Analysis

Category FILE
Package exe
Started 2025-06-13 10:17:58
Completed 2025-06-13 10:48:42
Duration 1844 seconds

Options
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1

Analysis Log
2024-11-25 13:37:14,975 [root] INFO: Date set to: 20250613T09:49:06, timeout set to: 1800
2025-06-13 10:49:06,723 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad
2025-06-13 10:49:06,739 [root] DEBUG: Storing results at: C:\ugjpRu
2025-06-13 10:49:06,739 [root] DEBUG: Pipe server name: \\.\PIPE\IprPMTCJ
2025-06-13 10:49:06,739 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-13 10:49:06,739 [root] INFO: analysis running as an admin
2025-06-13 10:49:06,739 [root] INFO: analysis package specified: "exe"
2025-06-13 10:49:06,739 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-13 10:49:07,176 [root] DEBUG: imported analysis package "exe"
2025-06-13 10:49:07,176 [root] DEBUG: initializing analysis package "exe"...
2025-06-13 10:49:07,176 [lib.common.common] INFO: wrapping
2025-06-13 10:49:07,176 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-13 10:49:07,192 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\ie4uinit.exe
2025-06-13 10:49:07,192 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-13 10:49:07,192 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-13 10:49:07,192 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-13 10:49:07,192 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-13 10:49:07,395 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-13 10:49:07,489 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-13 10:49:07,504 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-13 10:49:07,536 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-13 10:49:07,536 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-13 10:49:07,536 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-13 10:49:07,536 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-13 10:49:07,551 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-13 10:49:07,551 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-13 10:49:07,551 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-13 10:49:07,551 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-13 10:49:07,551 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-13 10:49:07,551 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-13 10:49:07,551 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-13 10:49:07,551 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-13 10:49:07,551 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-13 10:49:07,551 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-13 10:49:07,551 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-13 10:49:07,692 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-13 10:49:07,692 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-13 10:49:07,707 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-13 10:49:07,707 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-13 10:49:07,707 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-13 10:49:07,707 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-13 10:49:07,707 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-13 10:49:07,707 [modules.auxiliary.disguise] INFO: Disguising GUID to 40e3f50e-e3ad-428d-ac6c-32516ae967dc
2025-06-13 10:49:07,707 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-13 10:49:07,707 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-13 10:49:07,707 [root] DEBUG: attempting to configure 'Human' from data
2025-06-13 10:49:07,707 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-13 10:49:07,707 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-13 10:49:07,707 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-13 10:49:07,707 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-13 10:49:07,707 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-13 10:49:07,707 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-13 10:49:07,707 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-13 10:49:07,707 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-13 10:49:07,707 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-13 10:49:07,707 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-13 10:49:07,707 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-13 10:49:07,707 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-13 10:49:07,707 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-13 10:49:07,707 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-13 10:49:07,739 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini
2025-06-13 10:49:07,739 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-13 10:49:07,739 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-13 10:49:07,739 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-13 10:49:07,739 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-13 10:49:07,739 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-13 10:49:07,739 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-13 10:49:07,739 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\OfUZSPk.dll, loader C:\tmpjeo7jmad\bin\pLbotWiq.exe
2025-06-13 10:49:07,817 [root] DEBUG: Loader: IAT patching disabled.
2025-06-13 10:49:07,817 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\OfUZSPk.dll.
2025-06-13 10:49:07,833 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-13 10:49:07,833 [root] INFO: Disabling sleep skipping.
2025-06-13 10:49:07,833 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-13 10:49:07,848 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-13 10:49:07,848 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-13 10:49:07,848 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-13 10:49:07,848 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-13 10:49:07,848 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-13 10:49:07,864 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-13 10:49:07,864 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-13 10:49:07,864 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF824890000, thread 5468, image base 0x00007FF60D500000, stack from 0x0000008EFACF4000-0x0000008EFAD00000
2025-06-13 10:49:07,864 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-13 10:49:07,879 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-13 10:49:07,879 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-13 10:49:07,879 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\OfUZSPk.dll.
2025-06-13 10:49:07,879 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-13 10:49:07,879 [root] D <truncated>
Machine

Name win10-2
Label win10-2
Manager KVM
Started On 2025-06-13 10:17:58
Shutdown On 2025-06-13 10:48:22
Route none

File Details

File Name ie4uinit.exe
File Type PE32+ executable (GUI) x86-64, for MS Windows
File Size 228352 bytes
MD5 14ae2476f5b2d8c262c4019a63a3660f
SHA1 3de3781c2736ce247024ddc027003c0470857dc3
SHA256 a59282984c23991a66cbbd6f654b979180a2e24a73b7be0929f6494180a4feb8
SHA3-384 09667df6a64daca2ea68b46d80bbf479a44a814252241c791da097b839846f0b3b3aa9596c7644bb486940ce58800258
CRC32 399DC7B1
TLSH T181241A4623F818E9EE76963DCAA78606E6B37C112721C6CF0270464D5F37AE5BD39312
Ssdeep 6144:JwQdvOs1CSMUNp9mshYiO3OQAjxvUQA/KQyc5hgU:Jw+vZ1Vp9NO6jSQA/E
IEXPLORE.EXE
.tls$
NoSubscriptionPasswords
L$HL+
SpecifyDefaultButtons
sessionID
.xdata
InternetCloseHandle
.gfids
CryptDestroyHash
TelemetryPermission-DefaultLevel
https://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR
ExecuteCabW
D8d$0uIH
D9ePA
NoAddingChannels
%hs(%d)\%hs!%p:
Simplified Arabic Fixed
IE4UINIT.EXE
Unable to get exit code. Error: 0x%1!08lx!
@.didat
msn.cn
GetModuleHandleExW
_cexit
ie4uinit.pdb
GetLocalTime
x09t$ht*
|$0E3
L$hE;
FORM=IESR4S
t$ WATAUAVAWH
GetLastError
@USVWATAUAVAWH
UWAWH
_commode
D$8L!D$0
Accessories\Internet Explorer
LogHr
FORM=IESR02
_amsg_exit
SHSetValueW
t$@H9q(tuH
SIGNUP
A_A]A\_]
?terminate@@YAXXZ
CommandLineToArgvW
FORM=IEMAE2
\\?\UNC\
Command Result: 0x%1!08lx!
H!|$(H
U@H!}@H
searchscope
pA_A^A]A\_^]
t39.r&D
<f12ua category="desktop" name="Internet Explorer 11">Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko</f12ua>
@A^^]
<?xml version="1.0" encoding="utf-8" ?>
-reinstall
A_A^A]A\]
A_A^A]_]
v&=tM
tef91t`A
GetSystemInfo
\StringFileInfo\040904E4\%s
CopySid
Software\microsoft\Internet Explorer\Main
_wfopen_s
`.rdata
NoInstrumentation
D$@H;
RegQueryInfoKeyW
NoTheaterMode
FORM=IEMSD1
RegCloseKey
pickerhost.exe
fD97u
0A_A^A\_]
SHCreateDirectoryExW
fA9,\u
https://suggest.yandex.ru/suggest-ff.cgi?srv=ie11&part={searchTerms}&clid=2233627
_vsnwprintf_s
microsoftedgedevtools.exe

PE Information

Image Base 0x140000000
Entry Point 0x00024b90
Reported Checksum 0x00042405
Actual Checksum 0x00042405
Minimum OS Version 10.0
PDB Path ie4uinit.pdb
Compile Time 1994-12-23 03:34:16
Import Hash 3f4c1ed5e1307191d811b4ad62661a11

Version Infos

CompanyName Microsoft Corporation
FileDescription IE Per-User Initialization Utility
FileVersion 11.00.17763.1 (WinBuild.160101.0800)
InternalName IE4UINIT
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename IE4UINIT.EXE
ProductName Internet Explorer
ProductVersion 11.00.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0002497c 0x00024a00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.31
.rdata 0x00024e00 0x00026000 0x0000ea34 0x0000ec00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.64
.data 0x00033a00 0x00035000 0x00001260 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.16
.pdata 0x00034200 0x00037000 0x00001a1c 0x00001c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.13
.didat 0x00035e00 0x00039000 0x00000028 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.34
.rsrc 0x00036000 0x0003a000 0x00001560 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.26
.reloc 0x00037600 0x0003c000 0x000004e8 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 4.91

Name Offset Size Language Sub-language Entropy File type
MUI 0x0003b490 0x000000d0 LANG_ENGLISH SUBLANG_ENGLISH_US 2.70 None
RT_RCDATA 0x0003a8a0 0x00000bea LANG_ENGLISH SUBLANG_ENGLISH_US 5.43 None
RT_VERSION 0x0003a520 0x00000380 LANG_ENGLISH SUBLANG_ENGLISH_US 3.49 None
RT_MANIFEST 0x0003a140 0x000003db LANG_ENGLISH SUBLANG_ENGLISH_US 4.84 None

Imports

Name Address
RegQueryValueExW 0x140027530
RegEnumValueW 0x140027538
ConvertSidToStringSidW 0x140027540
EventUnregister 0x140027548
RegOpenKeyExW 0x140027550
FreeSid 0x140027558
RegSetValueExW 0x140027560
EventSetInformation 0x140027568
RegCreateKeyExW 0x140027570
EventRegister 0x140027578
RegCloseKey 0x140027580
RegSetValueW 0x140027588
RegOpenKeyW 0x140027590
RegDeleteValueW 0x140027598
RegCreateKeyW 0x1400275a0
RegEnumKeyExW 0x1400275a8
RegDeleteKeyW 0x1400275b0
RegQueryInfoKeyW 0x1400275b8
ConvertStringSecurityDescriptorToSecurityDescriptorW 0x1400275c0
CheckTokenMembership 0x1400275c8
GetTokenInformation 0x1400275d0
OpenThreadToken 0x1400275d8
CryptSetKeyParam 0x1400275e0
CryptDeriveKey 0x1400275e8
CryptGetKeyParam 0x1400275f0
CryptEncrypt 0x1400275f8
CryptDestroyKey 0x140027600
CryptVerifySignatureW 0x140027608
CryptSetHashParam 0x140027610
CryptGenRandom 0x140027618
CryptDestroyHash 0x140027620
CryptGetHashParam 0x140027628
CryptHashData 0x140027630
CryptCreateHash 0x140027638
CryptReleaseContext 0x140027640
CryptAcquireContextW 0x140027648
EventWriteEx 0x140027650
RegGetValueW 0x140027658
EventWriteTransfer 0x140027660
GetSecurityDescriptorSacl 0x140027668
GetAce 0x140027670
SetNamedSecurityInfoW 0x140027678
CopySid 0x140027680
GetNamedSecurityInfoW 0x140027688
ConvertStringSidToSidW 0x140027690
IsValidSid 0x140027698
OpenProcessToken 0x1400276a0
GetKernelObjectSecurity 0x1400276a8
AddAccessAllowedAceEx 0x1400276b0
GetLengthSid 0x1400276b8
Name Address
GetCurrentThread 0x140027778
OpenFileMappingW 0x140027780
GetSystemDirectoryW 0x140027788
GetEnvironmentVariableW 0x140027790
SetErrorMode 0x140027798
GetModuleFileNameW 0x1400277a0
HeapFree 0x1400277a8
GetExitCodeProcess 0x1400277b0
GetTempFileNameW 0x1400277b8
DuplicateHandle 0x1400277c0
GetTempPathW 0x1400277c8
CompareStringOrdinal 0x1400277d0
ExpandEnvironmentStringsW 0x1400277d8
GetStdHandle 0x1400277e0
GetLocalTime 0x1400277e8
CreateThread 0x1400277f0
SetEvent 0x1400277f8
FormatMessageW 0x140027800
CreateEventW 0x140027808
WaitForSingleObject 0x140027810
SetFilePointer 0x140027818
lstrcmpW 0x140027820
GetTickCount 0x140027828
DelayLoadFailureHook 0x140027830
ResolveDelayLoadedAPI 0x140027838
CreateFile2 0x140027840
RemoveDirectoryW 0x140027848
QueueUserWorkItem 0x140027850
QueryPerformanceFrequency 0x140027858
CreateProcessW 0x140027860
SetCurrentDirectoryW 0x140027868
GetCurrentDirectoryW 0x140027870
FlushViewOfFile 0x140027878
SystemTimeToFileTime 0x140027880
GetSystemTime 0x140027888
MapViewOfFile 0x140027890
CreateFileMappingW 0x140027898
FlushFileBuffers 0x1400278a0
SetEndOfFile 0x1400278a8
LCMapStringW 0x1400278b0
GetFullPathNameW 0x1400278b8
OpenMutexW 0x1400278c0
GetFileSizeEx 0x1400278c8
SetFileTime 0x1400278d0
UnmapViewOfFile 0x1400278d8
MultiByteToWideChar 0x1400278e0
CreateMutexW 0x1400278e8
LocaleNameToLCID 0x1400278f0
DeleteCriticalSection 0x1400278f8
LoadLibraryW 0x140027900
GetSystemInfo 0x140027908
GetSystemDefaultLocaleName 0x140027910
GetUserPreferredUILanguages 0x140027918
InitializeCriticalSection 0x140027920
LeaveCriticalSection 0x140027928
GetProductInfo 0x140027930
GetUserDefaultLocaleName 0x140027938
EnterCriticalSection 0x140027940
VirtualAlloc 0x140027948
GetFileAttributesW 0x140027950
IsDebuggerPresent 0x140027958
DebugBreak 0x140027960
CreateMutexExW 0x140027968
OpenSemaphoreW 0x140027970
WaitForSingleObjectEx 0x140027978
OutputDebugStringW 0x140027980
ReleaseMutex 0x140027988
LocalAlloc 0x140027990
GetModuleHandleExW 0x140027998
ReleaseSemaphore 0x1400279a0
SetLastError 0x1400279a8
CreateSemaphoreExW 0x1400279b0
GetModuleFileNameA 0x1400279b8
FindResourceW 0x1400279c0
LoadResource 0x1400279c8
CloseHandle 0x1400279d0
DeleteFileW 0x1400279d8
LockResource 0x1400279e0
GetVersionExA 0x1400279e8
SetFileAttributesW 0x1400279f0
GetVersionExW 0x1400279f8
CreateFileW 0x140027a00
FindClose 0x140027a08
GetShortPathNameW 0x140027a10
WriteFile 0x140027a18
GetCurrentProcess 0x140027a20
FindNextFileW 0x140027a28
SetPriorityClass 0x140027a30
FindFirstFileExW 0x140027a38
FindFirstFileW 0x140027a40
SizeofResource 0x140027a48
ReadFile 0x140027a50
LoadLibraryExW 0x140027a58
VerifyVersionInfoW 0x140027a60
FreeLibrary 0x140027a68
GetModuleHandleW 0x140027a70
GetProcessHeap 0x140027a78
VerSetConditionMask 0x140027a80
LocalFree 0x140027a88
GetProcAddress 0x140027a90
HeapAlloc 0x140027a98
HeapSetInformation 0x140027aa0
RaiseException 0x140027aa8
GetLastError 0x140027ab0
Sleep 0x140027ab8
GetStartupInfoW 0x140027ac0
UnhandledExceptionFilter 0x140027ac8
SetUnhandledExceptionFilter 0x140027ad0
TerminateProcess 0x140027ad8
ReleaseSRWLockExclusive 0x140027ae0
AcquireSRWLockExclusive 0x140027ae8
WakeAllConditionVariable 0x140027af0
SleepConditionVariableSRW 0x140027af8
QueryPerformanceCounter 0x140027b00
GetCurrentProcessId 0x140027b08
GetCurrentThreadId 0x140027b10
GetSystemTimeAsFileTime 0x140027b18
RaiseFailFastException 0x140027b20
InitOnceExecuteOnce 0x140027b28
IsWow64Process 0x140027b30
GetNativeSystemInfo 0x140027b38
WideCharToMultiByte 0x140027b40
Name Address
CharNextW 0x140027d70
GetMessageW 0x140027d78
PostThreadMessageW 0x140027d80
PostMessageW 0x140027d88
LoadStringW 0x140027d90
GetShellWindow 0x140027d98
SendMessageTimeoutW 0x140027da0
Name Address
isalnum 0x140027f98
strnlen 0x140027fa0
wcsnlen 0x140027fa8
wcsncpy_s 0x140027fb0
_vsnwprintf_s 0x140027fb8
rand_s 0x140027fc0
wcscat_s 0x140027fc8
wcscpy_s 0x140027fd0
wcsncmp 0x140027fd8
wcschr 0x140027fe0
_wtoi 0x140027fe8
_wcsicmp 0x140027ff0
sprintf_s 0x140027ff8
wcsrchr 0x140028000
swscanf_s 0x140028008
_wfopen_s 0x140028010
fclose 0x140028018
fgetws 0x140028020
_XcptFilter 0x140028028
_amsg_exit 0x140028030
__wgetmainargs 0x140028038
__set_app_type 0x140028040
exit 0x140028048
iswalpha 0x140028050
_wcsnicmp 0x140028058
_time64 0x140028060
memcpy_s 0x140028068
_vsnwprintf 0x140028070
_exit 0x140028078
_cexit 0x140028080
_CxxThrowException 0x140028088
memcmp 0x140028090
_ultow_s 0x140028098
__setusermatherr 0x1400280a0
_initterm 0x1400280a8
__C_specific_handler 0x1400280b0
?terminate@@YAXXZ 0x1400280b8
??1type_info@@UEAA@XZ 0x1400280c0
_onexit 0x1400280c8
__dllonexit 0x1400280d0
_unlock 0x1400280d8
_lock 0x1400280e0
_commode 0x1400280e8
_fmode 0x1400280f0
_wcmdln 0x1400280f8
memset 0x140028100
Name Address
CommandLineToArgvW 0x140027be0
SHGetKnownFolderPath 0x140027be8
SHChangeNotify 0x140027bf0
SHCreateItemFromParsingName 0x140027bf8
SHGetSpecialFolderLocation 0x140027c10
SHSetLocalizedName 0x140027c18
SHGetDesktopFolder 0x140027c28
SHGetFolderPathW 0x140027c30
SHCreateDirectoryExW 0x140027c38
SHGetSpecialFolderPathW 0x140027c40
Name Address
RtlLookupFunctionEntry 0x140028110
RtlVirtualUnwind 0x140028118
RtlCaptureContext 0x140028120
NtQueryLicenseValue 0x140028128
Name Address
ExecuteCabW 0x140027768
Name Address
StrTrimW 0x140027c50
StrCmpIW 0x140027c58
SHRegSetUSValueW 0x140027c60
StrCmpNIW 0x140027c68
SHCopyKeyW 0x140027c70
PathFileExistsW 0x140027c80
UrlCanonicalizeW 0x140027c88
PathIsURLW 0x140027c90
StrCmpNIA 0x140027c98
SHDeleteKeyW 0x140027ca0
PathRemoveBlanksW 0x140027cb0
PathFindFileNameW 0x140027cb8
PathRemoveExtensionW 0x140027cc0
SHGetValueW 0x140027cc8
SHSetValueW 0x140027cd0
SHDeleteValueW 0x140027cd8
SHRegGetUSValueW 0x140027ce0
SHRegDeleteUSValueW 0x140027ce8
StrStrW 0x140027cf0
StrCmpNA 0x140027d08
StrCmpNW 0x140027d10
UrlEscapeW 0x140027d18
UrlUnescapeW 0x140027d20
StrCmpW 0x140027d28
UrlCreateFromPathW 0x140027d40
UrlApplySchemeW 0x140027d48
PathIsNetworkPathW 0x140027d50
SHStrDupW 0x140027d58
StrStrIW 0x140027d60
Name Address
Name Address
VarBstrCmp 0x140027b78
VariantCopy 0x140027b80
SysAllocStringByteLen 0x140027b88
SysStringByteLen 0x140027b90
SysAllocStringLen 0x140027b98
SysStringLen 0x140027ba0
VariantInit 0x140027ba8
VariantClear 0x140027bb0
SysFreeString 0x140027bb8
VarBstrCat 0x140027bc0
SysAllocString 0x140027bc8
Name Address
CoTaskMemFree 0x140028138
OleInitialize 0x140028140
CoInitializeEx 0x140028148
PropVariantClear 0x140028150
CoTaskMemAlloc 0x140028158
CoCreateInstance 0x140028160
StringFromGUID2 0x140028168
OleUninitialize 0x140028170
CoUninitialize 0x140028178
CoCreateGuid 0x140028180
Name Address
BrandIEActiveSetup 0x140027e20
Name Address
CreateIUriBuilder 0x140028190
CreateUri 0x1400281a0
Name Address
InternetOpenW 0x140027dd0
InternetCloseHandle 0x140027dd8
HttpSendRequestW 0x140027de0
InternetCrackUrlW 0x140027de8
InternetCanonicalizeUrlW 0x140027df0
InternetReadFile 0x140027df8
HttpOpenRequestW 0x140027e00
InternetConnectW 0x140027e08
HttpQueryInfoW 0x140027e10
Name Address
NetGetJoinInformation 0x140027b60
NetApiBufferFree 0x140027b68
Name Address
GetFileVersionInfoExW 0x140027db0
VerQueryValueW 0x140027db8
GetFileVersionInfoSizeExW 0x140027dc0
Name Address


Usage


Processing ( 11.45 seconds )

  • 10.639 ProcessMemory
  • 0.775 CAPE
  • 0.028 AnalysisInfo
  • 0.008 BehaviorAnalysis
  • 0.001 Debug

Signatures ( 0.05 seconds )

  • 0.008 ransomware_files
  • 0.005 antianalysis_detectfile
  • 0.005 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_ftp
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 territorial_disputes_sigs
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 infostealer_bitcoin
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.01 seconds )

  • 0.005 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: ie4uinit.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Possible date expiration check, exits too soon after checking local time
process: ie4uinit.exe, PID 6612
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': '.didat', 'raw_address': '0x00035e00', 'virtual_address': '0x00039000', 'virtual_size': '0x00000028', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '0.34'}
Binary file triggered YARA rule
Binary triggered YARA rule: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 6612 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.