Loading ...

Play interactive tourEdit tour

Windows Analysis Report qT9Qk5aKTk.dll

Overview

General Information

Sample Name:qT9Qk5aKTk.dll
Analysis ID:481107
MD5:58d9e2906f42336e9bee1137b4cf5839
SHA1:7f29e42f6d317d7b11ad164a672e91e4515b5bc0
SHA256:a9a0db068a2ed9c7b9b3cdbe7f3c1c82a6f9d2c1c7d4b820820927da004b6cbf
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
Writes or reads registry keys via WMI
PE file has nameless sections
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Registers a DLL
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5004 cmdline: loaddll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 2800 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 1404 cmdline: rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 5828 cmdline: regsvr32.exe /s C:\Users\user\Desktop\qT9Qk5aKTk.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • iexplore.exe (PID: 2760 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
      • iexplore.exe (PID: 1112 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2760 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 6664 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2760 CREDAT:82962 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 3340 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2760 CREDAT:17428 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 5784 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2760 CREDAT:82974 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • rundll32.exe (PID: 2448 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Aquatically MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5440 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Episodically MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6296 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Kakapo MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6440 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Overdistantness MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6540 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Pseudopodal MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6840 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Microphage MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6316 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 820 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7160 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Cytost MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2736 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Reattach MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 1020 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 816 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 4844 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Vigia MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5680 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Preallable MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4196 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Amphistomous MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4868 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 580 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Americanistic MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7044 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Suprahumanity MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6660 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Eupyrchroite MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6668 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Splitbeak MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1744 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Andirin MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7100 cmdline: rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Drail MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000002.310878760.00000000033B0000.00000040.00000001.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
    00000024.00000002.420794237.0000000002A00000.00000040.00000001.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
      00000013.00000000.345060840.0000000000400000.00000040.00020000.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
        0000002C.00000003.488597994.0000000006C68000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000003.00000003.322676857.0000000005168000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 77 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            25.2.rundll32.exe.510000.0.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
              25.0.rundll32.exe.510000.2.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                0.2.loaddll32.exe.400000.0.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                  19.2.rundll32.exe.400000.0.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                    25.0.rundll32.exe.510000.0.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                      Click to see the 38 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: qT9Qk5aKTk.dllVirustotal: Detection: 80%Perma Link
                      Source: qT9Qk5aKTk.dllMetadefender: Detection: 59%Perma Link
                      Source: qT9Qk5aKTk.dllReversingLabs: Detection: 82%
                      Antivirus / Scanner detection for submitted sampleShow sources
                      Source: qT9Qk5aKTk.dllAvira: detected
                      Source: 0.2.loaddll32.exe.400000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen8
                      Source: 19.0.rundll32.exe.400000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen8
                      Source: 33.2.rundll32.exe.400000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen8
                      Source: 19.2.rundll32.exe.400000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen8
                      Source: 19.0.rundll32.exe.400000.2.unpackAvira: Label: TR/Crypt.XPACK.Gen8
                      Source: 3.2.rundll32.exe.400000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen8
                      Source: qT9Qk5aKTk.dllStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                      Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
                      Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.7:49722 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.7:49723 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.7:49741 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.7:49742 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.26.2.70:443 -> 192.168.2.7:49748 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.26.2.70:443 -> 192.168.2.7:49747 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.217.19.102:443 -> 192.168.2.7:49745 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.217.19.102:443 -> 192.168.2.7:49746 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49776 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.7:49779 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49777 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49778 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.7:49780 version: TLS 1.2
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb& source: WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000029.00000003.411166142.0000000005353000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411166142.0000000005353000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb) source: WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdbm/pZ source: WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb3 source: WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdbn.xP source: WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000023.00000003.376951522.00000000056E4000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000023.00000003.363884828.00000000053A3000.00000004.00000001.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdbk source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdbN~g source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdbU^ source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
                      Source: Binary string: wUxTheme.pdb= source: WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 00000023.00000003.376951522.00000000056E4000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
                      Source: Binary string: CoreUIComponents.pdbn'xY source: WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02F912D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_02F912D4
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_023E12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,2_2_023E12D4

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49824 -> 13.225.29.191:80
                      Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.7:49887 -> 13.225.29.191:80
                      Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49887 -> 13.225.29.191:80
                      Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.7:49935 -> 13.225.29.204:80
                      Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49935 -> 13.225.29.204:80
                      Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49938 -> 13.225.29.191:80
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49780
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49779
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49778
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49777
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49776
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49780 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49777 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
                      Source: de-ch[1].htm.6.drString found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
                      Source: de-ch[1].htm.6.drString found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
                      Source: de-ch[1].htm.6.drString found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
                      Source: WerFault.exe, 00000023.00000002.429475012.0000000005347000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.453464879.0000000004DF2000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: de-ch[1].htm.6.drString found in binary or memory: http://ogp.me/ns#
                      Source: de-ch[1].htm.6.drString found in binary or memory: http://ogp.me/ns/fb#
                      Source: auction[1].htm.6.drString found in binary or memory: http://popup.taboola.com/german
                      Source: ~DF8EB834D22FF64704.TMP.4.drString found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://amzn.to/2TTxhNg
                      Source: auction[1].htm.6.drString found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&amp;ap
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
                      Source: auction[1].htm.6.drString found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&amp;es=_pGcdKMGIS.z.lCTqTjkg1MN5VDhw.LVmKPE.vsvy8xqR9tt
                      Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
                      Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
                      Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
                      Source: auction[1].htm.6.drString found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html&quot;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_promotionalstripe_na
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://client-s.gateway.messenger.live.com
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://clk.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=21863656
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24545562
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24545562&amp;epi=de-ch
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&amp;a=3064090&amp;g=24886692
                      Source: ~DF8EB834D22FF64704.TMP.4.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
                      Source: ~DF8EB834D22FF64704.TMP.4.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
                      Source: ~DF8EB834D22FF64704.TMP.4.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
                      Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
                      Source: auction[1].htm.6.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
                      Source: auction[1].htm.6.drString found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&amp;es=ofrom5sGIS_KXxy9_JDp4mX9JHjHM.c541SmqMEFZwTH
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1631265095&amp;rver=7.0.6730.0&am
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/logout.srf?ct=1631265096&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1631265095&amp;rver=7.0.6730.0&amp;w
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/#qt=mru
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/about/en/download/
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com;Fotos
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com;OneDrive-App
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://outlook.com/
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://outlook.live.com/calendar
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
                      Source: auction[1].htm.6.drString found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
                      Source: ~DF8EB834D22FF64704.TMP.4.drString found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
                      Source: auction[1].htm.6.drString found in binary or memory: https://s.yimg.com/lo/api/res/1.2/BWUYr.M5U6.kf035wsX8Lg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
                      Source: auction[1].htm.6.drString found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=8579855945c54b10b74180716ce798ce&amp;r=infopane&amp;i=3&
                      Source: imagestore.dat.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOgGQ4.img?h=368&amp;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&amp;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://support.skype.com
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?&quot;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://twitter.com/
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://twitter.com/i/notifications;Ich
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&amp;awinaffid=696593&amp;clickref=dech-edge-dhp-infopa
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-edge-dhp-river
                      Source: iab2Data[1].json.6.drString found in binary or memory: https://www.bidstack.com/privacy-policy/
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.ebay.ch/?mkcid=1&amp;mkrid=5222-53480-19255-0&amp;siteid=193&amp;campid=5338626668&amp;t
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/
                      Source: ~DF8EB834D22FF64704.TMP.4.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
                      Source: ~DF8EB834D22FF64704.TMP.4.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpo
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/die-schulen-sind-am-anschlag-ansteckungen-unter-ki
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/mit-dem-neubau-der-zurich-versicherung-ist-ein-wei
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/wie-ein-engl%c3%a4nder-seine-schwangere-frau-vor-c
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/betrunkener-kia-fahrer-30-streift-polizeiauto-und-haut-ab/ar-AA
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/blaualgen-tr%c3%bcben-den-z%c3%bcrichsee-bei-freienbach/ar-AAOf
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/frau-hielt-schafe-im-badezimmer-ihrer-mietwohnung/ar-AAOhQkc?oc
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/kanton-z%c3%bcrich-beerdigt-westtangente-wetzikon/ar-AAOi8HP?oc
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/nach-13-positiven-tests-drei-klassen-m%c3%bcssen-in-quarant%c3%
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/v%c3%b6llig-absurd-f%c3%bcnftkl%c3%a4ssler-m%c3%bcssen-trotz-qu
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/sport/other/seit-corona-kommt-es-vermehrt-zu-t%c3%a4tlichkeiten/ar-AAOf1Pv
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.skype.com/
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.skype.com/de
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.skype.com/de/download-skype
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
                      Source: iab2Data[1].json.6.drString found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
                      Source: iab2Data[1].json.6.drString found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
                      Source: unknownDNS traffic detected: queries for: www.msn.com
                      Source: global trafficHTTP traffic detected: GET /cookieconsentpub/v1/geo/location HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: geolocation.onetrust.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: btloader.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /px.gif?ch=1&e=0.7442770494067928 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad-delivery.netConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad.doubleclick.netConnection: Keep-AliveCookie: IDE=AHWqTUmLaOp9iEghuZm4P0dJw9hUfO3C-7WsvHHj8XxLUXDn8JvgU1zZASjuR4p3
                      Source: global trafficHTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F07804453bf90da635cf952e3d393ab12.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F26b7c43e8735f7408c60e41fb7e91ecd.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /lo/api/res/1.2/BWUYr.M5U6.kf035wsX8Lg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1pbmk7cT0xMDA-/https://s.yimg.com/av/ads/1621266752856-586.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: s.yimg.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F11b9f069e5e00ff6dd3050259af20493.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /images/ljDNkkzbV4a6qGMM6/1HExUGmQXVwO/frwWBEjdrZ4/d5S8UlSiYa0DzX/el9J2qXVIUyYCxMHHr91X/kizLttMGapdo5SvF/olXlCBP7aPqDsmB/ICQ2HKBamF1i_2Fxdj/ZsDmjnqFK/ytn9Ymr2xJl5Qy4kiXVc/IQDWlUGPzShrNYAjXzf/JPSl_2BD7pWwAJFNY_2B0f/3A3oDAh_2BF9_/2BxYBJaFI/UpWol9RI.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ocsp.sca1b.amazontrust.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /images/cCdYQdt2tX8RhHk/neYfmVtOu_2BWHOxaX/ecV9VJIhq/XE4M5D_2FzTYipgQVzFy/24_2BtaWyVjXI2M_2FX/wa66wgzPqWCXC0kGRqyEUL/snesyfGZeTgvJ/569YwYUH/U86MzznZ70JhRKq9sWcaTd1/Hzb_2FFW0u/GZ5sESPD_2B5JLMQh/7K5kxREyrQ1n/mKmdzEvi70Tv5/6xorN.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ocsp.sca1b.amazontrust.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /images/pHWWVyKJpE2g/nNZcTMutRbw/CCuOk7RvdVCDGz/STh4ftwA407S9VDDkvBy4/G7M_2BJ4E2bGBbf7/N4t3UKgsWntjM7M/mhCOIjxjlHyX4RUX7Q/Rdq3ib1hF/2fWqDSaJ9GA2yVZ_2Bgz/9iFlTX9OFyKHKxrjQJU/JYzhGNAUNkUKgLpHHU6bLf/nZUT_2BcMHeCkKwcWj/aMt.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ocsp.sca1b.amazontrust.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /images/1mUl4vSxMxI/e7HhiI3PfruX2m/qXVt2BLImZpNU2AUWYoPx/KJXoqE51DtcFrNZ_/2BgDE50_2B2je1s/48lZWMnPdCpHd_2FFy/Vcq64rYip/9aN0bRvWizmkP5fXR2T3/jiHfK2wSGdTtZ8VP53I/SUMESuf_2FBQAkd3zXxfOT/_2BcxECgxKRoa/s8ZW5dhr/E0BgSy4u3Bh6HSi/j.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ocsp.sca1b.amazontrust.comConnection: Keep-Alive
                      Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.7:49722 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.7:49723 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.7:49741 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.7:49742 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.26.2.70:443 -> 192.168.2.7:49748 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.26.2.70:443 -> 192.168.2.7:49747 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.217.19.102:443 -> 192.168.2.7:49745 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.217.19.102:443 -> 192.168.2.7:49746 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49776 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.7:49779 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49777 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49778 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.7:49780 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 0000002C.00000003.488597994.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.322676857.0000000005168000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.474137548.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.322202508.0000000005168000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.473987515.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.322499280.0000000005168000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002C.00000003.488543169.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.504757746.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.417091528.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000002.530490300.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002C.00000003.488696812.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.416892582.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002C.00000003.488440717.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.416449935.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.473902712.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.505290500.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.474356584.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.417147272.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.416620379.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.505377175.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002C.00000003.488723167.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match