Analysis Report api-cdef.dll

Overview

General Information

Sample Name: api-cdef.dll
Analysis ID: 322815
MD5: 2d5b9149b114cadb78fe41559bed2a56
SHA1: b59feb76712bd0e1c771d1e6a3100092beb189fa
SHA256: 8e26f5aa9819577eae281dc6e0f91703e82a8eb63c68f12a48071c8193ecdd90

Detection

Gozi Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Gozi e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contains functionality to detect virtual machines
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found PHP interpreter
Found Tor onion address
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Sigma detected: Suspicious Svchost Process
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Writes to foreign memory regions
Abnormally high CPU usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to read device registry values (via SetupAPI)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries device information via Setup API
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: api-cdef.dll Avira: detected
Multi AV Scanner detection for submitted file
Source: api-cdef.dll Virustotal: Detection: 56%
Source: api-cdef.dll ReversingLabs: Detection: 74%
Machine Learning detection for sample
Source: api-cdef.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F2FCE HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_6E1F2FCE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F5E30 VirtualAlloc,SHGetFolderPathW,wcslen,memset,memcpy,memcpy,AddFontResourceExW,RemoveFontResourceExW,memset,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,AddFontResourceExW,RemoveFontResourceExW,DefWindowProcW,RegisterClassExW,memset,CreateWindowExW,DestroyWindow,SetParent,SetWindowLongW,GetWindowLongW,SetWindowLongW,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,AddFontResourceExW,EnterCriticalSection,GetWindowLongW,SetMenu, 1_2_6E1F5E30
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005B18B0 VirtualAlloc,wcslen,memset,memcpy,memcpy,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,memset,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,EnterCriticalSection, 8_2_005B18B0
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00598234 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose, 8_2_00598234
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00595ABC lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree, 8_2_00595ABC
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00595668 HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree, 8_2_00595668
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F2FCE HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 19_2_6E1F2FCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F5E30 VirtualAlloc,SHGetFolderPathW,wcslen,memset,memcpy,memcpy,AddFontResourceExW,RemoveFontResourceExW,memset,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,AddFontResourceExW,RemoveFontResourceExW,DefWindowProcW,RegisterClassExW,memset,CreateWindowExW,DestroyWindow,SetParent,SetWindowLongW,GetWindowLongW,SetWindowLongW,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,AddFontResourceExW,EnterCriticalSection,GetWindowLongW,SetMenu, 19_2_6E1F5E30
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000818B0 VirtualAlloc,wcslen,memset,memcpy,memcpy,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,memset,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,EnterCriticalSection, 31_2_000818B0
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00068234 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose, 31_2_00068234
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00065ABC lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree, 31_2_00065ABC
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00065668 HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree, 31_2_00065668
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0058932C wcscpy,GetLogicalDriveStringsW,HeapAlloc,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,HeapFree,HeapFree, 8_2_0058932C

Networking:

Found Tor onion address
Source: svchost.exe, 00000008.00000002.324561942.00000000005C0000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrLastTaskLastConfigCrHookOpHookExec.onion/TorClientTorCrc%s %s HTTP/1.1
Source: svchost.exe, 0000001F.00000002.434070223.0000000000090000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrLastTaskLastConfigCrHookOpHookExec.onion/TorClientTorCrc%s %s HTTP/1.1
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /license/3_0.txt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: www.php.net
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 87.248.118.23
Source: Joe Sandbox View IP Address: 151.101.1.44
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: de-ch[1].htm.4.dr String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: :2020112520201126: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365.net/hp-neu/sc/9b/e151e5.gif" /> <span>BUNTE.de</span> equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000009.00000000.307892520.000000000F6C0000.00000004.00000001.sdmp String found in binary or memory: :2020112520201126: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 3652 equals www.hotmail.com (Hotmail)
Source: msapplication.xml0.3.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x81fbef9f,0x01d6c3be</date><accdate>0x81fbef9f,0x01d6c3be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x81fbef9f,0x01d6c3be</date><accdate>0x81fbef9f,0x01d6c3be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x81fe51f2,0x01d6c3be</date><accdate>0x81fe51f2,0x01d6c3be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.3.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x81fe51f2,0x01d6c3be</date><accdate>0x81fe51f2,0x01d6c3be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x81fe51f2,0x01d6c3be</date><accdate>0x81fe51f2,0x01d6c3be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.3.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x81fe51f2,0x01d6c3be</date><accdate>0x8200b452,0x01d6c3be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.4.dr String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.4.dr String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: iexplore.exe, 00000004.00000003.289829979.00000000093C0000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, equals www.hotmail.com (Hotmail)
Source: iexplore.exe, 00000004.00000003.395712317.0000000012A10000.00000004.00000001.sdmp String found in binary or memory: lobal=false&datestamp=Wed+Nov+25+2020+22:36:17+GMT-0800+(Pacific+Standard+Time)&version=6.7.0&hosts=&consentId=61c06930-d67d-4f22-98c8-c12962fc125e&interactionCount=0&landingPath=https://www.msn.com/de-ch/?ocid=iehp&groups=C0001:1,C0002:0,C0003:0,C0004:0,STACK42:0isIABGlobal=false&datestamp=Wed+Nov+25+2020+22:36:17+GMT-0800+(Pacific+Standard+Time)&version=6.7.0&hosts=&consentId=61c06930-d67d-4f22-98c8-c12962fc125e&interactionCount=0&landingPath=https://www.msn.com/de-ch/?ocid=iehp&groups=C0001:1,C0002:0,C0003:0,C0004:0,STACK42:0isIABGlobal=false&datestamp=Wed+Nov+25+2020+22:36:17+GMT-0800+(Pacific+Standard+Time)&version=6.7.0&hosts=&consentId=61c06930-d67d-4f22-98c8-c12962fc125e&interactionCount=0&landingPath=https://www.msn.com/de-ch/?ocid=iehp&groups=C0001:1,C0002:0,C0003:0,C0004:0,STACK42:0isIABGlobal=false&datestamp=Wed+Nov+25+2020+22:36:17+GMT-0800+(Pacific+Standard+Time)&version=6.7.0&hosts=&consentId=61c06930-d67d-4f22-98c8-c12962fc125e&interactionCount=0&landingPath=https://www.msn.com/de-ch/?ocid=iehp&groups=C0001:1,C0002:0,C0003:0,C0004:0,STACK42:0isIABGlobal=false&datestamp=Wed+Nov+25+2020+22:36:17+GMT-0800+(Pacific+Standard+Time)&version=6.7.0&hosts=&consentId=61c06930-d67d-4f22-98c8-c12962fc125e&interactionCount=0&landingPath=https://www.msn.com/de-ch/?ocid=iehp&groups=C0001:1,C0002:0,C0003:0,C0004:0,STACK42:0isIABGlobal=false&datestamp=Wed+Nov+25+2020+22:36:17+GMT-0800+(Pacific+Standard+Time)&version=6.7.0&hosts=&consentId=61c06930-d67d-4f22-98c8-c12962fc125e&interactionCount=0&landingPath=https://www.msn.com/de-ch/?ocid=iehp&groups=C0001:1,C0002:0,C0003:0,C0004:0,STACK42:0isIABGlobal=false&datestamp=Wed+Nov+25+2020+22:36:17+GMT-0800+(Pacific+Standard+Time)&version=6.7.0&hosts=&consentId=61c06930-d67d-4f22-98c8-c12962fc125e&interactionCount=0&landingPath=https://www.msn.com/de-ch/?ocid=iehp&groups=C0001:1,C0002:0,C0003:0,C0004:0,STACK42:0isIABGlobal=false&datestamp=Wed+Nov+25+2020+22:36:17+GMT-0800+(Pacific+Standard+Time)&version=6.7.0&hosts=&consentId=61c06930-d67d-4f22-98c8-c12962fc125e&interactionCount=0&landingPath=https://www.msn.com/de-ch/?ocid=iehp&groups=C0001:1,C0002:0,C0003:0,C0004:0,STACK42:0hweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 3654 equals www.hotmail.com (Hotmail)
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: www.msn.com
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
Source: iexplore.exe, 00000004.00000003.291535405.00000000109BC000.00000004.00000001.sdmp, {ABD864DA-2FB1-11EB-90E4-ECF4BB862DED}.dat.3.dr String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: iexplore.exe, 00000004.00000003.330196973.0000000009462000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.341811091.0000000009C03000.00000004.00000001.sdmp String found in binary or memory: http://searchads.msn.net/Aktuelle_Hypothekenzinsen.cfm?&lgplp=jf75EJ%3AQJ778zy&ktr=1&&vi=16063401756
Source: iexplore.exe, 00000004.00000003.342378419.000000001080A000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.299265286.0000000009B44000.00000004.00000001.sdmp String found in binary or memory: http://searchads.msn.net/Testsieger_Matratzen_der_Stiftung_Warentest.cfm?&lgplp=jf75EJ%3AQJ778zy&ktr
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.icoo
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.325427344.000002D903688000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000016.00000003.438905962.000001FC1312F000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001A.00000003.444461031.0000027B354BE000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.436764873.000001F28A285000.00000004.00000001.sdmp String found in binary or memory: http://status.thawte.com0:
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000009.00000000.304953208.000000000E7C0000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000009.00000000.304953208.000000000E7C0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
Source: msapplication.xml.3.dr String found in binary or memory: http://www.amazon.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
Source: msapplication.xml1.3.dr String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.si/
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: msapplication.xml2.3.dr String found in binary or memory: http://www.live.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
Source: msapplication.xml3.3.dr String found in binary or memory: http://www.nytimes.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: iexplore.exe, 00000004.00000003.292033416.0000000009B68000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.325323817.000002D903650000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000016.00000003.438905962.000001FC1312F000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000017.00000003.440518691.00000177642D4000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000019.00000003.456496925.000001B066F16000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001A.00000003.444512684.0000027B3547E000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001B.00000003.365969300.0000026BA219C000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.436301314.000001F28A240000.00000004.00000001.sdmp String found in binary or memory: http://www.php.net
Source: iexplore.exe, 00000004.00000003.292033416.0000000009B68000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.325323817.000002D903650000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000016.00000003.438905962.000001FC1312F000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000019.00000003.456496925.000001B066F16000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001A.00000003.444512684.0000027B3547E000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001B.00000003.365969300.0000026BA219C000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.436301314.000001F28A240000.00000004.00000001.sdmp String found in binary or memory: http://www.php.net/
Source: iexplore.exe, 00000004.00000003.297146635.0000000009529000.00000004.00000001.sdmp String found in binary or memory: http://www.php.net/F
Source: iexplore.exe, 00000004.00000003.297146635.0000000009529000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.325254146.000002D90362E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000019.00000003.442116260.000001B0648AA000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001B.00000003.439568562.0000026BA21CA000.00000004.00000001.sdmp String found in binary or memory: http://www.php.net/license/3_0.txt
Source: iexplore.exe, 00000004.00000003.297742189.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: http://www.php.net/license/3_0.txtT
Source: iexplore.exe, 00000004.00000003.297146635.0000000009529000.00000004.00000001.sdmp String found in binary or memory: http://www.php.net/license/3_0.txte
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: msapplication.xml5.3.dr String found in binary or memory: http://www.twitter.com/
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: msapplication.xml6.3.dr String found in binary or memory: http://www.wikipedia.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: msapplication.xml7.3.dr String found in binary or memory: http://www.youtube.com/
Source: iexplore.exe, 00000004.00000003.292033416.0000000009B68000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.325323817.000002D903650000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000016.00000003.438905962.000001FC1312F000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000017.00000003.440518691.00000177642D4000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000019.00000003.456496925.000001B066F16000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001A.00000003.444512684.0000027B3547E000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001B.00000003.365969300.0000026BA219C000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.436301314.000001F28A240000.00000004.00000001.sdmp String found in binary or memory: http://www.zend.com
Source: explorer.exe, 00000009.00000000.300661298.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 00000009.00000000.305196309.000000000E8B3000.00000002.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.290584857.000000000628C000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://amzn.to/2TTxhNg
Source: iexplore.exe, 00000004.00000003.299337875.0000000009B6E000.00000004.00000001.sdmp String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendatioL
Source: auction[1].htm.4.dr String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&amp;ap
Source: iexplore.exe, 00000004.00000003.291898968.0000000010819000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.323867161.000000001080A000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.319078932.000000001082E000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.342440582.0000000010831000.00000004.00000001.sdmp String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&app.ap
Source: iab2Data[1].json.4.dr String found in binary or memory: https://bealion.com/politica-de-cookies
Source: iexplore.exe, 00000004.00000003.292172407.000000000945A000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.308792223.000000001080A000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.299337875.0000000009B6E000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.342440582.0000000010831000.00000004.00000001.sdmp, auction[1].htm.4.dr String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&amp;es=ZSoKBJAGIS9znv53GGqtBHT.e7RqhcLi9oPkKos96o16hbBa
Source: iexplore.exe, 00000004.00000003.308792223.000000001080A000.00000004.00000001.sdmp String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&es=ZSoKBJAGIS9znv53GGqtBHT.e7RqhcLi9oPkKos96o16hbBa70bC
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://cdn.cookielaw.org/logos/static/poweredBy_ot_logo.svg
Source: iexplore.exe, 00000004.00000003.321965773.0000000009529000.00000004.00000001.sdmp String found in binary or memory: https://cdn.cookielaw.org/logos/static/poweredBy_ot_logo.svgt
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://cdn.cookielaw.org/logos/static/poweredBy_ot_logo.svgy
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: iexplore.exe, 00000004.00000003.292172407.000000000945A000.00000004.00000001.sdmp, auction[1].htm.4.dr String found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html&quot;
Source: iab2Data[1].json.4.dr String found in binary or memory: https://channelpilot.co.uk/privacy-policy
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: iexplore.exe, 00000004.00000003.307978998.000000000630B000.00000004.00000001.sdmp String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656AAA
Source: de-ch[1].htm.4.dr String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=21863656
Source: iexplore.exe, 00000004.00000003.329328948.0000000009C69000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net&https=1&act=headerBid&prvReqId=225808175442171731606372576076&erTr=0&hl
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.291426480.0000000009481000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net&https=1&act=headerBid&prvReqId=486542288040879901606372575645&erTr=0&hl
Source: iexplore.exe, 00000004.00000003.321965773.0000000009529000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/48/nrrV97497.js
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/48/nrrV97497.js$
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/48/nrrV97497.js=8CU157172&crid=858412214&size=306x271&https=14#
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/48/nrrV97497.js=8CU157172&crid=858412214&size=306x271&https=1h
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/48/nrrV97497.jsCe
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/48/nrrV97497.jsW
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/48/nrrV97497.jsrq
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/48/nrrV97497.jsuf
Source: iexplore.exe, 00000004.00000003.306912934.000000001275A000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: {ABD864DA-2FB1-11EB-90E4-ECF4BB862DED}.dat.3.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.4.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: iexplore.exe, 00000004.00000003.290584857.000000000628C000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
Source: de-ch[1].htm.4.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.291535405.00000000109BC000.00000004.00000001.sdmp, {ABD864DA-2FB1-11EB-90E4-ECF4BB862DED}.dat.3.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1#
Source: iexplore.exe, 00000004.00000003.297742189.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=159
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=15CYII=
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=18%
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1?v=99-862
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1E)
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1G
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1M;
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1N%v
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1S#
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1e8t
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1u%_
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1u;D
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp, {ABD864DA-2FB1-11EB-90E4-ECF4BB862DED}.dat.3.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1#
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1%;4
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1&https=1
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1.y
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=18
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1Y
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1annerSdk.
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1e
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1g
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1m9
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1~ve
Source: iexplore.exe, 00000004.00000003.321965773.0000000009529000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/n
Source: iexplore.exe, 00000004.00000003.297693605.00000000095DE000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.329328948.0000000009C69000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.291426480.0000000009481000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/rtbsmpubs.php?&gdpr=0&gdprconsent=1&usp_enf=1&usp_status=0&cid=8HBI57XI
Source: iexplore.exe, 00000004.00000003.321965773.0000000009529000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.netO
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://cvision.media.net/new/300x300/2/104/159/164/b93e9132-e670-4998-95ce-f937ea9eeb4b.jpg?v=9
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://cvision.media.net/new/300x300/2/104/159/164/b93e9132-e670-4998-95ce-f937ea9eeb4b.jpg?v=9Hxw
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://cvision.media.net/new/300x300/2/104/159/164/b93e9132-e670-4998-95ce-f937ea9eeb4b.jpg?v=9lTys
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://cvision.media.net/new/300x300/2/104/159/164/b93e9132-e670-4998-95ce-f937ea9eeb4b.jpg?v=9ryY
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://cvision.media.net/new/300x300/2/104/159/164/b93e9132-e670-4998-95ce-f937ea9eeb4b.jpg?v=9vx
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.309550355.000000000667D000.00000004.00000001.sdmp String found in binary or memory: https://cvision.media.net/new/300x300/3/88/228/173/87e5c478-82d7-43e3-8254-594bbfda55c7.jpg?v=9
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://cvision.media.net/new/300x300/3/88/228/173/87e5c478-82d7-43e3-8254-594bbfda55c7.jpg?v=9&
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://cvision.media.net/new/300x300/3/88/228/173/87e5c478-82d7-43e3-8254-594bbfda55c7.jpg?v=9dvC
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://cvision.media.net/new/300x300/3/88/228/173/87e5c478-82d7-43e3-8254-594bbfda55c7.jpg?v=9h
Source: iexplore.exe, 00000004.00000003.345433404.0000000012751000.00000004.00000001.sdmp String found in binary or memory: https://dap.media.nethttps://lg3.media.nethttps://www.mnetads.net
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://deff.nelredateWed
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: iab2Data[1].json.4.dr String found in binary or memory: https://docs.prebid.org/privacy.html
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://hblg.media.net/
Source: iexplore.exe, 00000004.00000003.290829943.0000000009462000.00000004.00000001.sdmp String found in binary or memory: https://hblg.media.net/log?logid=aplog&pid=8PR68Q253&itype=HB-CM&dn=msn.com&cid=8HBI57XIG&svr=202011
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.290083126.000000000940F000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.291559132.00000000109E8000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA3DGHW?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: iexplore.exe, 00000004.00000003.359371690.000000000973E000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJwziK?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: iexplore.exe, 00000004.00000003.358051438.000000000940F000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.359371690.000000000973E000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAK6w2d?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=j
Source: iexplore.exe, 00000004.00000003.359371690.000000000973E000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAkqhIf?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.291898968.0000000010819000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAuTnto?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: iexplore.exe, 00000004.00000003.298626209.000000000973E000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzb5EX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB10MkbM?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=pn
Source: iexplore.exe, 00000004.00000003.299265286.0000000009B44000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB14EN7h?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.343436234.000000000940F000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.359371690.000000000973E000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB15AQNm?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.291559132.00000000109E8000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUsw7?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1ardZ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=pn
Source: iexplore.exe, 00000004.00000003.321698798.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bkDP8?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bkQKt?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.290083126.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1blQnh?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1blSc1?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1blTcc?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.299265286.0000000009B44000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.290083126.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1blpIM?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bm6pW?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.343436234.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bm7i2?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.343436234.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bmBxA?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.358051438.000000000940F000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.359371690.000000000973E000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bmbBn?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.291559132.00000000109E8000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bmfFl?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.299265286.0000000009B44000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.290083126.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bmgfo?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bmiEZ?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bmkAU?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bmlu4?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bmmKP?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.343436234.000000000940F000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.329921220.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bmmvx?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.290083126.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bmuG6?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.290083126.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bmuij?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.343436234.000000000940F000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.329921220.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bmzoc?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB4j8lS?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: iexplore.exe, 00000004.00000003.308792223.000000001080A000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hg4?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.343436234.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hg4?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=pngc
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBF08Nm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBK9Ri5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBXXVfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: iexplore.exe, 00000004.00000003.321288179.0000000010891000.00000004.00000001.sdmp String found in binary or memory: https://img.img-t
Source: iexplore.exe, 00000004.00000003.308792223.000000001080A000.00000004.00000001.sdmp String found in binary or memory: https://img.img-taboola
Source: iexplore.exe, 00000004.00000003.308792223.000000001080A000.00000004.00000001.sdmp String found in binary or memory: https://img.img-taboola.com/
Source: iexplore.exe, 00000004.00000003.292070502.0000000009B93000.00000004.00000001.sdmp String found in binary or memory: https://img.img-taboola.com/taboola/image/f
Source: auction[1].htm.4.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: iexplore.exe, 00000004.00000003.292172407.000000000945A000.00000004.00000001.sdmp, auction[1].htm.4.dr String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&amp;es=XFGp_OAGIS_bOjWI2BdDTEP.5YECYBL48vY1q.SjUbez
Source: iexplore.exe, 00000004.00000003.290584857.000000000628C000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://itunes.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://itunes.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: iexplore.exe, 00000004.00000003.341811091.0000000009C03000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.297693605.00000000095DE000.00000004.00000001.sdmp String found in binary or memory: https://iurl-a.akamaihd.net/ybntag?
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.298626209.000000000973E000.00000004.00000001.sdmp String found in binary or memory: https://lg3.media.net/
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://lg3.media.net/=
Source: iexplore.exe, 00000004.00000003.292027102.0000000009B5C000.00000004.00000001.sdmp String found in binary or memory: https://lg3.media.net/bqi.php?lf=5&&vgd_l2type=setting&pid=8PO8WH2OT&cme=iqXtbLqMsM7HN9t08hPKXQYgdks
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg
Source: iexplore.exe, 00000004.00000003.290584857.000000000628C000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg&quot;
Source: iab2Data[1].json.4.dr String found in binary or memory: https://listonic.com/privacy/
Source: de-ch[1].htm.4.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;checkda=1&amp;ct=1606340173&amp;rver
Source: de-ch[1].htm.4.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1606340173&amp;rver=7.0.6730.0&am
Source: iexplore.exe, 00000004.00000003.290667593.00000000062C5000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1606340173&rver=7.0.6730.0&wp=LBI&wreply=
Source: de-ch[1].htm.4.dr String found in binary or memory: https://login.live.com/logout.srf?ct=1606340174&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
Source: de-ch[1].htm.4.dr String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1606340173&amp;rver=7.0.6730.0&amp;w
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.4.dr String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&amp;market=de-ch&quot;
Source: iexplore.exe, 00000004.00000003.290667593.00000000062C5000.00000004.00000001.sdmp String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch
Source: iexplore.exe, 00000004.00000003.292070502.0000000009B93000.00000004.00000001.sdmp String found in binary or memory: https://objectivepartners.com/cookie-policy-and-privacy-
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.4.dr String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_headerE;H
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://onedrive.live.com;Fotos
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: iexplore.exe, 00000004.00000003.321857710.00000000094B8000.00000004.00000001.sdmp String found in binary or memory: https://onetrust.com/poweredbyonetrusty
Source: iexplore.exe, 00000004.00000003.292033416.0000000009B68000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.325323817.000002D903650000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000016.00000003.438905962.000001FC1312F000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000019.00000003.456496925.000001B066F16000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001A.00000003.444512684.0000027B3547E000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001B.00000003.365969300.0000026BA219C000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.436301314.000001F28A240000.00000004.00000001.sdmp String found in binary or memory: https://opensource.org/licenses/PHP-3.0
Source: de-ch[1].htm.4.dr String found in binary or memory: https://outlook.com/
Source: iexplore.exe, 00000004.00000003.307949725.00000000062D2000.00000004.00000001.sdmp String found in binary or memory: https://outlook.com/h).
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://outlook.live.com/calendar
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: iexplore.exe, 00000004.00000003.290584857.000000000628C000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
Source: iexplore.exe, 00000004.00000003.290584857.000000000628C000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&referrer=utm_
Source: iexplore.exe, 00000004.00000003.307928157.00000000062B2000.00000004.00000001.sdmp, auction[1].htm.4.dr String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
Source: iexplore.exe, 00000004.00000003.329889814.00000000093DA000.00000004.00000001.sdmp String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html5
Source: iexplore.exe, 00000004.00000003.308792223.000000001080A000.00000004.00000001.sdmp String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.htmlt-pc-Q
Source: iexplore.exe, 00000004.00000003.308792223.000000001080A000.00000004.00000001.sdmp String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.htmlx-heig
Source: iexplore.exe, 00000004.00000003.318372854.0000000009D08000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: iexplore.exe, 00000004.00000003.308704033.000000001077A000.00000004.00000001.sdmp String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xmlY
Source: iexplore.exe, 00000004.00000003.330095765.000000001077A000.00000004.00000001.sdmp String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xmlcom
Source: iab2Data[1].json.4.dr String found in binary or memory: https://portal.eu.numbereight.me/policies-license#software-privacy-notice
Source: iab2Data[1].json.4.dr String found in binary or memory: https://quantyoo.de/datenschutz
Source: iab2Data[1].json.4.dr String found in binary or memory: https://related.hu/adatkezeles/
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.291535405.00000000109BC000.00000004.00000001.sdmp, {ABD864DA-2FB1-11EB-90E4-ECF4BB862DED}.dat.3.dr String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.4.dr String found in binary or memory: https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&amp;campid=533862
Source: iexplore.exe, 00000004.00000003.291898968.0000000010819000.00000004.00000001.sdmp String found in binary or memory: https://s.yie
Source: iexplore.exe, 00000004.00000003.321965773.0000000009529000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.297146635.0000000009529000.00000004.00000001.sdmp String found in binary or memory: https://s.yimg.com/
Source: iexplore.exe, 00000004.00000003.297146635.0000000009529000.00000004.00000001.sdmp String found in binary or memory: https://s.yimg.com/T
Source: iexplore.exe, 00000004.00000003.330311586.0000000009759000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.330196973.0000000009462000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.292172407.000000000945A000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.330636961.0000000010860000.00000004.00000001.sdmp String found in binary or memory: https://s.yimg.com/av/ads/1605088252233-7172.jpg
Source: iexplore.exe, 00000004.00000003.330311586.0000000009759000.00000004.00000001.sdmp String found in binary or memory: https://s.yimg.com/av/ads/1605088252233-7172.jpg0
Source: iexplore.exe, 00000004.00000003.330311586.0000000009759000.00000004.00000001.sdmp String found in binary or memory: https://s.yimg.com/av/ads/1605088252233-7172.jpgeckoe
Source: iexplore.exe, 00000004.00000003.292027102.0000000009B5C000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.299337875.0000000009B6E000.00000004.00000001.sdmp, auction[1].htm.4.dr String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/oAeAE7g.4uDJvxEGd4fmcw--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: iexplore.exe, 00000004.00000003.292172407.000000000945A000.00000004.00000001.sdmp String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/oAeAE7g.4uDJvxy(VL
Source: de-ch[1].htm.4.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
Source: iexplore.exe, 00000004.00000003.290584857.000000000628C000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-verticals-shoppinghub
Source: de-ch[1].htm.4.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://srtb.msn.com/
Source: iexplore.exe, 00000004.00000003.307949725.00000000062D2000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.308533033.0000000009715000.00000004.00000001.sdmp String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=2bb92a0fe5d3485b9240c75ea7f76d67&c=MSN&d=https%3A%2F%2Fwww.ms
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://srtb.msn.com/f
Source: iexplore.exe, 00000004.00000003.292172407.000000000945A000.00000004.00000001.sdmp, auction[1].htm.4.dr String found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=2bb92a0fe5d3485b9240c75ea7f76d67&amp;r=infopane&amp;i=2&
Source: iexplore.exe, 00000004.00000003.330196973.0000000009462000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.297742189.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/
Source: iexplore.exe, 00000004.00000003.330196973.0000000009462000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net//
Source: iexplore.exe, 00000004.00000003.330196973.0000000009462000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/044-a445-435b-bc74-9c25c1c588a9
Source: iexplore.exe, 00000004.00000003.290829943.0000000009462000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/11e4956/webcore/externalscripts/oneTrustV2/scripttempl
Source: iexplore.exe, 00000004.00000003.340781361.00000000094A9000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/98
Source: iexplore.exe, 00000004.00000003.330196973.0000000009462000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/Accept-Language:
Source: iexplore.exe, 00000004.00000003.358501091.00000000094AB000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/J
Source: iexplore.exe, 00000004.00000003.297742189.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/_
Source: de-ch[1].htm.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch&quot;
Source: iexplore.exe, 00000004.00000003.330196973.0000000009462000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/ernalscripts/oneTrustV2/scripttemplates/6.4.0/assets/v
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.299833651.000000000673C000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jque
Source: iexplore.exe, 00000004.00000003.307949725.00000000062D2000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.290674521.00000000062D2000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-4ce2ee7a/direct
Source: iexplore.exe, 00000004.00000003.308156586.00000000094F2000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directi
Source: iexplore.exe, 00000004.00000003.307949725.00000000062D2000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-a9cf7dee/directi
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png(d
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png;d
Source: iexplore.exe, 00000004.00000003.321965773.0000000009529000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.pngv
Source: iexplore.exe, 00000004.00000003.330416685.000000000668D000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, imagestore.dat.4.dr, ~DFD4EED12F40708B65.TMP.3.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.icomuK
Source: iexplore.exe, 00000004.00000003.330416685.000000000668D000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/3b/f194d7.ttf
Source: iexplore.exe, 00000004.00000003.330416685.000000000668D000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: iexplore.exe, 00000004.00000003.307949725.00000000062D2000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gifre/externalscripts/jquery/jquer
Source: de-ch[1].htm.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: iexplore.exe, 00000004.00000003.299833651.000000000673C000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpgre/externalscripts/jquery/jquer
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.png
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.pngBdc
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.pngTeu
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.pngipttemplates/otSDKStub.js
Source: iexplore.exe, 00000004.00000003.330416685.000000000668D000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woffC:
Source: iexplore.exe, 00000004.00000003.330416685.000000000668D000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woffq
Source: iexplore.exe, 00000004.00000003.299833651.000000000673C000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA3DGHW.img?h=16&w=16&
Source: iexplore.exe, 00000004.00000003.359081341.00000000096BB000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.358977818.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&
Source: iexplore.exe, 00000004.00000003.330196973.0000000009462000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJwziK.img?h=16&w=16&
Source: iexplore.exe, 00000004.00000003.358501091.00000000094AB000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.357949097.00000000093C0000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAK6w2d.img?h=250&w=20
Source: iexplore.exe, 00000004.00000003.358501091.00000000094AB000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.358051438.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAkqhIf.img?h=16&w=16&
Source: iexplore.exe, 00000004.00000003.299833651.000000000673C000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.291200541.00000000096B9000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAuTnto.img?h=16&w=16&
Source: iexplore.exe, 00000004.00000003.330311586.0000000009759000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.299833651.000000000673C000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzb5EX.img?h=16&w=16&
Source: iexplore.exe, 00000004.00000003.344476323.000000000673C000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.309680968.000000000673C000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB10MkbM.img?h=16&w=16
Source: de-ch[1].htm.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
Source: iexplore.exe, 00000004.00000003.298137448.00000000096B9000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14EN7h.img?h=368&w=6
Source: iexplore.exe, 00000004.00000003.342378419.000000001080A000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14hq0P.img?h=368&w=6
Source: iexplore.exe, 00000004.00000003.358501091.00000000094AB000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.359259929.00000000096F4000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.343961731.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB15AQNm.img?h=368&w=6
Source: de-ch[1].htm.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB15NLgx.img?h=166&amp
Source: iexplore.exe, 00000004.00000003.309535730.000000000666D000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB15NLgx.img?h=166&w=3
Source: iexplore.exe, 00000004.00000003.322292708.00000000096C0000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.292027102.0000000009B5C000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aUsw7.img?h=368&w=6
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.322292708.00000000096C0000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1ardZ3.img?h=16&w=16
Source: de-ch[1].htm.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b6vzA.img?h=27&amp;
Source: iexplore.exe, 00000004.00000003.319909564.00000000094AE000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bkDP8.img?h=333&w=3
Source: iexplore.exe, 00000004.00000003.322292708.00000000096C0000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bkQKt.img?h=368&w=6
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.307978998.000000000630B000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bkSQQ.img?h=333&w=3
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.290892363.00000000094D3000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.298626209.000000000973E000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1blQeY.img?h=333&w=3
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1blQnh.img?h=333&w=3
Source: iexplore.exe, 00000004.00000003.322292708.00000000096C0000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1blSc1.img?h=166&w=3
Source: iexplore.exe, 00000004.00000003.291674064.00000000107C4000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1blTcc.img?h=333&w=3
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1blVmS.img?h=75&w=10
Source: iexplore.exe, 00000004.00000003.308792223.000000001080A000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.322292708.00000000096C0000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.330816680.00000000108FF000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.291200541.00000000096B9000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1blpIM.img?h=250&w=2
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.290892363.00000000094D3000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bm3PZ.img?h=250&w=3
Source: iexplore.exe, 00000004.00000003.308753962.00000000107C4000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.307949725.00000000062D2000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bm6pW.img?h=166&w=3
Source: iexplore.exe, 00000004.00000003.319909564.00000000094AE000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bm7i2.img?h=333&w=3
Source: iexplore.exe, 00000004.00000003.358501091.00000000094AB000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmBxA.img?h=250&w=2
Source: iexplore.exe, 00000004.00000003.322292708.00000000096C0000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.308533033.0000000009715000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmBxD.img?h=250&w=2
Source: iexplore.exe, 00000004.00000003.358977818.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.358574338.00000000094D3000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmbBn.img?h=250&w=2
Source: de-ch[1].htm.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmdIp.img?h=333&amp
Source: iexplore.exe, 00000004.00000003.309535730.000000000666D000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmdIp.img?h=333&w=3
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.308753962.00000000107C4000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmf1B.img?h=333&w=3
Source: iexplore.exe, 00000004.00000003.291200541.00000000096B9000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmfFl.img?h=250&w=2
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.308753962.00000000107C4000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmgfo.img?h=333&w=3
Source: iexplore.exe, 00000004.00000003.322292708.00000000096C0000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.299374866.0000000009B82000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmiEZ.img?h=250&w=2
Source: de-ch[1].htm.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmiuF.img?h=166&amp
Source: iexplore.exe, 00000004.00000003.307949725.00000000062D2000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.299833651.000000000673C000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmiuF.img?h=166&w=3
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmiyP.img?h=75&w=10
Source: iexplore.exe, 00000004.00000003.308428822.00000000096C0000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmkAU.img?h=333&w=3
Source: iexplore.exe, 00000004.00000003.322292708.00000000096C0000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.307949725.00000000062D2000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmlu4.img?h=250&w=2
Source: iexplore.exe, 00000004.00000003.322292708.00000000096C0000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.307949725.00000000062D2000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmmKP.img?h=333&w=3
Source: iexplore.exe, 00000004.00000003.341444269.00000000096B9000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.329419815.00000000107C6000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmmvx.img?h=250&w=2
Source: iexplore.exe, 00000004.00000003.358501091.00000000094AB000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmpXV.img?h=250&w=2
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.298626209.000000000973E000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmtMh.img?h=75&w=10
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmuG6.img?h=333&w=3
Source: iexplore.exe, 00000004.00000003.291200541.00000000096B9000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmuij.img?h=250&w=2
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.322292708.00000000096C0000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmusM.img?h=250&w=3
Source: iexplore.exe, 00000004.00000003.298626209.000000000973E000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmuw8.img?h=75&w=10
Source: iexplore.exe, 00000004.00000003.358501091.00000000094AB000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.342440582.0000000010831000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.340781361.00000000094A9000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bmzoc.img?h=250&w=2
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB4j8lS.img?h=16&w=16&
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.299833651.000000000673C000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.291200541.00000000096B9000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&
Source: iexplore.exe, 00000004.00000003.330311586.0000000009759000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7gRE.img?h=16&w=16&m
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hg4.img?h=16&w=16&m
Source: iexplore.exe, 00000004.00000003.307898178.0000000010B47000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.344476323.000000000673C000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.309680968.000000000673C000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBF08Nm.img?h=16&w=16&
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.308156586.00000000094F2000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.340578093.0000000010B47000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBK9Hzy.img?h=16&w=16&
Source: iexplore.exe, 00000004.00000003.330311586.0000000009759000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBK9Ri5.img?h=16&w=16&
Source: iexplore.exe, 00000004.00000003.340578093.0000000010B47000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&
Source: de-ch[1].htm.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
Source: iexplore.exe, 00000004.00000003.340578093.0000000010B47000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&
Source: de-ch[1].htm.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.322292708.00000000096C0000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBXXVfm.img?h=16&w=16&
Source: iexplore.exe, 00000004.00000003.340578093.0000000010B47000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&
Source: iexplore.exe, 00000004.00000003.290829943.0000000009462000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/msn-com.akamaized.net/
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://support.skype.com
Source: iexplore.exe, 00000004.00000003.321857710.00000000094B8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.308533033.0000000009715000.00000004.00000001.sdmp String found in binary or memory: https://tcf.cookiepedia.co.uk?lang=de
Source: iexplore.exe, 00000004.00000003.321857710.00000000094B8000.00000004.00000001.sdmp String found in binary or memory: https://tcf.cookiepedia.co.uk?lang=deo
Source: de-ch[1].htm.4.dr String found in binary or memory: https://twitter.com/
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: iexplore.exe, 00000004.00000003.307949725.00000000062D2000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/l)
Source: iexplore.exe, 00000004.00000003.307949725.00000000062D2000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/n._
Source: iexplore.exe, 00000004.00000003.307978998.000000000630B000.00000004.00000001.sdmp String found in binary or memory: https://web.vortex.data.msn.com/
Source: iexplore.exe, 00000004.00000003.307978998.000000000630B000.00000004.00000001.sdmp String found in binary or memory: https://web.vortex.data.msn.com/I
Source: de-ch[1].htm.4.dr String found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
Source: iexplore.exe, 00000004.00000003.290083126.000000000940F000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.358051438.000000000940F000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.357949097.00000000093C0000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.358017863.00000000093DA000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.341885358.0000000010740000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.318982814.0000000009757000.00000004.00000001.sdmp String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?ver=
Source: iab2Data[1].json.4.dr String found in binary or memory: https://www.admo.tv/en/privacy-policy
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&amp;awinaffid=696593&amp;clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-edge-dhp-river
Source: iexplore.exe, 00000004.00000003.307949725.00000000062D2000.00000004.00000001.sdmp String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river&ued=htt
Source: iab2Data[1].json.4.dr String found in binary or memory: https://www.bet365affiliates.com/UI/Pages/Affiliates/Affiliates.aspx?ContentPath
Source: iab2Data[1].json.4.dr String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.blackfridaydeals.ch/?utm_source=ms&amp;utm_campaign=mestripe
Source: iexplore.exe, 00000004.00000003.290584857.000000000628C000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://www.blackfridaydeals.ch/?utm_source=ms&amp;utm_campaign=topnav
Source: iexplore.exe, 00000004.00000003.330416685.000000000668D000.00000004.00000001.sdmp String found in binary or memory: https://www.blackfridaydeals.ch/?utm_source=ms&utm_campaign=mestripe
Source: iexplore.exe, 00000004.00000003.330416685.000000000668D000.00000004.00000001.sdmp String found in binary or memory: https://www.blackfridaydeals.ch/?utm_source=ms&utm_campaign=mestripeng
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://www.blackfridaydeals.ch/?utm_source=ms&utm_campaign=topnav%
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.blackfridaydeals.ch/elektronik-unterhaltung?utm_source=ms&amp;utm_campaign=infopane-elec
Source: iexplore.exe, 00000004.00000003.309550355.000000000667D000.00000004.00000001.sdmp String found in binary or memory: https://www.blackfridaydeals.ch/elektronik-unterhaltung?utm_source=ms&utm_campaign=infopane-electro
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.blackfridaydeals.ch/neuste-angebote?utm_source=ms&amp;utm_campaign=shop-gross
Source: iexplore.exe, 00000004.00000003.290584857.000000000628C000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://www.blackfridaydeals.ch/neuste-angebote?utm_source=ms&amp;utm_campaign=shop-trends
Source: iab2Data[1].json.4.dr String found in binary or memory: https://www.brightcom.com/privacy-policy/
Source: iexplore.exe, 00000004.00000003.292070502.0000000009B93000.00000004.00000001.sdmp String found in binary or memory: https://www.converto.com/datenschutz-privacy-policy
Source: iexplore.exe, 00000004.00000003.325922450.000000000675B000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.325427344.000002D903688000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000016.00000003.438905962.000001FC1312F000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001A.00000003.444512684.0000027B3547E000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001B.00000003.439432155.0000026BA2173000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.436764873.000001F28A285000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: iab2Data[1].json.4.dr String found in binary or memory: https://www.gadsme.com/privacy-policy/
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.298626209.000000000973E000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: iexplore.exe, 00000004.00000003.330311586.0000000009759000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/favicon.ico
Source: iexplore.exe, 00000004.00000003.292070502.0000000009B93000.00000004.00000001.sdmp String found in binary or memory: https://www.mintegral.com/en/privacy/
Source: iexplore.exe, 00000004.00000003.308533033.0000000009715000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/
Source: iexplore.exe, 00000004.00000003.321857710.00000000094B8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.290892363.00000000094D3000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-8
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/otFl
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/v2/o
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.289829979.00000000093C0000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otBannerSdk
Source: iexplore.exe, 00000004.00000003.308156586.00000000094F2000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otTCF-ie.js
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.289829979.00000000093C0000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/otSDKStub.js
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/otSDKStub.jsl=
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch
Source: iexplore.exe, 00000004.00000003.307949725.00000000062D2000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/
Source: {ABD864DA-2FB1-11EB-90E4-ECF4BB862DED}.dat.3.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: iexplore.exe, 00000004.00000003.290374155.000000000943C000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp%
Source: iexplore.exe, 00000004.00000003.308533033.0000000009715000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp%2
Source: iexplore.exe, 00000004.00000003.341249351.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&
Source: iexplore.exe, 00000004.00000003.290584857.000000000628C000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
Source: iexplore.exe, 00000004.00000003.395712317.0000000012A10000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&groups=C0001:1
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsbundleper
Source: iexplore.exe, 00000004.00000003.308792223.000000001080A000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp(
Source: iexplore.exe, 00000004.00000003.358051438.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp)uD
Source: iexplore.exe, 00000004.00000003.343436234.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp-
Source: iexplore.exe, 00000004.00000003.307949725.00000000062D2000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp.
Source: iexplore.exe, 00000004.00000003.321857710.00000000094B8000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp0
Source: iexplore.exe, 00000004.00000003.297006363.00000000094B8000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp3
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp4
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp8
Source: iexplore.exe, 00000004.00000003.330593455.0000000009BFF000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp9
Source: iexplore.exe, 00000004.00000003.358051438.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp:
Source: iexplore.exe, 00000004.00000003.321857710.00000000094B8000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp?
Source: iexplore.exe, 00000004.00000003.290374155.000000000943C000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpB
Source: iexplore.exe, 00000004.00000003.309535730.000000000666D000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpC
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpE
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.322292708.00000000096C0000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpJ
Source: iexplore.exe, 00000004.00000003.289829979.00000000093C0000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp, explorer.exe, 00000009.00000000.307892520.000000000F6C0000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpMSN
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpMini-H
Source: iexplore.exe, 00000004.00000003.290374155.000000000943C000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpR
Source: iexplore.exe, 00000004.00000003.308024851.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpU
Source: iexplore.exe, 00000004.00000003.396893937.00000000126E5000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.396920386.00000000126E6000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpY_f7c7e663-889f-40e7-abde-fe175c30742eY_f7c7e663-889f-40e7-abde-
Source: iexplore.exe, 00000004.00000003.321857710.00000000094B8000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpZ
Source: iexplore.exe, 00000004.00000003.330593455.0000000009BFF000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp_Nk
Source: iexplore.exe, 00000004.00000003.290892363.00000000094D3000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpaccept-languageen-USaccept-encodinggzip
Source: iexplore.exe, 00000004.00000003.291600131.000000001073F000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpaccept-languageen-USuser-agentMozilla/5.0
Source: iexplore.exe, 00000004.00000003.330816680.00000000108FF000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpay
Source: iexplore.exe, 00000004.00000003.321857710.00000000094B8000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpc
Source: iexplore.exe, 00000004.00000003.321857710.00000000094B8000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpe
Source: iexplore.exe, 00000004.00000003.299833651.000000000673C000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpe(
Source: iexplore.exe, 00000004.00000003.308533033.0000000009715000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpfW
Source: iexplore.exe, 00000004.00000003.330095765.000000001077A000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpg
Source: iexplore.exe, 00000004.00000003.330593455.0000000009BFF000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehphcLa
Source: iexplore.exe, 00000004.00000003.345309349.00000000126D5000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.396893937.00000000126E5000.00000004.00000001.sdmp, iexplore.exe, 00000004.00000003.396920386.00000000126E6000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehphttps://www.msn.com/de-ch/?ocid=iehpY_f7c7e663-889f-40e7-abde-fe
Source: iexplore.exe, 00000004.00000003.291898968.0000000010819000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpie-#
Source: iexplore.exe, 00000004.00000003.343436234.000000000940F000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpikD
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: iexplore.exe, 00000004.00000003.299833651.000000000673C000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpk
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpnin
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpo
Source: iexplore.exe, 00000004.00000003.321857710.00000000094B8000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpp
Source: iexplore.exe, 00000004.00000003.308533033.0000000009715000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpp4
Source: iexplore.exe, 00000004.00000003.308792223.000000001080A000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehppe
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehppt
Source: iexplore.exe, 00000004.00000003.330434948.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpst
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehptst
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehptt)
Source: iexplore.exe, 00000004.00000003.321857710.00000000094B8000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpv
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpw
Source: iexplore.exe, 00000004.00000003.309363854.00000000108FF000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpx
Source: iexplore.exe, 00000004.00000003.309363854.00000000108FF000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpzy
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/autos/nachrichten/wie-umweltschonend-ist-campingurlaub-studie-zur-klimabil
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch&quot;
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata&quot;
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/lifestyle/horoskope/fische-kostenlose-tageshoroskop/ar-AAyAPSK
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisenC9
Source: iexplore.exe, 00000004.00000003.297742189.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/nachrichten/other/toter-h%c3%a4ftling-war-verurteilt-wegen-t%c3%b6tung-in-
Source: iexplore.exe, 00000004.00000003.307978998.000000000630B000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: iexplore.exe, 00000004.00000003.321965773.0000000009529000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/achteinhalb-jahre-freiheitsstrafe-f%c3%bcr-53-j%c3%a4hrige-frau
Source: iexplore.exe, 00000004.00000003.307978998.000000000630B000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/als-daniel-bumann-kommt-flieht-der-bacco-wirt/ar-BB1bjWhc?ocid=
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/arzt-untersucht-patientin-wegen-husten-vaginal-und-anal/ar-BB1b
Source: iexplore.exe, 00000004.00000003.309535730.000000000666D000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/der-pr%c3%a4sident-der-katholischen-synode-des-kantons-z%c3%bcr
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/der-ring-war-wohl-nicht-lange-am-finger-der-besitzerin/ar-BB1bl
Source: iexplore.exe, 00000004.00000003.299833651.000000000673C000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/die-stadt-z%c3%bcrich-wird-ihre-akw-anteile-nicht-los/ar-BB1bm4
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/ein-grosser-schritt-f%c3%bcr-schwamendingen-der-z%c3%bcrcher-ge
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/primarsch%c3%bclerin-jahrelang-von-freund-der-familie-missbrauc
Source: iexplore.exe, 00000004.00000003.299833651.000000000673C000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/vagina-untersuch-war-klar-sexuell-motivierte-handlung/ar-BB1blP
Source: iexplore.exe, 00000004.00000003.309535730.000000000666D000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/weshalb-eine-harmlose-homestory-%c3%bcber-eine-pferdehalterin-a
Source: iexplore.exe, 00000004.00000003.321965773.0000000009529000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/t
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/j
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: iexplore.exe, 00000004.00000003.290667593.00000000062C5000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4.
Source: iexplore.exe, 00000004.00000003.290892363.00000000094D3000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.comdia.net
Source: iexplore.exe, 00000004.00000003.308533033.0000000009715000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.comt
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.office.com/?omkt=de-ch%26WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
Source: iexplore.exe, 00000004.00000003.299591707.0000000006643000.00000004.00000001.sdmp String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: iexplore.exe, 00000004.00000003.299591707.0000000006643000.00000004.00000001.sdmp String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msnv
Source: svchost.exe, 00000008.00000002.325064412.000002D903613000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000019.00000003.442116260.000001B0648AA000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.435947149.000001F28A213000.00000004.00000001.sdmp String found in binary or memory: https://www.php.net/
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp String found in binary or memory: https://www.php.net/F
Source: svchost.exe, 0000001F.00000002.436701368.000001F28A276000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.436511249.000001F28A263000.00000004.00000001.sdmp String found in binary or memory: https://www.php.net/license/3_0.txt
Source: svchost.exe, 00000008.00000002.325064412.000002D903613000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.435947149.000001F28A213000.00000004.00000001.sdmp String found in binary or memory: https://www.php.net/license/3_0.txt/dll
Source: svchost.exe, 00000008.00000002.325394161.000002D903674000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.436701368.000001F28A276000.00000004.00000001.sdmp String found in binary or memory: https://www.php.net/license/3_0.txtLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedExpir
Source: RuntimeBroker.exe, 00000019.00000003.442116260.000001B0648AA000.00000004.00000001.sdmp String found in binary or memory: https://www.php.net/license/3_0.txtP
Source: RuntimeBroker.exe, 00000019.00000003.442116260.000001B0648AA000.00000004.00000001.sdmp String found in binary or memory: https://www.php.net/license/3_0.txturii
Source: svchost.exe, 00000008.00000002.325323817.000002D903650000.00000004.00000001.sdmp String found in binary or memory: https://www.php.net/license/3_0.txtw
Source: iexplore.exe, 00000004.00000003.292033416.0000000009B68000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.325323817.000002D903650000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000016.00000003.438905962.000001FC1312F000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000019.00000003.456496925.000001B066F16000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001A.00000003.444512684.0000027B3547E000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001B.00000003.365969300.0000026BA219C000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.436301314.000001F28A240000.00000004.00000001.sdmp String found in binary or memory: https://www.php.net/license/3_01.txt
Source: iexplore.exe, 00000004.00000003.292070502.0000000009B93000.00000004.00000001.sdmp String found in binary or memory: https://www.protected.media/privacy-policy/
Source: iab2Data[1].json.4.dr String found in binary or memory: https://www.remixd.com/privacy_policy.html
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
Source: iexplore.exe, 00000004.00000003.290584857.000000000628C000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
Source: iexplore.exe, 00000004.00000003.307978998.000000000630B000.00000004.00000001.sdmp String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_de&utm_co
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm_content=sho
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.skype.com/
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://www.skype.com/de
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://www.skype.com/de/download-skype
Source: iexplore.exe, 00000004.00000003.322170702.00000000095F8000.00000004.00000001.sdmp, 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: iexplore.exe, 00000004.00000003.307949725.00000000062D2000.00000004.00000001.sdmp String found in binary or memory: https://www.skype.com/t
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=undefine
Source: iexplore.exe, 00000004.00000003.292396708.0000000006692000.00000004.00000001.sdmp, de-ch[1].htm.4.dr String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.4.dr String found in binary or memory: https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: iexplore.exe, 00000004.00000003.292070502.0000000009B93000.00000004.00000001.sdmp String found in binary or memory: https://www.united-internet-media.de/de/datenschutzhinweis/
Source: iab2Data[1].json.4.dr String found in binary or memory: https://www.vidstart.com/wp-content/uploads/2018/09/PrivacyPolicyPDF-Vidstart.pdf
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000008.00000002.324561942.00000000005C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.434070223.0000000000090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6760, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5264, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, %systemroot%\system32\c_1252.nls 1_2_6E1F2FCE
Source: C:\Windows\System32\svchost.exe Code function: HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose, %systemroot%\system32\c_1252.nls 8_2_00598234
Source: C:\Windows\System32\svchost.exe Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ff 8_2_00581FFC
Source: C:\Windows\System32\svchost.exe Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ie 8_2_00581FFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, %systemroot%\system32\c_1252.nls 19_2_6E1F2FCE
Source: C:\Windows\System32\svchost.exe Code function: HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose, %systemroot%\system32\c_1252.nls 31_2_00068234
Source: C:\Windows\System32\svchost.exe Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ff 31_2_00051FFC
Source: C:\Windows\System32\svchost.exe Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ie 31_2_00051FFC
Yara detected Ursnif
Source: Yara match File source: 00000008.00000002.324561942.00000000005C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.434070223.0000000000090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6760, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5264, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Malicious sample detected (through community Yara rule)
Source: 8.2.svchost.exe.580000.0.unpack, type: UNPACKEDPE Matched rule: Ursnif Payload Author: kevoreilly & enzo
Source: 31.2.svchost.exe.50000.0.unpack, type: UNPACKEDPE Matched rule: Ursnif Payload Author: kevoreilly & enzo
Found PHP interpreter
Source: iexplore.exe, 00000003.00000003.445502720.00000244A0C92000.00000004.00000040.sdmp String found in binary or memory: ited the implied warranties merchantability and fitness for particular purpose are disclaimed event shall the php development team its contributors liable for any direct indirect incidental special exemplary consequential damages including but not limited procurement substitute goods services loss use data profits business interruption however caused and any theory liability whether contract strict liability tort including negligence otherwise arising any way out the use this software even advised the possibility such damage this software consists voluntary contributions made many individuals behalf the php group the php group can contacted via email group php net for more information the php group and the php project please see http www php net this product includes the zend engine freely available http www zend com
Source: iexplore.exe, 00000003.00000003.368839717.00000244A06D1000.00000004.00000040.sdmp String found in binary or memory: nse version file this the original php license version which applies only very old versions php software such versions and earlier the php license version open source initiative approved license available https opensource org licenses php this license has been superseded the php license version available https www php net license txt all new works using the php license should use the php license version the php license version copyright the php group all rights reserved redistribution and use source and binary forms with without modification permitted provided that the following conditions are met redistributions source code must retain the above copyright notice this list conditions and the following disclaimer redistributions binary form must reproduce the above copyright notice this list conditions and the following disclaimer the documentation and other materials provided with the distribution the name php must not used endorse promote products derived from this software without prior written permission for written permission please contact group php net products derived from this software may not called php nor may php appear their name without prior written permission from group php net you may indicate that your software works conjunction with php saying foo for php instead calling php foo phpfoo the php group may publish revised and new versions the license from time time each version will given distinguishing version number once covered code has been published under particular version the license you may always continue use under the terms that version you may also choose use such covered code under the terms any subsequent version the license published the php group one other than the php group has the right modify the terms applicable covered code created under this license redistributions any form whatsoever must retain the following acknowledgment this product includes php freely available from http www php net this software provided the php development team and any expressed implied warranties including but not limited the implied warranties merchantability and fitness for particular purpose are disclaimed event shall the php development team its contributors liable for any direct indirect incidental special exemplary consequential damages including but not limited procurement substitute goods services loss use data profits business interruption however caused and any theory liability whether contract strict liability tort including negligence otherwise arising any way out the use this software even advised the possibility such damage this software consists voluntary contributions made many individuals behalf the php group the php group can contacted via email group php net for more information the php group and the php project please see http www php net this product includes the zend engine freely available http www zend com
Source: iexplore.exe, 00000004.00000003.292033416.0000000009B68000.00000004.00000001.sdmp String found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
Source: iexplore.exe, 00000004.00000003.292033416.0000000009B68000.00000004.00000001.sdmp String found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
Source: iexplore.exe, 00000004.00000003.292033416.0000000009B68000.00000004.00000001.sdmp String found in binary or memory: published by the PHP Group. No one other than the PHP Group has
Source: iexplore.exe, 00000004.00000003.292033416.0000000009B68000.00000004.00000001.sdmp String found in binary or memory: individuals on behalf of the PHP Group.
Source: iexplore.exe, 00000004.00000003.292033416.0000000009B68000.00000004.00000001.sdmp String found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
Source: iexplore.exe, 00000004.00000003.292033416.0000000009B68000.00000004.00000001.sdmp String found in binary or memory: For more information on the PHP Group and the PHP project,
Source: svchost.exe, 00000008.00000002.325323817.000002D903650000.00000004.00000001.sdmp String found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
Source: svchost.exe, 00000008.00000002.325323817.000002D903650000.00000004.00000001.sdmp String found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
Source: svchost.exe, 00000008.00000002.325323817.000002D903650000.00000004.00000001.sdmp String found in binary or memory: published by the PHP Group. No one other than the PHP Group has
Source: svchost.exe, 00000008.00000002.325323817.000002D903650000.00000004.00000001.sdmp String found in binary or memory: individuals on behalf of the PHP Group.
Source: svchost.exe, 00000008.00000002.325323817.000002D903650000.00000004.00000001.sdmp String found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
Source: svchost.exe, 00000008.00000002.325323817.000002D903650000.00000004.00000001.sdmp String found in binary or memory: For more information on the PHP Group and the PHP project,
Source: explorer.exe, 00000009.00000003.433725046.000000000F283000.00000004.00000040.sdmp String found in binary or memory: ding but not limited the implied warranties merchantability and fitness for particular purpose are disclaimed event shall the php development team its contributors liable for any direct indirect incidental special exemplary consequential damages including but not limited procurement substitute goods services loss use data profits business interruption however caused and any theory liability whether contract strict liability tort including negligence otherwise arising any way out the use this software even advised the possibility such damage this software consists voluntary contributions made many individuals behalf the php group the php group can contacted via email group php net for more information the php group and the php project please see http www php net this product includes the zend engine freely available http www zend com
Source: explorer.exe, 00000009.00000003.433703656.000000000F281000.00000004.00000040.sdmp String found in binary or memory: nse version file this the original php license version which applies only very old versions php software such versions and earlier the php license version open source initiative approved license available https opensource org licenses php this license has been superseded the php license version available https www php net license txt all new works using the php license should use the php license version the php license version copyright the php group all rights reserved redistribution and use source and binary forms with without modification permitted provided that the following conditions are met redistributions source code must retain the above copyright notice this list conditions and the following disclaimer redistributions binary form must reproduce the above copyright notice this list conditions and the following disclaimer the documentation and other materials provided with the distribution the name php must not used endorse promote products derived from this software without prior written permission for written permission please contact group php net products derived from this software may not called php nor may php appear their name without prior written permission from group php net you may indicate that your software works conjunction with php saying foo for php instead calling php foo phpfoo the php group may publish revised and new versions the license from time time each version will given distinguishing version number once covered code has been published under particular version the license you may always continue use under the terms that version you may also choose use such covered code under the terms any subsequent version the license published the php group one other than the php group has the right modify the terms applicable covered code created under this license redistributions any form whatsoever must retain the following acknowledgment this product includes php freely available from http www php net this software provided the php development team and any expressed implied warranties including but not limited the implied warranties merchantability and fitness for particular purpose are disclaimed event shall the php development team its contributors liable for any direct indirect incidental special exemplary consequential damages including but not limited procurement substitute goods services loss use data profits business interruption however caused and any theory liability whether contract strict liability tort including negligence otherwise arising any way out the use this software even advised the possibility such damage this software consists voluntary contributions made many individuals behalf the php group the php group can contacted via email group php net for more information the php group and the php project please see http www php net this product includes the zend engine freely available http www zend com
Source: RuntimeBroker.exe, 00000016.00000003.438905962.000001FC1312F000.00000004.00000001.sdmp String found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
Source: RuntimeBroker.exe, 00000016.00000003.438905962.000001FC1312F000.00000004.00000001.sdmp String found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
Source: RuntimeBroker.exe, 00000016.00000003.438905962.000001FC1312F000.00000004.00000001.sdmp String found in binary or memory: published by the PHP Group. No one other than the PHP Group has
Source: RuntimeBroker.exe, 00000016.00000003.438905962.000001FC1312F000.00000004.00000001.sdmp String found in binary or memory: individuals on behalf of the PHP Group.
Source: RuntimeBroker.exe, 00000016.00000003.438905962.000001FC1312F000.00000004.00000001.sdmp String found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
Source: RuntimeBroker.exe, 00000016.00000003.438905962.000001FC1312F000.00000004.00000001.sdmp String found in binary or memory: For more information on the PHP Group and the PHP project,
Source: RuntimeBroker.exe, 00000017.00000003.440518691.00000177642D4000.00000004.00000001.sdmp String found in binary or memory: individuals on behalf of the PHP Group.
Source: RuntimeBroker.exe, 00000017.00000003.440518691.00000177642D4000.00000004.00000001.sdmp String found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
Source: RuntimeBroker.exe, 00000017.00000003.440518691.00000177642D4000.00000004.00000001.sdmp String found in binary or memory: For more information on the PHP Group and the PHP project,
Source: RuntimeBroker.exe, 00000019.00000003.456496925.000001B066F16000.00000004.00000001.sdmp String found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
Source: RuntimeBroker.exe, 00000019.00000003.456496925.000001B066F16000.00000004.00000001.sdmp String found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
Source: RuntimeBroker.exe, 00000019.00000003.456496925.000001B066F16000.00000004.00000001.sdmp String found in binary or memory: published by the PHP Group. No one other than the PHP Group has
Source: RuntimeBroker.exe, 00000019.00000003.456496925.000001B066F16000.00000004.00000001.sdmp String found in binary or memory: individuals on behalf of the PHP Group.
Source: RuntimeBroker.exe, 00000019.00000003.456496925.000001B066F16000.00000004.00000001.sdmp String found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
Source: RuntimeBroker.exe, 00000019.00000003.456496925.000001B066F16000.00000004.00000001.sdmp String found in binary or memory: For more information on the PHP Group and the PHP project,
Source: RuntimeBroker.exe, 0000001A.00000003.444512684.0000027B3547E000.00000004.00000001.sdmp String found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
Source: RuntimeBroker.exe, 0000001A.00000003.444512684.0000027B3547E000.00000004.00000001.sdmp String found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
Source: RuntimeBroker.exe, 0000001A.00000003.444512684.0000027B3547E000.00000004.00000001.sdmp String found in binary or memory: published by the PHP Group. No one other than the PHP Group has
Source: RuntimeBroker.exe, 0000001A.00000003.444512684.0000027B3547E000.00000004.00000001.sdmp String found in binary or memory: individuals on behalf of the PHP Group.
Source: RuntimeBroker.exe, 0000001A.00000003.444512684.0000027B3547E000.00000004.00000001.sdmp String found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
Source: RuntimeBroker.exe, 0000001A.00000003.444512684.0000027B3547E000.00000004.00000001.sdmp String found in binary or memory: For more information on the PHP Group and the PHP project,
Source: RuntimeBroker.exe, 0000001B.00000003.365969300.0000026BA219C000.00000004.00000001.sdmp String found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
Source: RuntimeBroker.exe, 0000001B.00000003.365969300.0000026BA219C000.00000004.00000001.sdmp String found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
Source: RuntimeBroker.exe, 0000001B.00000003.365969300.0000026BA219C000.00000004.00000001.sdmp String found in binary or memory: published by the PHP Group. No one other than the PHP Group has
Source: RuntimeBroker.exe, 0000001B.00000003.365969300.0000026BA219C000.00000004.00000001.sdmp String found in binary or memory: individuals on behalf of the PHP Group.
Source: RuntimeBroker.exe, 0000001B.00000003.365969300.0000026BA219C000.00000004.00000001.sdmp String found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
Source: RuntimeBroker.exe, 0000001B.00000003.365969300.0000026BA219C000.00000004.00000001.sdmp String found in binary or memory: For more information on the PHP Group and the PHP project,
Source: RuntimeBroker.exe, 0000001B.00000003.453940593.0000026BA2194000.00000004.00000001.sdmp String found in binary or memory: s on behalf of the PHP Group.
Source: svchost.exe, 0000001F.00000002.436301314.000001F28A240000.00000004.00000001.sdmp String found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
Source: svchost.exe, 0000001F.00000002.436301314.000001F28A240000.00000004.00000001.sdmp String found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
Source: svchost.exe, 0000001F.00000002.436301314.000001F28A240000.00000004.00000001.sdmp String found in binary or memory: published by the PHP Group. No one other than the PHP Group has
Source: svchost.exe, 0000001F.00000002.436301314.000001F28A240000.00000004.00000001.sdmp String found in binary or memory: individuals on behalf of the PHP Group.
Source: svchost.exe, 0000001F.00000002.436301314.000001F28A240000.00000004.00000001.sdmp String found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
Source: svchost.exe, 0000001F.00000002.436301314.000001F28A240000.00000004.00000001.sdmp String found in binary or memory: For more information on the PHP Group and the PHP project,
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F241D NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 1_2_6E1F241D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F2D19 ReadFile,NtQuerySystemInformation,RtlNtStatusToDosError, 1_2_6E1F2D19
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F4904 NtMapViewOfSection,RtlNtStatusToDosError, 1_2_6E1F4904
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F2E32 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_6E1F2E32
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F4943 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose, 1_2_6E1F4943
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F2492 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,ReadFile,ReadFile, 1_2_6E1F2492
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F2D8F NtGetContextThread,NtGetContextThread,RtlNtStatusToDosError, 1_2_6E1F2D8F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F3D87 LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,GetModuleHandleA,memcpy, 1_2_6E1F3D87
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F2286 NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 1_2_6E1F2286
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F2885 memset,memcpy,NtSetContextThread,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 1_2_6E1F2885
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F3ED3 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,FindCloseChangeNotification, 1_2_6E1F3ED3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F1ACC ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,ZwQueryInformationToken,ZwQueryInformationToken,memcpy,ReadFile,ZwClose,ZwClose, 1_2_6E1F1ACC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F2DF1 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_6E1F2DF1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F2C25 memset,ZwQueryInformationProcess, 1_2_6E1F2C25
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F755D NtQueryVirtualMemory, 1_2_6E1F755D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F2E82 GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread, 1_2_6E1F2E82
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F2DB0 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_6E1F2DB0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B602B2 NtProtectVirtualMemory,NtAllocateVirtualMemory,NtProtectVirtualMemory, 1_2_00B602B2
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0059D1CC memset,VirtualProtectEx,ResumeThread,WaitForSingleObject,SuspendThread,NtGetContextThread,RtlNtStatusToDosError,VirtualProtectEx,GetLastError,ResumeThread, 8_2_0059D1CC
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0059724C NtQueryInformationProcess, 8_2_0059724C
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0059CB7C memset,NtCreateSection,memset,RtlNtStatusToDosError,memcpy,memcpy,memcpy,memcpy,memcpy,GetModuleHandleA,memcpy,memcpy,HeapAlloc,memset,HeapFree,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle, 8_2_0059CB7C
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00598BF4 memset,ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,HeapAlloc,ZwQueryInformationToken,HeapFree,ZwClose,ZwClose, 8_2_00598BF4
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00597540 memset,NtGetContextThread,RtlNtStatusToDosError,memcpy,NtSetContextThread,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 8_2_00597540
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0059DDCC NtMapViewOfSection,RtlNtStatusToDosError, 8_2_0059DDCC
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00591688 InitializeCriticalSection,HeapAlloc,memset,InitializeCriticalSection,CreateMutexExA,GetLastError,CloseHandle,HeapAlloc,InitializeCriticalSection,InitializeCriticalSection,GetVersion,GetModuleHandleA,HeapAlloc,GetUserNameA,HeapAlloc,GetUserNameA,memcpy,GetModuleHandleA,GetModuleHandleA,GetSystemTimeAsFileTime,HeapFree,GetModuleHandleA,CreateThread,CloseHandle,GetLastError,GetShellWindow,GetWindowThreadProcessId,ZwQueryInformationProcess,OpenProcess,NtSuspendProcess,RtlNtStatusToDosError,NtResumeProcess,RtlNtStatusToDosError,CloseHandle,GetLastError,ExitProcess,HeapAlloc,CreateThread,CreateEventA,CreateThread,GetLastError,LoadLibraryA,CreateNamedPipeA,CreateThread,GetLastError,CloseHandle,GetLastError,StrChrA,HeapFree,HeapAlloc,wsprintfA,CreateThread, 8_2_00591688
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00597EB8 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 8_2_00597EB8
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00592830 NtUnmapViewOfSection,RtlNtStatusToDosError,HeapFree, 8_2_00592830
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0059C994 HeapAlloc,memset,ZwQueryInformationProcess,HeapFree, 8_2_0059C994
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005972B8 ZwQueryInformationProcess,HeapAlloc,HeapAlloc,StrRChrA,HeapFree,HeapFree, 8_2_005972B8
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00588DCC ZwQueryKey,lstrlenW,HeapAlloc,ZwQueryKey,lstrcpyW,HeapFree,HeapFree, 8_2_00588DCC
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00597DC0 HeapFree,HeapAlloc,NtQuerySystemInformation,RtlNtStatusToDosError, 8_2_00597DC0
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00597E6C NtReadVirtualMemory,NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 8_2_00597E6C
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00597F04 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 8_2_00597F04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F241D NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 19_2_6E1F241D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F2D19 ReadFile,NtQuerySystemInformation,RtlNtStatusToDosError, 19_2_6E1F2D19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F4904 NtMapViewOfSection,RtlNtStatusToDosError, 19_2_6E1F4904
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F2E32 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 19_2_6E1F2E32
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F4943 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose, 19_2_6E1F4943
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F2492 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,ReadFile,ReadFile, 19_2_6E1F2492
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F2D8F NtGetContextThread,NtGetContextThread,RtlNtStatusToDosError, 19_2_6E1F2D8F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F3D87 LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,GetModuleHandleA,memcpy, 19_2_6E1F3D87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F2286 NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 19_2_6E1F2286
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F2885 memset,memcpy,NtSetContextThread,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 19_2_6E1F2885
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F3ED3 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,FindCloseChangeNotification, 19_2_6E1F3ED3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F1ACC ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,ZwQueryInformationToken,ZwQueryInformationToken,memcpy,ReadFile,ZwClose,ZwClose, 19_2_6E1F1ACC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F2DF1 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 19_2_6E1F2DF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F2C25 memset,ZwQueryInformationProcess, 19_2_6E1F2C25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F755D NtQueryVirtualMemory, 19_2_6E1F755D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F2E82 GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread, 19_2_6E1F2E82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F2DB0 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 19_2_6E1F2DB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_049D02B2 NtProtectVirtualMemory,NtAllocateVirtualMemory,NtProtectVirtualMemory, 19_2_049D02B2
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0006D1CC memset,VirtualProtectEx,ResumeThread,WaitForSingleObject,SuspendThread,NtGetContextThread,RtlNtStatusToDosError,VirtualProtectEx,GetLastError,ResumeThread, 31_2_0006D1CC
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0006724C NtQueryInformationProcess, 31_2_0006724C
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0006CB7C memset,NtCreateSection,memset,RtlNtStatusToDosError,memcpy,memcpy,memcpy,memcpy,memcpy,GetModuleHandleA,memcpy,memcpy,HeapAlloc,memset,HeapFree,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle, 31_2_0006CB7C
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00068BF4 memset,ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,HeapAlloc,ZwQueryInformationToken,HeapFree,ZwClose,ZwClose, 31_2_00068BF4
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00067540 memset,NtGetContextThread,RtlNtStatusToDosError,memcpy,NtSetContextThread,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 31_2_00067540
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0006DDCC NtMapViewOfSection,RtlNtStatusToDosError, 31_2_0006DDCC
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00061688 InitializeCriticalSection,HeapAlloc,memset,InitializeCriticalSection,CreateMutexExA,GetLastError,CloseHandle,HeapAlloc,InitializeCriticalSection,InitializeCriticalSection,GetVersion,GetModuleHandleA,HeapAlloc,GetUserNameA,HeapAlloc,GetUserNameA,memcpy,GetModuleHandleA,GetModuleHandleA,GetSystemTimeAsFileTime,HeapFree,GetModuleHandleA,CreateThread,CloseHandle,GetLastError,GetShellWindow,GetWindowThreadProcessId,ZwQueryInformationProcess,OpenProcess,NtSuspendProcess,RtlNtStatusToDosError,NtResumeProcess,RtlNtStatusToDosError,CloseHandle,GetLastError,ExitProcess,HeapAlloc,CreateThread,CreateEventA,CreateThread,GetLastError,LoadLibraryA,CreateNamedPipeA,CreateThread,GetLastError,CloseHandle,GetLastError,StrChrA,HeapFree,HeapAlloc,wsprintfA,CreateThread, 31_2_00061688
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00067EB8 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 31_2_00067EB8
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00062830 NtUnmapViewOfSection,RtlNtStatusToDosError,HeapFree, 31_2_00062830
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0006C994 HeapAlloc,memset,ZwQueryInformationProcess,HeapFree, 31_2_0006C994
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000672B8 ZwQueryInformationProcess,HeapAlloc,HeapAlloc,StrRChrA,HeapFree,HeapFree, 31_2_000672B8
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00067DC0 HeapFree,HeapAlloc,NtQuerySystemInformation,RtlNtStatusToDosError, 31_2_00067DC0
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00058DCC ZwQueryKey,lstrlenW,HeapAlloc,ZwQueryKey,lstrcpyW,HeapFree,HeapFree, 31_2_00058DCC
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00067E6C NtReadVirtualMemory,NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 31_2_00067E6C
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00067F04 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 31_2_00067F04
Contains functionality to launch a process as a different user
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0059D880 CreateProcessAsUserW, 8_2_0059D880
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F733C 1_2_6E1F733C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B602B2 1_2_00B602B2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B60988 1_2_00B60988
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B60BD2 1_2_00B60BD2
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0059CB7C 8_2_0059CB7C
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005813E4 8_2_005813E4
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0059B590 8_2_0059B590
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00591688 8_2_00591688
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005A2070 8_2_005A2070
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0059006C 8_2_0059006C
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0059F018 8_2_0059F018
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00581000 8_2_00581000
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005A4804 8_2_005A4804
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0059A028 8_2_0059A028
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005B18B0 8_2_005B18B0
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005928A0 8_2_005928A0
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00594968 8_2_00594968
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0058B110 8_2_0058B110
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005A39C8 8_2_005A39C8
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005A119C 8_2_005A119C
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005A51A4 8_2_005A51A4
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005A0254 8_2_005A0254
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0058CA00 8_2_0058CA00
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00598234 8_2_00598234
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00593ADC 8_2_00593ADC
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0059B2C4 8_2_0059B2C4
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005A0A8C 8_2_005A0A8C
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00591358 8_2_00591358
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005A2B44 8_2_005A2B44
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00586B0C 8_2_00586B0C
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0059AB28 8_2_0059AB28
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00590B28 8_2_00590B28
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005933AC 8_2_005933AC
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0058347C 8_2_0058347C
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00589C68 8_2_00589C68
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005A4C3C 8_2_005A4C3C
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005A6C28 8_2_005A6C28
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0058F4EC 8_2_0058F4EC
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005B2550 8_2_005B2550
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005AAD78 8_2_005AAD78
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0059C528 8_2_0059C528
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00585D9C 8_2_00585D9C
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0058EE54 8_2_0058EE54
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00595668 8_2_00595668
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0058CE08 8_2_0058CE08
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0058FE3C 8_2_0058FE3C
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0058AE3C 8_2_0058AE3C
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005846D0 8_2_005846D0
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005976C4 8_2_005976C4
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005ACEE0 8_2_005ACEE0
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005A1694 8_2_005A1694
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00594F78 8_2_00594F78
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005A576C 8_2_005A576C
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005A4708 8_2_005A4708
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00583F38 8_2_00583F38
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00581FFC 8_2_00581FFC
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00593FF4 8_2_00593FF4
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005867A0 8_2_005867A0
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0058BFA4 8_2_0058BFA4
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005E3178 8_2_005E3178
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005C79B8 8_2_005C79B8
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005E2257 8_2_005E2257
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005DDCDE 8_2_005DDCDE
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005DE4C8 8_2_005DE4C8
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005D6D52 8_2_005D6D52
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005DED88 8_2_005DED88
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005E2623 8_2_005E2623
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005E8EC8 8_2_005E8EC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F733C 19_2_6E1F733C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_049D02B2 19_2_049D02B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_049D0988 19_2_049D0988
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_049D0BD2 19_2_049D0BD2
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0006CB7C 31_2_0006CB7C
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000513E4 31_2_000513E4
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0006B590 31_2_0006B590
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00061688 31_2_00061688
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00074804 31_2_00074804
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00051000 31_2_00051000
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0006F018 31_2_0006F018
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0006A028 31_2_0006A028
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0006006C 31_2_0006006C
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00072070 31_2_00072070
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000628A0 31_2_000628A0
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000818B0 31_2_000818B0
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0005B110 31_2_0005B110
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00064968 31_2_00064968
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0007119C 31_2_0007119C
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000751A4 31_2_000751A4
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000739C8 31_2_000739C8
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0005CA00 31_2_0005CA00
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00068234 31_2_00068234
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00070254 31_2_00070254
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00070A8C 31_2_00070A8C
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0006B2C4 31_2_0006B2C4
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00063ADC 31_2_00063ADC
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00056B0C 31_2_00056B0C
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0006AB28 31_2_0006AB28
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00060B28 31_2_00060B28
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00072B44 31_2_00072B44
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00061358 31_2_00061358
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000633AC 31_2_000633AC
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00076C28 31_2_00076C28
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00074C3C 31_2_00074C3C
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00059C68 31_2_00059C68
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0005347C 31_2_0005347C
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0005F4EC 31_2_0005F4EC
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0006C528 31_2_0006C528
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00082550 31_2_00082550
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0007AD78 31_2_0007AD78
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00055D9C 31_2_00055D9C
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0005CE08 31_2_0005CE08
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0005FE3C 31_2_0005FE3C
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0005AE3C 31_2_0005AE3C
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0005EE54 31_2_0005EE54
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00065668 31_2_00065668
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00071694 31_2_00071694
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000676C4 31_2_000676C4
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000546D0 31_2_000546D0
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0007CEE0 31_2_0007CEE0
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00074708 31_2_00074708
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00053F38 31_2_00053F38
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0007576C 31_2_0007576C
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00064F78 31_2_00064F78
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0005BFA4 31_2_0005BFA4
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000567A0 31_2_000567A0
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00063FF4 31_2_00063FF4
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00051FFC 31_2_00051FFC
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000B3178 31_2_000B3178
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000979B8 31_2_000979B8
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000B2257 31_2_000B2257
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000AE4C8 31_2_000AE4C8
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000ADCDE 31_2_000ADCDE
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000A6D52 31_2_000A6D52
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000AED88 31_2_000AED88
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000B2623 31_2_000B2623
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000B8EC8 31_2_000B8EC8
Sample file is different than original file name gathered from version info
Source: api-cdef.dll Binary or memory string: OriginalFilenameblurted.exeL vs api-cdef.dll
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: sfc.dll
Yara signature match
Source: 8.2.svchost.exe.580000.0.unpack, type: UNPACKEDPE Matched rule: Ursnif author = kevoreilly & enzo, description = Ursnif Payload, cape_type = Ursnif Payload
Source: 31.2.svchost.exe.50000.0.unpack, type: UNPACKEDPE Matched rule: Ursnif author = kevoreilly & enzo, description = Ursnif Payload, cape_type = Ursnif Payload
Source: api-cdef.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.bank.troj.evad.winDLL@23/136@32/4
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0058EB00 memset,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle, 8_2_0058EB00
Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse
Source: C:\Windows\System32\RuntimeBroker.exe Mutant created: \Sessions\1\BaseNamedObjects\{A3A75382-A668-CD67-C887-3A517CAB0E15}
Source: C:\Windows\System32\RuntimeBroker.exe Mutant created: \Sessions\1\BaseNamedObjects\{ABDA4905-0E30-15F8-700F-2219A4B3765D}
Source: C:\Windows\System32\RuntimeBroker.exe Mutant created: \Sessions\1\BaseNamedObjects\{6324FA7B-663E-8DC2-8847-FA113C6BCED5}
Source: C:\Windows\System32\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\{B79E0BBF-AAEC-01B4-6CDB-7EC5603F92C9}
Source: C:\Windows\System32\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\{AFFA7753-4268-B98A-C453-96FD38372A81}
Source: C:\Windows\System32\RuntimeBroker.exe Mutant created: \Sessions\1\BaseNamedObjects\{9FA1F166-7282-29FF-7443-C66DE8275AF1}
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF9DBA1DFBDE180A82.TMP
Source: api-cdef.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' 'C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.dll',DllRegisterServer
Source: api-cdef.dll Virustotal: Detection: 56%
Source: api-cdef.dll ReversingLabs: Detection: 74%
Source: svchost.exe String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Source: svchost.exe String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\api-cdef.dll'
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\api-cdef.dll
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6040 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' 'C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.dll',DllRegisterServer
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' 'C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.dll',DllRegisterServer
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' 'C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.dll',DllRegisterServer
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' 'C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.dll',DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\api-cdef.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6040 CREDAT:17410 /prefetch:2
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' 'C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.dll',DllRegisterServer
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' 'C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.dll',DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' 'C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.dll',DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' 'C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.dll',DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000009.00000000.306531473.000000000EFC0000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.273552925.0000000004CA0000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000003.414727933.0000000005480000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000003.462444951.0000000004BB0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.273552925.0000000004CA0000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000003.414727933.0000000005480000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000003.462444951.0000000004BB0000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000009.00000000.306531473.000000000EFC0000.00000002.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F150F LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,FindWindowA, 1_2_6E1F150F
Registers a DLL
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\api-cdef.dll
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F732B push ecx; ret 1_2_6E1F733B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B7D8F3 push edi; ret 1_2_00B7D8FA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B7ECF9 push esp; retf 1_2_00B7ED01
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B7CE4F push ecx; iretd 1_2_00B7CE58
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005C6343 push ds; retf 8_2_005C6345
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005EBC8D push eax; retf 8_2_005EBD81
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005E8DF7 push eax; retf 8_2_005E8DF8
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005E8DED pushfd ; retf 8_2_005E8DEE
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005E8E15 push esp; retf 8_2_005E8E16
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005D3E39 push ecx; mov dword ptr [esp], 00000002h 8_2_005D3E3A
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005E8EB7 push ecx; ret 8_2_005E8EC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F732B push ecx; ret 19_2_6E1F733B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_049EECF9 push esp; retf 19_2_049EED01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_049ED8F3 push edi; ret 19_2_049ED8FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_049ECE4F push ecx; iretd 19_2_049ECE58
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00096343 push ds; retf 31_2_00096345
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000BBC8D push eax; retf 31_2_000BBD81
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000B8DED pushfd ; retf 31_2_000B8DEE
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000B8DF7 push eax; retf 31_2_000B8DF8
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000B8E15 push esp; retf 31_2_000B8E16
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000A3E39 push ecx; mov dword ptr [esp], 00000002h 31_2_000A3E3A
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000B8EB7 push ecx; ret 31_2_000B8EC7
Source: initial sample Static PE information: section name: .text entropy: 6.81598106335

Boot Survival:

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Windows\SysWOW64\regsvr32.exe Window found: window name: ProgMan
Source: C:\Windows\SysWOW64\rundll32.exe Window found: window name: ProgMan
Source: C:\Windows\SysWOW64\regsvr32.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AppVilot

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000008.00000002.324561942.00000000005C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.434070223.0000000000090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6760, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5264, type: MEMORY
Stores large binary data to the registry
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\6733C9B4-9A99-311C-DC8B-6EF5D0EF82F9 Temp
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect virtual machines
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: vbox qemu qemu vmware 1_2_6E1F1000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: vbox qemu qemu vmware 19_2_6E1F1000
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F52C0 rdtsc 1_2_6E1F52C0
Contains functionality to read device registry values (via SetupAPI)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F1000 SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,SetupDiGetDeviceRegistryPropertyA,SetupDiGetDeviceRegistryPropertyA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,ReadFile,SetupDiDestroyDeviceInfoList, 1_2_6E1F1000
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Windows\System32\svchost.exe API coverage: 4.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6824 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\RuntimeBroker.exe TID: 1760 Thread sleep count: 168 > 30
Source: C:\Windows\System32\RuntimeBroker.exe TID: 6456 Thread sleep count: 172 > 30
Source: C:\Windows\System32\RuntimeBroker.exe TID: 6436 Thread sleep count: 182 > 30
Source: C:\Windows\System32\RuntimeBroker.exe TID: 380 Thread sleep count: 187 > 30
Source: C:\Windows\System32\svchost.exe TID: 2588 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F2FCE HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_6E1F2FCE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F5E30 VirtualAlloc,SHGetFolderPathW,wcslen,memset,memcpy,memcpy,AddFontResourceExW,RemoveFontResourceExW,memset,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,AddFontResourceExW,RemoveFontResourceExW,DefWindowProcW,RegisterClassExW,memset,CreateWindowExW,DestroyWindow,SetParent,SetWindowLongW,GetWindowLongW,SetWindowLongW,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,AddFontResourceExW,EnterCriticalSection,GetWindowLongW,SetMenu, 1_2_6E1F5E30
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005B18B0 VirtualAlloc,wcslen,memset,memcpy,memcpy,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,memset,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,EnterCriticalSection, 8_2_005B18B0
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00598234 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose, 8_2_00598234
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00595ABC lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree, 8_2_00595ABC
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00595668 HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree, 8_2_00595668
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F2FCE HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 19_2_6E1F2FCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_6E1F5E30 VirtualAlloc,SHGetFolderPathW,wcslen,memset,memcpy,memcpy,AddFontResourceExW,RemoveFontResourceExW,memset,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,AddFontResourceExW,RemoveFontResourceExW,DefWindowProcW,RegisterClassExW,memset,CreateWindowExW,DestroyWindow,SetParent,SetWindowLongW,GetWindowLongW,SetWindowLongW,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,AddFontResourceExW,EnterCriticalSection,GetWindowLongW,SetMenu, 19_2_6E1F5E30
Source: C:\Windows\System32\svchost.exe Code function: 31_2_000818B0 VirtualAlloc,wcslen,memset,memcpy,memcpy,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,memset,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,EnterCriticalSection, 31_2_000818B0
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00068234 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose, 31_2_00068234
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00065ABC lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree, 31_2_00065ABC
Source: C:\Windows\System32\svchost.exe Code function: 31_2_00065668 HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree, 31_2_00065668
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0058932C wcscpy,GetLogicalDriveStringsW,HeapAlloc,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,HeapFree,HeapFree, 8_2_0058932C
Source: svchost.exe, 00000008.00000002.325417847.000002D90367D000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124@%SystemRoot%\system32\dnsapi.dll,-103@%SystemRoot%\system32\NgcRecovery.dll,-1000a
Source: explorer.exe, 00000009.00000000.298659445.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000009.00000000.298659445.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: svchost.exe, 0000001F.00000002.436738708.000001F28A27B000.00000004.00000001.sdmp Binary or memory string: nonic4Ethernet (Kernel Debugger)Hyper-V RAW
Source: regsvr32.exe, rundll32.exe Binary or memory string: virtual hd
Source: explorer.exe, 00000009.00000000.296920849.0000000008220000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001B.00000000.355714509.0000026BA2C00000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000009.00000000.297989167.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: rundll32.exe Binary or memory string: vmware
Source: RuntimeBroker.exe, 0000001B.00000000.351463240.0000026BA063F000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RuntimeBroker.exe, 00000019.00000000.341214187.000001B06485B000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}2-0
Source: RuntimeBroker.exe, 00000019.00000003.442116260.000001B0648AA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWMSAFD Irda [IrDA]
Source: svchost.exe, 00000008.00000002.325394161.000002D903674000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001B.00000003.422644782.0000026BA06A7000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.436701368.000001F28A276000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000009.00000000.291754769.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000009.00000000.298659445.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000009.00000000.298659445.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000009.00000000.291803249.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: rundll32.exe, 00000013.00000002.433601274.000000006E1F1000.00000040.00020000.sdmp Binary or memory string: 64RtlSetUnhandledExceptionFilterSystemRoot%08X-%04X-%04X-%04X-%08X%04X{%08X-%04X-%04X-%04X-%08X%04X}ADVAPI32.DLL*.*LdrGetProcedureAddressRtlExitUserThreadCreateRemoteThreadZwWriteVirtualMemoryLdrLoadDllZwProtectVirtualMemorykernelbaseLdrRegisterDllNotificationLdrUnregisterDllNotification\.exe%TEMP%\LowCreateProcessACreateProcessWCreateProcessAsUserACreateProcessAsUserWvboxqemurunascmd.exe/C "copy "%s" "%s" /y && rundll32 "%s",%S"/C "copy "%s" "%s" /y && "%s" "%s""Low\vmwarevirtual hdc:\321.txt"%S" "%S"ProgManversion=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%sMicrosoftIsWow64ProcessWow64EnableWow64FsRedirectionD:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)
Source: explorer.exe, 00000009.00000000.296920849.0000000008220000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001B.00000000.355714509.0000026BA2C00000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000009.00000000.296920849.0000000008220000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001B.00000000.355714509.0000026BA2C00000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000008.00000002.325064412.000002D903613000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001B.00000003.456776535.0000026BA29F6000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.435947149.000001F28A213000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@
Source: RuntimeBroker.exe, 0000001B.00000003.456704820.0000026BA2881000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW:\x1
Source: explorer.exe, 00000009.00000000.296920849.0000000008220000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001B.00000000.355714509.0000026BA2C00000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F52C0 rdtsc 1_2_6E1F52C0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F3D87 LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,GetModuleHandleA,memcpy, 1_2_6E1F3D87
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F150F LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,FindWindowA, 1_2_6E1F150F

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\System32\svchost.exe base: 640000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: D870000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1FC13560000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 177641C0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B0661E0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27B353F0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 26BA2700000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1FC135C0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 17765D90000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B066B70000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27B36F80000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 26BA2FC0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\svchost.exe base: 110000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\SysWOW64\regsvr32.exe Memory protected: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 77E54690 protect: page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory protected: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 77E54690 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\SysWOW64\rundll32.exe Memory protected: unknown base: 77E54690 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory protected: unknown base: 77E54690 protect: page execute read
Creates a thread in another existing process (thread injection)
Source: C:\Windows\SysWOW64\regsvr32.exe Thread created: C:\Program Files (x86)\Internet Explorer\iexplore.exe EIP: 77E54690
Source: C:\Windows\System32\svchost.exe Thread created: C:\Windows\explorer.exe EIP: 736E1580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 736E1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 736E1580
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: unknown EIP: 77E54690
Source: C:\Windows\System32\svchost.exe Thread created: unknown EIP: 736E1580
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\svchost.exe Memory written: PID: 3388 base: 7FFB736E1580 value: EB
Source: C:\Windows\System32\svchost.exe Memory written: PID: 3388 base: 32C0000 value: 80
Source: C:\Windows\System32\svchost.exe Memory written: PID: 3388 base: 7FFB736E1580 value: 40
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Program Files (x86)\Internet Explorer\iexplore.exe protection: execute and read and write
Source: C:\Windows\System32\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Program Files\internet explorer\iexplore.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Program Files (x86)\Internet Explorer\iexplore.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\regsvr32.exe Thread register set: target process: 6760
Source: C:\Windows\System32\svchost.exe Thread register set: target process: 3388
Source: C:\Windows\explorer.exe Thread register set: target process: 3668
Source: C:\Windows\explorer.exe Thread register set: target process: 4376
Source: C:\Windows\explorer.exe Thread register set: target process: 4588
Source: C:\Windows\explorer.exe Thread register set: target process: 4652
Source: C:\Windows\explorer.exe Thread register set: target process: 5972
Source: C:\Windows\explorer.exe Thread register set: target process: 6040
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 5264
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF7488E4380 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\svchost.exe base: 640000 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF7488E4380 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 77E54690 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: D870000 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 77E54690 Jump to behavior
Source: C:\Windows\System32\svchost.exe Memory written: C:\Windows\explorer.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\System32\svchost.exe Memory written: C:\Windows\explorer.exe base: 32C0000 Jump to behavior
Source: C:\Windows\System32\svchost.exe Memory written: C:\Windows\explorer.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FC13560000 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 177641C0000 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B0661E0000 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27B353F0000 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26BA2700000 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FC135C0000 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 17765D90000 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B066B70000 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27B36F80000 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26BA2FC0000 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF7488E4380 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 110000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF7488E4380 Jump to behavior
Contains functionality to launch a program with higher privileges
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F1DDB memset,CoInitializeEx,PathFindExtensionW,lstrcpyW,lstrlenW,lstrlenW,lstrlenW,lstrlenA,lstrcpyW,lstrlenW,lstrlenW,lstrlenW,wsprintfW,ReadFile,ShellExecuteExW,ReadFile,CoUninitialize, 1_2_6E1F1DDB
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: explorer.exe, 00000009.00000000.281738316.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000009.00000000.282194369.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000016.00000000.328165200.000001FC11790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000017.00000000.337973154.0000017764860000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.341378723.000001B064D90000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001A.00000000.347882546.0000027B35A60000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001B.00000000.351845529.0000026BA0B90000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000009.00000000.282194369.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000016.00000000.328165200.000001FC11790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000017.00000000.337973154.0000017764860000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.341378723.000001B064D90000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001A.00000000.347882546.0000027B35A60000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001B.00000000.351845529.0000026BA0B90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, rundll32.exe Binary or memory string: ProgMan
Source: explorer.exe, 00000009.00000000.282194369.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000016.00000000.328165200.000001FC11790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000017.00000000.337973154.0000017764860000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.341378723.000001B064D90000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001A.00000000.347882546.0000027B35A60000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001B.00000000.351845529.0000026BA0B90000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.282194369.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000016.00000000.328165200.000001FC11790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000017.00000000.337973154.0000017764860000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.341378723.000001B064D90000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001A.00000000.347882546.0000027B35A60000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001B.00000000.351845529.0000026BA0B90000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: regsvr32.exe, 00000001.00000002.281094427.000000006E1F1000.00000040.00020000.sdmp, rundll32.exe, 00000013.00000002.433601274.000000006E1F1000.00000040.00020000.sdmp Binary or memory string: 64RtlSetUnhandledExceptionFilterSystemRoot%08X-%04X-%04X-%04X-%08X%04X{%08X-%04X-%04X-%04X-%08X%04X}ADVAPI32.DLL*.*LdrGetProcedureAddressRtlExitUserThreadCreateRemoteThreadZwWriteVirtualMemoryLdrLoadDllZwProtectVirtualMemorykernelbaseLdrRegisterDllNotificationLdrUnregisterDllNotification\.exe%TEMP%\LowCreateProcessACreateProcessWCreateProcessAsUserACreateProcessAsUserWvboxqemurunascmd.exe/C "copy "%s" "%s" /y && rundll32 "%s",%S"/C "copy "%s" "%s" /y && "%s" "%s""Low\vmwarevirtual hdc:\321.txt"%S" "%S"ProgManversion=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%sMicrosoftIsWow64ProcessWow64EnableWow64FsRedirectionD:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)
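The three signatures above (a process created in suspended mode, memory written into a foreign process, and a thread context rewritten in that process) are the classic create/write/set-context injection triad, and the "Memory written" entries form a chain rather than a set of independent events: regsvr32.exe writes into the svchost.exe it created, that svchost.exe writes into explorer.exe, and explorer.exe then writes into RuntimeBroker.exe and iexplore.exe. The following triage script is an added example written for this page, not Joe Sandbox code: it parses a handful of the report's own behaviour lines (copied verbatim above as constructed input), rebuilds the injection chain, flags the create/write/set-context triad per injector, and groups write addresses that recur across victims. The address-range threshold and the interpretation of recurring high addresses (64-bit Windows gives each system DLL one randomised base per boot that all processes share, so the same high address in several victims points at the same DLL function being patched) are the editor's heuristics, not sandbox fields.

```python
"""Triage helper for Joe Sandbox-style behaviour lines (added example, not
part of the report). Input lines are copied from the report above; the
parsing, the injection-chain walk and the address heuristics are the
editor's own and are not Joe Sandbox functionality."""
import re
from collections import defaultdict

# Constructed input: a subset of the report's own behaviour lines.
REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF7488E4380 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\svchost.exe base: 640000 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Thread register set: target process: 6760 Jump to behavior
Source: C:\Windows\System32\svchost.exe Memory written: C:\Windows\explorer.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\System32\svchost.exe Memory written: C:\Windows\explorer.exe base: 32C0000 Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FC13560000 Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Program Files\internet explorer\iexplore.exe protection: execute and read and write Jump to behavior
"""

EVENT_RE = re.compile(
    r"^Source: (?P<src>.+?\.exe) "
    r"(?P<event>Memory written|Section loaded|Thread register set|Process created): "
    r"(?P<rest>.*?)(?: Jump to behavior)?$"
)

# Heuristic (editor's assumption): 64-bit images (EXEs and system DLLs) are
# mapped above this address; writes below it land in freshly allocated memory.
HIGH_IMAGE_RANGE = 0x7FF000000000

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_line(line):
    """Return {'src','event','target','base'} for a report line, or None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    src, event, rest = m.group("src"), m.group("event"), m.group("rest")
    target, base = None, None
    if event == "Memory written":
        path, _, hexbase = rest.partition(" base: ")
        target, base = basename(path), int(hexbase, 16)
    elif event == "Section loaded":
        path = rest.split("target: ", 1)[1].split(" protection: ", 1)[0]
        target = basename(path)
    elif event == "Process created":
        # the image path ends at the first ".exe"; the remainder is the command line
        target = basename(rest.split(".exe", 1)[0] + ".exe")
    else:  # "Thread register set" only names the victim PID, not its image
        target = "pid:" + rest.rsplit(" ", 1)[-1]
    return {"src": basename(src), "event": event, "target": target, "base": base}

def events(lines):
    return [ev for ev in map(parse_line, lines.splitlines()) if ev]

def injection_graph(lines):
    """Directed graph injector -> {victims} from cross-process writes and maps."""
    graph = defaultdict(set)
    for ev in events(lines):
        if ev["event"] in ("Memory written", "Section loaded") and ev["target"] != ev["src"]:
            graph[ev["src"]].add(ev["target"])
    return graph

def injection_chains(graph, root):
    """Every root -> ... -> leaf path; each hop is one process writing into the next."""
    chains = []
    def walk(node, path):
        nxt = graph.get(node, set()) - set(path)  # guard against cycles
        if not nxt:
            chains.append(path)
            return
        for child in sorted(nxt):
            walk(child, path + [child])
    walk(root, [root])
    return chains

def hollowing_candidates(lines):
    """(injector, victim) pairs showing the create + write + set-context triad.
    The PID in 'Thread register set' is not resolved to an image name here, so
    the context write is only required to come from the same injector."""
    created, written, ctx = defaultdict(set), defaultdict(set), set()
    for ev in events(lines):
        if ev["event"] == "Process created":
            created[ev["src"]].add(ev["target"])
        elif ev["event"] == "Memory written":
            written[ev["src"]].add(ev["target"])
        elif ev["event"] == "Thread register set":
            ctx.add(ev["src"])
    return sorted((s, t) for s in ctx for t in created[s] & written[s])

def classify_base(base):
    """Heuristic label for where a write landed in the victim's address space."""
    return "image-range (existing code patched)" if base >= HIGH_IMAGE_RANGE \
        else "outside image range (fresh allocation, likely payload)"

def shared_write_addresses(lines):
    """Addresses written into more than one victim. Assumption: a system DLL
    shares one per-boot base across processes, so a recurring high address is
    the same DLL function being patched in each victim."""
    victims = defaultdict(set)
    for ev in events(lines):
        if ev["event"] == "Memory written":
            victims[ev["base"]].add(ev["target"])
    return {hex(b): sorted(v) for b, v in victims.items() if len(v) > 1}

if __name__ == "__main__":
    g = injection_graph(REPORT_LINES)
    for chain in injection_chains(g, "regsvr32.exe"):
        print(" -> ".join(chain))
    print("create/write/set-context:", hollowing_candidates(REPORT_LINES))
    for addr, procs in shared_write_addresses(REPORT_LINES).items():
        print(addr, classify_base(int(addr, 16)), "in", ", ".join(procs))
```

Run against the full "Writes to foreign memory regions" list rather than the excerpt and the same structure appears: 7FF7488E4380 is written by both regsvr32.exe and rundll32.exe into svchost.exe (inside svchost's own image, by the heuristic), 7FFB736E1580 is written into explorer.exe and every RuntimeBroker.exe instance, and each victim also receives exactly one low-address write, consistent with one payload region per victim plus one patched entry point.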

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\svchost.exe Code function: 8_2_005D88BA cpuid 8_2_005D88BA
Queries device information via Setup API
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F1000 SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,SetupDiGetDeviceRegistryPropertyA,SetupDiGetDeviceRegistryPropertyA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,ReadFile,SetupDiDestroyDeviceInfoList, 1_2_6E1F1000
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\RuntimeBroker.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\RuntimeBroker.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00591688 InitializeCriticalSection,HeapAlloc,memset,InitializeCriticalSection,CreateMutexExA,GetLastError,CloseHandle,HeapAlloc,InitializeCriticalSection,InitializeCriticalSection,GetVersion,GetModuleHandleA,HeapAlloc,GetUserNameA,HeapAlloc,GetUserNameA,memcpy,GetModuleHandleA,GetModuleHandleA,GetSystemTimeAsFileTime,HeapFree,GetModuleHandleA,CreateThread,CloseHandle,GetLastError,GetShellWindow,GetWindowThreadProcessId,ZwQueryInformationProcess,OpenProcess,NtSuspendProcess,RtlNtStatusToDosError,NtResumeProcess,RtlNtStatusToDosError,CloseHandle,GetLastError,ExitProcess,HeapAlloc,CreateThread,CreateEventA,CreateThread,GetLastError,LoadLibraryA,CreateNamedPipeA,CreateThread,GetLastError,CloseHandle,GetLastError,StrChrA,HeapFree,HeapAlloc,wsprintfA,CreateThread, 8_2_00591688
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_6E1F1A53 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_6E1F1A53

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000008.00000002.324561942.00000000005C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.434070223.0000000000090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6760, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5264, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000008.00000002.324561942.00000000005C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.434070223.0000000000090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6760, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5264, type: MEMORY
Behavior Graph ID: 322815  Sample: api-cdef.dll  Start date: 25/11/2020  Architecture: WINDOWS  Score: 100

Process tree reconstructed from the behavior graph (node numbers are the graph's own; the bracketed numbers next to a process are the graph's per-process counts of created registry values and created files, in the order the graph shows them):

Start (node 2)
  Domains: ardshinbank.at, www.php.net, www-php-net.ax4z.com
  Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 5 other signatures
  +-- loaddll32.exe [1] (node 12), started
        +-- regsvr32.exe [2, 3] (node 14), started
        |     Signatures: Detected Gozi e-Banking trojan; Changes memory attributes in foreign processes to executable or writable; Contain functionality to detect virtual machines; 6 other signatures
        |     +-- svchost.exe [1] (node 19), started
        |           Network: www-php-net.ax4z.com 185.85.0.29 (ports 443, 49763, 49764), SOPRADO-ANYDE, Germany; www.php.net
        |           Signatures: Detected Gozi e-Banking trojan; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 3 other signatures
        |           +-- explorer.exe [3, 1] (node 25), injected
        |                 Domains: ardshinbank.at, www.php.net, www-php-net.ax4z.com
        |                 Signatures: Changes memory attributes in foreign processes to executable or writable; Writes to foreign memory regions; Allocates memory in foreign processes; 4 other signatures
        |                 +-- rundll32.exe (node 31), started
        |                 |     +-- rundll32.exe [2] (node 40), started
        |                 |           Signatures: Detected Gozi e-Banking trojan; Changes memory attributes in foreign processes to executable or writable; Contain functionality to detect virtual machines; 5 other signatures
        |                 |           +-- svchost.exe (node 45), started
        |                 |                 Domains: www.php.net, www-php-net.ax4z.com
        |                 |                 Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)
        |                 +-- rundll32.exe (node 33), started
        |                 |     +-- rundll32.exe (node 43), started
        |                 |           Signatures: Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
        |                 |           +-- svchost.exe (node 49), started
        |                 +-- RuntimeBroker.exe (node 35), injected
        |                 |     Domains: www.php.net, www-php-net.ax4z.com
        |                 +-- 5 other processes (node 38)
        |                       Domains: www.php.net (twice); 6 other IPs or domains
        +-- cmd.exe [1] (node 17), started
              +-- iexplore.exe [2, 85] (node 23), started
                    Domains: www.php.net
                    +-- iexplore.exe [7, 163] (node 29), started
                          Network: img.img-taboola.com; edge.gycpi.b.yahoodns.net 87.248.118.23 (ports 443, 49749, 49750), YAHOO-DEBDE, United Kingdom; 12 other IPs or domains

Contacted Public IPs

IP             Domain   Country         ASN     ASN Name       Malicious
185.85.0.29    unknown  Germany         20546   SOPRADO-ANYDE  false
87.248.118.23  unknown  United Kingdom  203220  YAHOO-DEBDE    false
151.101.1.44   unknown  United States   54113   FASTLYUS       false

Private

IP
192.168.2.1

Contacted Domains

Name                            IP             Active
contextual.media.net            92.122.146.68  true
tls13.taboola.map.fastly.net    151.101.1.44   true
www-php-net.ax4z.com            185.85.0.29    true
hblg.media.net                  92.122.146.68  true
lg3.media.net                   92.122.146.68  true
edge.gycpi.b.yahoodns.net       87.248.118.23  true
s.yimg.com                      unknown        unknown
web.vortex.data.msn.com         unknown        unknown
www.msn.com                     unknown        unknown
srtb.msn.com                    unknown        unknown
img.img-taboola.com             unknown        unknown
www.php.net                     unknown        unknown
cvision.media.net               unknown        unknown
ardshinbank.at                  unknown        unknown