Analysis Report waf3.dll

AV Detection:

Yara detected IcedID

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.200583737.0000000000E53000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.200791539.00000239B663F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1720, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1492, type: MEMORY

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 143.204.3.74:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 143.204.3.74:443 -> 192.168.2.3:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.3:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.3:49731 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: waf3.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Networking:

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: __gads=3546066851:1:3774:119; _gat=10.0.17134.64; _ga=1.329303.0.5; _u=393635353433:686172647A; __io=0; _gid=67AFED4C8997Host: serpedfiler.uno
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: __gads=3546066851:1:3774:119; _gat=10.0.17134.64; _ga=1.329303.0.5; _u=393635353433:686172647A; __io=0; _gid=67AFED4C8997Host: serpedfiler.uno

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.20.184.68 104.20.184.68
Source: Joe Sandbox View	IP Address: 87.248.118.22 87.248.118.22
Source: Joe Sandbox View	IP Address: 87.248.118.22 87.248.118.22

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: LDCOMNETFR LDCOMNETFR

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View	JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: __gads=3546066851:1:3774:119; _gat=10.0.17134.64; _ga=1.329303.0.5; _u=393635353433:686172647A; __io=0; _gid=67AFED4C8997Host: serpedfiler.uno
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: __gads=3546066851:1:3774:119; _gat=10.0.17134.64; _ga=1.329303.0.5; _u=393635353433:686172647A; __io=0; _gid=67AFED4C8997Host: serpedfiler.uno

Found strings which match to known social media urls

Source: de-ch[1].htm.6.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-none-v-margin lb-txt" style="padding-right:5px;" href="https://www.facebook.com/amazonwebservices" target="_blank" rel="noopener" title="Facebook"> <i class="icon-facebook"></i></a> equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-txt" style="padding-right:5px;" href="https://www.youtube.com/user/AmazonWebServices/Cloud/" target="_blank" rel="noopener" title="YouTube"> <i class="icon-youtube"></i></a> equals www.youtube.com (Youtube)
Source: msapplication.xml0.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xc1be4b25,0x01d715b4</date><accdate>0xc1be4b25,0x01d715b4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xc1be4b25,0x01d715b4</date><accdate>0xc1be4b25,0x01d715b4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xc1c30fdc,0x01d715b4</date><accdate>0xc1c30fdc,0x01d715b4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xc1c30fdc,0x01d715b4</date><accdate>0xc1c30fdc,0x01d715b4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xc1c57241,0x01d715b4</date><accdate>0xc1c57241,0x01d715b4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xc1c57241,0x01d715b4</date><accdate>0xc1c57241,0x01d715b4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.6.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.6.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: aws.amazon.com

Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 10 Mar 2021 04:52:59 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 30 64 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 73 65 72 70 65 64 66 69 6c 65 72 2e 75 6e 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 10d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at serpedfiler.uno Port 80</address></body></html>0

Urls found in memory or binary data

Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201096903.0000000002C90000.00000004.00000001.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201096903.0000000002C90000.00000004.00000001.sdmp	String found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201096903.0000000002C90000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sca1b.amazontrust.com/sca1b.crl0
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201096903.0000000002C90000.00000004.00000001.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201096903.0000000002C90000.00000004.00000001.sdmp	String found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201096903.0000000002C90000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sca1b.amazontrust.com/sca1b.crt0
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201096903.0000000002C90000.00000004.00000001.sdmp	String found in binary or memory: http://o.ss2.us/0
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201096903.0000000002C90000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201096903.0000000002C90000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.rootg2.amazontrust.com08
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201096903.0000000002C90000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sca1b.amazontrust.com06
Source: de-ch[1].htm.6.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.6.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: auction[1].htm.6.dr	String found in binary or memory: http://popup.taboola.com/german
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201096903.0000000002C90000.00000004.00000001.sdmp	String found in binary or memory: http://s.ss2.us/r.crl0
Source: {EB3E65B9-81A7-11EB-90E4-ECF4BB862DED}.dat.5.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: regsvr32.exe, 00000002.00000002.200583737.0000000000E53000.00000004.00000020.sdmp	String found in binary or memory: http://serpedfiler.uno/
Source: regsvr32.exe, 00000002.00000002.200583737.0000000000E53000.00000004.00000020.sdmp	String found in binary or memory: http://serpedfiler.uno/-
Source: regsvr32.exe, 00000002.00000002.200558328.0000000000E0C000.00000004.00000020.sdmp	String found in binary or memory: http://serpedfiler.uno/I
Source: regsvr32.exe, 00000002.00000002.200583737.0000000000E53000.00000004.00000020.sdmp	String found in binary or memory: http://serpedfiler.uno:80/j
Source: msapplication.xml.5.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.5.dr	String found in binary or memory: http://www.google.com/
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.5.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.5.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.5.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.5.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.5.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.5.dr	String found in binary or memory: http://www.youtube.com/
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201096903.0000000002C90000.00000004.00000001.sdmp	String found in binary or memory: http://x.ss2.us/x.cer0&
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/aws-blog/1.0.34/js
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/da/js/1.0.47/aws-da.js
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/g11n-lib/2.0.65
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.374
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.374/style-awsm.css
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/gi-map/AWS_Global-Infrastructure-Map.svg
Source: rundll32.exe, 00000001.00000003.198869746.00000239B663F000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logo
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_179x109.png
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/fav/favicon.ico
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.png
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-iphone-114-smile.png
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-search/1.0.13/js
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.376/directories
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.376/libra-cardsui
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.376/libra-head.js
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.376/librastandardlib
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/plc/js/1.0.108/plc
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/pricing-calculator/js/1.0.2
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/pricing-savings-plan/js/1.0.6
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/psf/null
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/s_code/js/3.0/awshome_s_code.js
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/target/1.0.112/aws-target-mediator.js
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.200583737.0000000000E53000.00000004.00000020.sdmp	String found in binary or memory: https://amazon.com/
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://amazonwebservicesinc.tt.omtrdc.net
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.6.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/?nc1=h_ls
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/?nc2=h_lg
Source: rundll32.exe, 00000001.00000002.202000977.00000239B65CB000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/N
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ar/
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ar/?nc1=h_ls
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/cn/
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/cn/?nc1=h_ls
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/de/
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/de/?nc1=h_ls
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/es/
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/es/?nc1=h_ls
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/fr/
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/fr/?nc1=h_ls
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/id/
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/id/?nc1=h_ls
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/it/
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/it/?nc1=h_ls
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/jp/
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/jp/?nc1=h_ls
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ko/
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ko/?nc1=h_ls
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_mo
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_ql_mp
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.200625359.0000000000EC0000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/marketplace?aws=hp
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/podcasts/aws
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/podcasts/aws-podcast/
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/privacy/?nc1=f_pr
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/pt/
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/pt/?nc1=h_ls
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ru/
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ru/?nc1=h_ls
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/search
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/search/
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/search/?searchQuery=
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/terms/?nc1=f_pr
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/th/
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/th/?nc1=f_ls
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tr/
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tr/?nc1=h_ls
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tw/
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tw/?nc1=h_ls
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/vi/
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/vi/?nc1=f_ls
Source: regsvr32.exe, 00000002.00000002.200533310.0000000000DDB000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/y
Source: auction[1].htm.6.dr	String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&es=.MQSwiAGIS_2BI62QHhGYcKzP4lJRlspEiaxnOpojh6sFLHr
Source: auction[1].htm.6.dr	String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&es=cBUnFNUGIS.JmTaELzOZiWIaWetizJ7AdiQuh_MnWJN4vtDQ
Source: auction[1].htm.6.dr	String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&es=ro1zXTIGIS98jMTgNL0AdBt.YyQzJRbbXzvmU7aRryiBkDW9
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: auction[1].htm.6.dr	String found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html"
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/?nc2=h_m_mc
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/billing/home?nc2=h_m_bc
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/console/home
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/console/home?nc1=f_ct&src=footer-signin-mobile
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credential
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/support/home/?nc1=f_dr
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/support/home/?nc2=h_ql_cu
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/support/home?nc2=h_ql_cu
Source: {EB3E65B9-81A7-11EB-90E4-ECF4BB862DED}.dat.5.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: {EB3E65B9-81A7-11EB-90E4-ECF4BB862DED}.dat.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {EB3E65B9-81A7-11EB-90E4-ECF4BB862DED}.dat.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://d1.awsstatic.com
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=3038&fmt=gif
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://devices.amazonaws.com?hp=tile&so-exp=below
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://docs.aws.amazon.com/index.html?nc2=h_ql_doc
Source: rundll32.exe, 00000001.00000003.198832216.00000239B839E000.00000004.00000001.sdmp	String found in binary or memory: https://fls-na.amazon.com/1/action-impressions/1/OE
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser
Source: auction[1].htm.6.dr	String found in binary or memory: https://fra1-ib.adnxs.com/click?ykuU8Za6yT_KS5TxlrrJPwAAAOCjcPk_ykuU8Za6yT_KS5TxlrrJP5Ofq6Gpxj0A87V1
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://i.geistm.com/l/HFCH_DTS_LP?bcid=602422ab6ae9074ae28c1cce&bhid=5f624df5866933554eb1ec8a&a
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://i18n-string.us-west-2.prod.pricing.aws.a2z.com
Source: auction[1].htm.6.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: auction[1].htm.6.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: auction[1].htm.6.dr	String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&es=E_D1RrgGIS9fu4OJCzdUwrhDNz49oTkDUw0t7p311ASr
Source: auction[1].htm.6.dr	String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&es=UM9D09QGIS88AQ22519yHeWlPoND7n97spQ2F_f64xN3
Source: auction[1].htm.6.dr	String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&es=Vy6grtoGIS.OwGK86KrudibZtSvLjDkOa4wJDakemIi1
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg"
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1615351980&rver
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1615351980&rver=7.0.6730.0&am
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1615351981&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1615351980&rver=7.0.6730.0&w
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://outlook.com/
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/AmazonECSAnywherePreview.html?hp=tile&so-exp=below
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/communication-preferences?trk=homepage
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/fico-case-study.html?hp=tile&story=fico
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/pi-week-2021.html?sc_icampaign=Event_m3y20_psc_core-infra_storage_aws-pi-
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/zillow-case-study?hp=tile&story=zllw
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://phd.aws.amazon.com/?nc2=h_m_sc
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: auction[1].htm.6.dr	String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default&sc_icampaign=
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&src=default
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&src=default
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/manageYourAccount?nc2=h_m_ma
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://press.aboutamazon.com/press-releases/aws
Source: {EB3E65B9-81A7-11EB-90E4-ECF4BB862DED}.dat.5.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862
Source: auction[1].htm.6.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/9P.Ct.9zhth2jrAA.dI0Vg--~A/Zmk9ZmlsbDt3PTIwNztoPTI0MTthcHBpZD1nZW1
Source: auction[1].htm.6.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/CPerTze7Hjn9EnFhutjSNw--~A/Zmk9ZmlsbDt3PTIwNztoPTI0MTthcHBpZD1nZW1
Source: auction[1].htm.6.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/rE0FnLuyP8tx_n4ki4fI3A--~A/Zmk9ZmlsbDt3PTIwNztoPTI0MTthcHBpZD1nZW1
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://s0.awsstatic.com
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/desktop/index.html
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.html
Source: auction[1].htm.6.dr	String found in binary or memory: https://s1.adform.net/Banners/Elements/Files/2066586/9327884.jpg?bv=1
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: auction[1].htm.6.dr	String found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=d9c1e375a86041409ce5a8a60fc8135a&r=infopane&i=2&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1epFhY.img?h=368&amp
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://twitter.com/
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/awscloud
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://www.amazon.jobs/aws
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: {EB3E65B9-81A7-11EB-90E4-ECF4BB862DED}.dat.5.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/3400-stellen-sind-weg-eine-war-die-von-salvatore-tramontana/ar-
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/die-l%c3%b6sung-selber-machen/ar-BB1eplko?ocid=hplocalnews
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/filippo-leutenegger-will-nochmals-f%c3%bcr-den-z%c3%bcrcher-sta
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/filippo-leutenegger-will-weitere-vier-jahre-stadtrat-bleiben/ar
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/ich-werde-mit-e-mails-%c3%bcberh%c3%a4uft-und-auch-bedroht-wie-
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/interview-die-home-office-pflicht-schadet-der-wirtschaft-enorm-
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/sbb-kippen-umstrittenen-gestaltungsplan-talevo/ar-BB1epgKQ?ocid
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/silvia-steiner-lockert-corona-massnahmen-an-den-z%c3%bcrcher-sc
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/tempo-30-zonen-und-die-pandemie-setzen-dem-z%c3%bcrcher-verkehr
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/untersuchungen-des-z%c3%bcrcher-unispitals-entlasten-den-herzch
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.skype.com/
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.skype.com/de
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl
Source: 85-0f8009-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://www.twitch.tv/aws
Source: auction[1].htm.6.dr	String found in binary or memory: https://www.xandr.com/privacy/platform-privacy-policy
Source: rundll32.exe, 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/user/AmazonWebServices/Cloud/

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 143.204.3.74:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 143.204.3.74:443 -> 192.168.2.3:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.3:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.3:49731 version: TLS 1.2

E-Banking Fraud:

Yara detected IcedID

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.200583737.0000000000E53000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.200791539.00000239B663F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1720, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1492, type: MEMORY

System Summary:

Contains functionality to call native functions

Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00000239B7FD13B8 NtQuerySystemInformation,RtlDeleteBoundaryDescriptor,		1_2_00000239B7FD13B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_010713B8 NtQuerySystemInformation,		2_2_010713B8

Detected potential crypto function

Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00000239B7FD1100		1_2_00000239B7FD1100
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D87D49		1_2_00007FFB51D87D49
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D874BE		1_2_00007FFB51D874BE
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D90C6A		1_2_00007FFB51D90C6A
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D992B6		1_2_00007FFB51D992B6
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D9267F		1_2_00007FFB51D9267F
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D99668		1_2_00007FFB51D99668
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D91A5D		1_2_00007FFB51D91A5D
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D9125F		1_2_00007FFB51D9125F
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D99A75		1_2_00007FFB51D99A75
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D96A78		1_2_00007FFB51D96A78
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D92246		1_2_00007FFB51D92246
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D90E53		1_2_00007FFB51D90E53
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D91655		1_2_00007FFB51D91655
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D99E25		1_2_00007FFB51D99E25
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D92634		1_2_00007FFB51D92634
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D9160A		1_2_00007FFB51D9160A
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D91A12		1_2_00007FFB51D91A12
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D911E9		1_2_00007FFB51D911E9
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D995E2		1_2_00007FFB51D995E2
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D8CDC0		1_2_00007FFB51D8CDC0
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D8D5CC		1_2_00007FFB51D8D5CC
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D921CE		1_2_00007FFB51D921CE
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D9CDA8		1_2_00007FFB51D9CDA8
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D99DAA		1_2_00007FFB51D99DAA
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D9119E		1_2_00007FFB51D9119E
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D999B5		1_2_00007FFB51D999B5
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D92183		1_2_00007FFB51D92183
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D90D88		1_2_00007FFB51D90D88
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D9195F		1_2_00007FFB51D9195F
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D99D5F		1_2_00007FFB51D99D5F
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D99942		1_2_00007FFB51D99942
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D9154D		1_2_00007FFB51D9154D
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D92538		1_2_00007FFB51D92538
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D9B506		1_2_00007FFB51D9B506
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D8D110		1_2_00007FFB51D8D110
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D918E9		1_2_00007FFB51D918E9
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D910DD		1_2_00007FFB51D910DD
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D998F7		1_2_00007FFB51D998F7
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D920C8		1_2_00007FFB51D920C8
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D924C1		1_2_00007FFB51D924C1
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D914D7		1_2_00007FFB51D914D7
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D99CA6		1_2_00007FFB51D99CA6
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D994A8		1_2_00007FFB51D994A8
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D9189E		1_2_00007FFB51D9189E
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D9A4B5		1_2_00007FFB51D9A4B5
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D90CBA		1_2_00007FFB51D90CBA
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D9B487		1_2_00007FFB51D9B487
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D9148C		1_2_00007FFB51D9148C
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D92476		1_2_00007FFB51D92476
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D99871		1_2_00007FFB51D99871
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D92856		1_2_00007FFB51D92856
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D9204E		1_2_00007FFB51D9204E
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D99C33		1_2_00007FFB51D99C33
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D9B438		1_2_00007FFB51D9B438
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D92003		1_2_00007FFB51D92003
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D91000		1_2_00007FFB51D91000
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D91817		1_2_00007FFB51D91817
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D9A017		1_2_00007FFB51D9A017
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D927E4		1_2_00007FFB51D927E4
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D993E5		1_2_00007FFB51D993E5
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D99BE8		1_2_00007FFB51D99BE8
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D91FC6		1_2_00007FFB51D91FC6
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D923BF		1_2_00007FFB51D923BF
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D913D6		1_2_00007FFB51D913D6
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D8FB9A		1_2_00007FFB51D8FB9A
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D9279A		1_2_00007FFB51D9279A
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D91360		1_2_00007FFB51D91360
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D92348		1_2_00007FFB51D92348
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D99F42		1_2_00007FFB51D99F42
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D8E325		1_2_00007FFB51D8E325
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D99726		1_2_00007FFB51D99726
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D90F27		1_2_00007FFB51D90F27
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D99B33		1_2_00007FFB51D99B33
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D922FD		1_2_00007FFB51D922FD
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D91315		1_2_00007FFB51D91315
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D99319		1_2_00007FFB51D99319
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D99EE1		1_2_00007FFB51D99EE1
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D92EF2		1_2_00007FFB51D92EF2
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D96AC7		1_2_00007FFB51D96AC7
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D906BC		1_2_00007FFB51D906BC
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D99AC0		1_2_00007FFB51D99AC0
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D91AD3		1_2_00007FFB51D91AD3
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D916CE		1_2_00007FFB51D916CE
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB51D996B3		1_2_00007FFB51D996B3
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01071100		2_2_01071100

Tries to load missing DLLs

Source: C:\Windows\System32\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Classification label

Source: classification engine

Classification label: mal64.troj.evad.winDLL@11/122@14/5

Creates files inside the user directory

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Creates temporary files

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF023EFD575FA5C9FD.TMP

Jump to behavior

PE file has an executable .text section and no other executable section

Source: waf3.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads ini files

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Runs a DLL by calling functions

Source: unknown

Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\waf3.dll',#1

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\waf3.dll'
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\waf3.dll',#1
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\waf3.dll
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5656 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\waf3.dll',#1			Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\waf3.dll			Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5656 CREDAT:17410 /prefetch:2			Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

PE file has a high image base, often used for DLLs

Source: waf3.dll

Static PE information: Image base 0x180000000 > 0x60000000

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: waf3.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

PE file contains a debug data directory

Source: waf3.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

PE file contains an invalid checksum

Source: waf3.dll

Static PE information: real checksum: 0x29b89 should be: 0x2ef92

Registers a DLL

Source: unknown

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\waf3.dll

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\rundll32.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00000239B7FD1B94		1_2_00000239B7FD1B94
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01071B94		2_2_01071B94

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\System32\regsvr32.exe	RDTSC instruction interceptor: First address: 0000000001071C52 second address: 0000000001071C73 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [ebp-10h], eax 0x00000018 mov dword ptr [ebp-0Ch], ebx 0x0000001b mov dword ptr [ebp-08h], ecx 0x0000001e mov dword ptr [ebp-04h], edx 0x00000021 rdtsc
Source: C:\Windows\System32\regsvr32.exe	RDTSC instruction interceptor: First address: 0000000001071C73 second address: 0000000001071C88 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec ecx 0x0000000a sub eax, eax 0x0000000c dec eax 0x0000000d add edi, eax 0x0000000f call dword ptr [00002428h] 0x00000015 dec eax 0x00000016 jmp dword ptr [00062319h] 0x0000001c dec eax 0x0000001d sub esp, 28h 0x00000020 dec eax 0x00000021 lea ecx, dword ptr [esp+30h] 0x00000025 call dword ptr [001308C9h] 0x0000002b dec eax 0x0000002c mov dword ptr [esp+08h], ecx 0x00000030 dec eax 0x00000031 sub esp, 18h 0x00000034 dec eax 0x00000035 test ecx, ecx 0x00000037 je 00007F88D8B57626h 0x0000003d dec esp 0x0000003f mov eax, dword ptr [00000030h] 0x00000046 xor eax, eax 0x00000048 dec eax 0x00000049 mov dword ptr [esp+08h], eax 0x0000004d dec ecx 0x0000004e mov edx, dword ptr [eax+000014A0h] 0x00000054 dec eax 0x00000055 mov dword ptr [esp+08h], edx 0x00000059 dec eax 0x0000005a test edx, edx 0x0000005c jne 00007F88D8AEDA1Ch 0x0000005e mov eax, C00000BBh 0x00000063 mov dword ptr [esp], eax 0x00000066 jmp 00007F88D8AEDA25h 0x00000068 jmp 00007F88D8AEDA24h 0x0000006a dec eax 0x0000006b mov dword ptr [ecx], edx 0x0000006d dec eax 0x0000006e add esp, 18h 0x00000071 ret 0x00000072 test eax, eax 0x00000074 jns 00007F88D8B3225Bh 0x0000007a call dword ptr [0012FE13h] 0x00000080 dec esp 0x00000081 mov edx, ecx 0x00000083 mov eax, 00000046h 0x00000088 test byte ptr [7FFE0308h], 00000001h 0x00000090 jne 00007F88D8AEDA15h
Source: C:\Windows\System32\regsvr32.exe	RDTSC instruction interceptor: First address: 0000000001071C88 second address: 0000000001071C95 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc
Source: C:\Windows\System32\regsvr32.exe	RDTSC instruction interceptor: First address: 0000000001071C95 second address: 0000000001071C52 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a sub eax, ecx 0x0000000c dec esp 0x0000000d add esi, eax 0x0000000f dec ecx 0x00000010 sub edi, 01h 0x00000013 jne 00007F88D8AED9B4h 0x00000015 call dword ptr [0000245Eh] 0x0000001b dec eax 0x0000001c jmp dword ptr [00062319h] 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 dec eax 0x00000027 lea ecx, dword ptr [esp+30h] 0x0000002b call dword ptr [001308C9h] 0x00000031 dec eax 0x00000032 mov dword ptr [esp+08h], ecx 0x00000036 dec eax 0x00000037 sub esp, 18h 0x0000003a dec eax 0x0000003b test ecx, ecx 0x0000003d je 00007F88D8B57626h 0x00000043 dec esp 0x00000045 mov eax, dword ptr [00000030h] 0x0000004c xor eax, eax 0x0000004e dec eax 0x0000004f mov dword ptr [esp+08h], eax 0x00000053 dec ecx 0x00000054 mov edx, dword ptr [eax+000014A0h] 0x0000005a dec eax 0x0000005b mov dword ptr [esp+08h], edx 0x0000005f dec eax 0x00000060 test edx, edx 0x00000062 jne 00007F88D8AEDA1Ch 0x00000064 mov eax, C00000BBh 0x00000069 mov dword ptr [esp], eax 0x0000006c jmp 00007F88D8AEDA25h 0x0000006e jmp 00007F88D8AEDA24h 0x00000070 dec eax 0x00000071 mov dword ptr [ecx], edx 0x00000073 dec eax 0x00000074 add esp, 18h 0x00000077 ret 0x00000078 test eax, eax 0x0000007a jns 00007F88D8B3225Bh 0x00000080 call dword ptr [0012FE13h] 0x00000086 dec esp 0x00000087 mov edx, ecx 0x00000089 mov eax, 00000046h 0x0000008e test byte ptr [7FFE0308h], 00000001h 0x00000096 jne 00007F88D8AEDA15h
Source: C:\Windows\System32\rundll32.exe	RDTSC instruction interceptor: First address: 00000239B7FD1C52 second address: 00000239B7FD1C73 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [ebp-10h], eax 0x00000018 mov dword ptr [ebp-0Ch], ebx 0x0000001b mov dword ptr [ebp-08h], ecx 0x0000001e mov dword ptr [ebp-04h], edx 0x00000021 rdtsc
Source: C:\Windows\System32\rundll32.exe	RDTSC instruction interceptor: First address: 00000239B7FD1C73 second address: 00000239B7FD1C88 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec ecx 0x0000000a sub eax, eax 0x0000000c dec eax 0x0000000d add edi, eax 0x0000000f call dword ptr [00002428h] 0x00000015 dec eax 0x00000016 jmp dword ptr [00062319h] 0x0000001c dec eax 0x0000001d sub esp, 28h 0x00000020 dec eax 0x00000021 lea ecx, dword ptr [esp+30h] 0x00000025 call dword ptr [001308C9h] 0x0000002b dec eax 0x0000002c mov dword ptr [esp+08h], ecx 0x00000030 dec eax 0x00000031 sub esp, 18h 0x00000034 dec eax 0x00000035 test ecx, ecx 0x00000037 je 00007F88D8B57626h 0x0000003d dec esp 0x0000003f mov eax, dword ptr [00000030h] 0x00000046 xor eax, eax 0x00000048 dec eax 0x00000049 mov dword ptr [esp+08h], eax 0x0000004d dec ecx 0x0000004e mov edx, dword ptr [eax+000014A0h] 0x00000054 dec eax 0x00000055 mov dword ptr [esp+08h], edx 0x00000059 dec eax 0x0000005a test edx, edx 0x0000005c jne 00007F88D8AEDA1Ch 0x0000005e mov eax, C00000BBh 0x00000063 mov dword ptr [esp], eax 0x00000066 jmp 00007F88D8AEDA25h 0x00000068 jmp 00007F88D8AEDA24h 0x0000006a dec eax 0x0000006b mov dword ptr [ecx], edx 0x0000006d dec eax 0x0000006e add esp, 18h 0x00000071 ret 0x00000072 test eax, eax 0x00000074 jns 00007F88D8B3225Bh 0x0000007a call dword ptr [0012FE13h] 0x00000080 dec esp 0x00000081 mov edx, ecx 0x00000083 mov eax, 00000046h 0x00000088 test byte ptr [7FFE0308h], 00000001h 0x00000090 jne 00007F88D8AEDA15h
Source: C:\Windows\System32\rundll32.exe	RDTSC instruction interceptor: First address: 00000239B7FD1C88 second address: 00000239B7FD1C95 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc
Source: C:\Windows\System32\rundll32.exe	RDTSC instruction interceptor: First address: 00000239B7FD1C95 second address: 00000239B7FD1C52 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a sub eax, ecx 0x0000000c dec esp 0x0000000d add esi, eax 0x0000000f dec ecx 0x00000010 sub edi, 01h 0x00000013 jne 00007F88D8AED9B4h 0x00000015 call dword ptr [0000245Eh] 0x0000001b dec eax 0x0000001c jmp dword ptr [00062319h] 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 dec eax 0x00000027 lea ecx, dword ptr [esp+30h] 0x0000002b call dword ptr [001308C9h] 0x00000031 dec eax 0x00000032 mov dword ptr [esp+08h], ecx 0x00000036 dec eax 0x00000037 sub esp, 18h 0x0000003a dec eax 0x0000003b test ecx, ecx 0x0000003d je 00007F88D8B57626h 0x00000043 dec esp 0x00000045 mov eax, dword ptr [00000030h] 0x0000004c xor eax, eax 0x0000004e dec eax 0x0000004f mov dword ptr [esp+08h], eax 0x00000053 dec ecx 0x00000054 mov edx, dword ptr [eax+000014A0h] 0x0000005a dec eax 0x0000005b mov dword ptr [esp+08h], edx 0x0000005f dec eax 0x00000060 test edx, edx 0x00000062 jne 00007F88D8AEDA1Ch 0x00000064 mov eax, C00000BBh 0x00000069 mov dword ptr [esp], eax 0x0000006c jmp 00007F88D8AEDA25h 0x0000006e jmp 00007F88D8AEDA24h 0x00000070 dec eax 0x00000071 mov dword ptr [ecx], edx 0x00000073 dec eax 0x00000074 add esp, 18h 0x00000077 ret 0x00000078 test eax, eax 0x0000007a jns 00007F88D8B3225Bh 0x00000080 call dword ptr [0012FE13h] 0x00000086 dec esp 0x00000087 mov edx, ecx 0x00000089 mov eax, 00000046h 0x0000008e test byte ptr [7FFE0308h], 00000001h 0x00000096 jne 00007F88D8AEDA15h

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\System32\rundll32.exe

Code function: 1_2_00000239B7FD1B94 rdtsc

1_2_00000239B7FD1B94

Contains functionality to query network adapater information

Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,		1_2_00000239B7FD1F94
Source: C:\Windows\System32\regsvr32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,		2_2_01071F94

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\regsvr32.exe TID: 5620

Thread sleep time: -60000s >= -30000s

Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	Binary or memory string: </figure> <h3 id="VMware_Cloud_on_AWS" class="lb-tiny-align-center lb-txt-none lb-txt-white lb-h3 lb-title"> VMware Cloud on AWS</h3>
Source: regsvr32.exe, 00000002.00000002.200543141.0000000000DF5000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW@A
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	Binary or memory string: <a style="padding-left:30px; padding-right:30px;" href="/vmware/?hp=tile&amp;tile=hybridsol" target="_blank" rel="noopener">
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	Binary or memory string: <img src="//d1.awsstatic.com/webteam/homepage/Hybrid%20Solutions/VMWareCloud_Icon.55cb0bcef2c74b55acdb7155e3524e4b5436ec6e.png" alt="VMWareCloud_Icon" title="VMWareCloud_Icon" class="cq-dd-image" />
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	Binary or memory string: Migrate and extend VMware environments to the AWS Cloud
Source: rundll32.exe, 00000001.00000002.202011648.00000239B65E2000.00000004.00000020.sdmp, regsvr32.exe, 00000002.00000002.200583737.0000000000E53000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	Binary or memory string: <a href="/vmware/?hp=tile&amp;so-exp=below"> VMware Cloud on AWS<span>Build a hybrid cloud without custom hardware</span> </a>
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	Binary or memory string: <a style="padding-left:20px; padding-right:45px;" href="/vmware/?hp=tile&amp;tile=hybridsol" target="_blank" rel="noopener">
Source: regsvr32.exe, 00000002.00000002.201119878.0000000002DB0000.00000004.00000001.sdmp	Binary or memory string: <a href="/rds/vmware/?hp=tile&amp;so-exp=below"> Amazon RDS on VMware<span>Automate on-premises database management</span> </a>

Queries a list of all running processes

Source: C:\Windows\System32\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\System32\rundll32.exe

Code function: 1_2_00000239B7FD1B94 rdtsc

1_2_00000239B7FD1B94

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Windows\System32\rundll32.exe

Code function: 1_2_00007FFB51D992B6 VirtualAlloc ?,55555552,00000000,55555556,?,00007FFB51D879F6

1_2_00007FFB51D992B6

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 143.204.3.74 187			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 143.198.2.53 80			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe			Jump to behavior

Language, Device and Operating System Detection:

Contains functionality to query the account / user name

Source: C:\Windows\System32\rundll32.exe

Code function: 1_2_00000239B7FD1D48 GetUserNameA,LookupAccountNameW,

1_2_00000239B7FD1D48

Stealing of Sensitive Information:

Yara detected IcedID

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.200583737.0000000000E53000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.200791539.00000239B663F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1720, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1492, type: MEMORY

Remote Access Functionality:

Yara detected IcedID

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.200583737.0000000000E53000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.202064213.00000239B663F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.200791539.00000239B663F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1720, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1492, type: MEMORY