc824a285e728c3b482312d6f881225
-
favicon[1].ico
- Size
- 300B (300 bytes)
- Type
- img image
- Description
- PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
- Runtime Process
- iexplore.exe (PID: 3136)
- MD5
- 5b188904e3bc002102653489e7ac4a4a
- SHA1
- 96607ba47296757df3a005614947a5e83ba8683d
- SHA256
- 507c647828e8b817e23d90c7be73b3105c32b9900147d0647b35046a32be1016
-
favicon[2].ico
- Size
- 300B (300 bytes)
- Type
- img image
- Description
- PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
- Runtime Process
- iexplore.exe (PID: 3136)
- MD5
- 5b188904e3bc002102653489e7ac4a4a
- SHA1
- 96607ba47296757df3a005614947a5e83ba8683d
- SHA256
- 507c647828e8b817e23d90c7be73b3105c32b9900147d0647b35046a32be1016
-
50D6B15D9F2DCE1EDBB0C098625FBE47_281AC807DE0FEF15F2CA9911FE760A9B
- Size
- 486B (486 bytes)
- Type
- data
- Runtime Process
- iexplore.exe (PID: 3136)
- MD5
- 68140f72f471390c7626166075dda3bf
- SHA1
- af875efb16b057203d3cea10ce6579a9aa9e0e85
- SHA256
- 588d3b8de534f549250073c68ede9d13fd7ca8c39daa793da516b2cbd5215d16
-
6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04
- Size
- 471B (471 bytes)
- Type
- data
- Runtime Process
- iexplore.exe (PID: 3136)
- MD5
- b556cda9cb7dd3505eff20407fe6afaa
- SHA1
- 9ff906cbeb2c5bfd8cc9c18dff827536e438c579
- SHA256
- 039491a2993edf894daa4d7206b8daaddd1a4bf61ef5e5e65ceb0b0212ba8d81
-
search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
- Size
- 300B (300 bytes)
- Type
- img image
- Description
- PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
- Runtime Process
- iexplore.exe (PID: 3136)
- MD5
- 5b188904e3bc002102653489e7ac4a4a
- SHA1
- 96607ba47296757df3a005614947a5e83ba8683d
- SHA256
- 507c647828e8b817e23d90c7be73b3105c32b9900147d0647b35046a32be1016
-
Cab8D2B.tmp
- Size
- 50KiB (50939 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 50939 bytes, 1 file
- Runtime Process
- iexplore.exe (PID: 3136)
- MD5
- 41f958d2d3e9ed4504b6a8863fd72b49
- SHA1
- f6d380b256b0e66ef347adc78195fd0f228b3e33
- SHA256
- c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8
-
JavaDeployReg.log
- Size
- 6.4KiB (6523 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- iexplore.exe (PID: 3192)
- MD5
- 03832ccfb86d1538a2720dfba8644627
- SHA1
- 01fa7ba5efe17ac28252ba2729e40f676c8f1678
- SHA256
- ef752eb0858bed94ddc807bd33cc4deddc2808223d08b4c7e094daf139235b55
-
Kno6240.tmp
- Size
- 88KiB (90518 bytes)
- Type
- text
- Description
- XML 1.0 document, ASCII text, with CRLF line terminators
- Runtime Process
- iexplore.exe (PID: 3136)
- MD5
- 002d5646771d31d1e7c57990cc020150
- SHA1
- a28ec731f9106c252f313cca349a68ef94ee3de9
- SHA256
- 1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f
-
Tar8D2C.tmp
- Size
- 118KiB (120573 bytes)
- Type
- data
- Runtime Process
- iexplore.exe (PID: 3136)
- MD5
- 179d2951034116b184198e0bf26daa47
- SHA1
- b76bf79e7fa15491075c3bd9ec569e1c8540174b
- SHA256
- 7e58975a4e1e86940f84e744709426939b85ae174dbbf020da3c893a54fd1da2
-
Notifications
-
Runtime
- A process crash was detected during the runtime analysis
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all file accesses are visible for iexplore.exe (PID: 3192)
- Not all sources for signature ID "hooks-8" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "registry-18" are available in the report
- Not all sources for signature ID "string-24" are available in the report
- Not all sources for signature ID "string-43" are available in the report