Windows Analysis Report 3FLps29lWm

Overview

General Information

Sample Name:	3FLps29lWm (renamed file extension from none to dll)
Analysis ID:	483800
MD5:	0636cf8dafa624e524ad748f38d22240
SHA1:	b347c65c5add7e2fb16fe30cedf46f57fd1eaa56
SHA256:	586999eb0a767ffedcc169d7aead09ebfc1528998def72fc9c5e4bfb245b1abc
Tags:	Dridexexe
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Antivirus / Scanner detection for submitted sample

Sigma detected: System File Execution Location Anomaly

Changes memory attributes in foreign processes to executable or writable

Machine Learning detection for sample

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sigma detected: Regsvr32 Command Line Without DLL

Uses Atom Bombing / ProGate to inject into other processes

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Queries the installation date of Windows

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to get notified if a device is plugged in / out

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Uses the system / local time for branch decision (may execute only at specific dates)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to launch a program with higher privileges

Binary contains a suspicious time stamp

Potential key logger detected (key state polling based)

Registers a DLL

PE file contains more sections than normal

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: 3FLps29lWm.dll	Virustotal: Detection: 71%	Perma Link
Source: 3FLps29lWm.dll	Metadefender: Detection: 62%	Perma Link
Source: 3FLps29lWm.dll	ReversingLabs: Detection: 75%

Antivirus / Scanner detection for submitted sample

Source: 3FLps29lWm.dll

Avira: detected

Machine Learning detection for sample

Source: 3FLps29lWm.dll

Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60108F8FC CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,		43_2_00007FF60108F8FC
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60108F52C CryptProtectData,LocalAlloc,LocalFree,		43_2_00007FF60108F52C

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.3:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.3:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.3:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.3:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.3:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.3:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.3:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.3:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49814 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49817 version: TLS 1.2

Source: 3FLps29lWm.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: FXSCOVER.pdb source: FXSCOVER.exe, 00000027.00000002.451597797.00007FF753F02000.00000002.00020000.sdmp, FXSCOVER.exe.9.dr
Source:	Binary string: Taskmgr.pdbUGP source: Taskmgr.exe, 00000021.00000002.410121511.00007FF678813000.00000002.00020000.sdmp, Taskmgr.exe.9.dr
Source:	Binary string: dialer.pdbGCTL source: dialer.exe.9.dr
Source:	Binary string: FXSCOVER.pdbGCTL source: FXSCOVER.exe, 00000027.00000002.451597797.00007FF753F02000.00000002.00020000.sdmp, FXSCOVER.exe.9.dr
Source:	Binary string: Taskmgr.pdb source: Taskmgr.exe, 00000021.00000002.410121511.00007FF678813000.00000002.00020000.sdmp, Taskmgr.exe.9.dr
Source:	Binary string: rstrui.pdbGCTL source: rstrui.exe, 0000001B.00000000.343039764.00007FF7010B1000.00000002.00020000.sdmp, rstrui.exe.9.dr
Source:	Binary string: rstrui.pdb source: rstrui.exe, 0000001B.00000000.343039764.00007FF7010B1000.00000002.00020000.sdmp, rstrui.exe.9.dr
Source:	Binary string: mstsc.pdbGCTL source: mstsc.exe, 0000002B.00000000.457004471.00007FF601134000.00000002.00020000.sdmp, mstsc.exe.9.dr
Source:	Binary string: dialer.pdb source: dialer.exe.9.dr
Source:	Binary string: mstsc.pdb source: mstsc.exe, 0000002B.00000000.457004471.00007FF601134000.00000002.00020000.sdmp, mstsc.exe.9.dr

Spreading:

Contains functionality to get notified if a device is plugged in / out

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

Code function: 33_2_00007FF6787B1570 EnterCriticalSection,UnregisterDeviceNotification,GetLastError,CloseHandle,GetProcessHeap,HeapFree,SysFreeString,GetProcessHeap,HeapFree,

33_2_00007FF6787B1570

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014005D290 FindFirstFileExW,		3_2_000000014005D290
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010A5FEC memset,memset,FindFirstFileW,FindFirstFileW,FindNextFileW,GetLastError,FindClose,FindClose,		27_2_00007FF7010A5FEC

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

Code function: 33_2_00007FF6787A9374 GetLogicalDriveStringsW,QueryDosDeviceW,GetLastError,_wcsnicmp,

33_2_00007FF6787A9374

Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443

Source: de-ch[1].htm.8.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000009.00000000.262491511.000000000F788000.00000004.00000001.sdmp	String found in binary or memory: :2021091520210916: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: msapplication.xml0.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x1606e68c,0x01d7aa75</date><accdate>0x1606e68c,0x01d7aa75</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x1606e68c,0x01d7aa75</date><accdate>0x1606e68c,0x01d7aa75</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x16106db3,0x01d7aa75</date><accdate>0x16106db3,0x01d7aa75</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x16106db3,0x01d7aa75</date><accdate>0x16106db3,0x01d7aa75</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x16106db3,0x01d7aa75</date><accdate>0x16106db3,0x01d7aa75</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x16106db3,0x01d7aa75</date><accdate>0x16106db3,0x01d7aa75</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.8.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.8.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: de-ch[1].htm.8.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.8.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: auction[1].htm.8.dr	String found in binary or memory: http://popup.taboola.com/german
Source: ~DF98125A3D199168E4.TMP.5.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: msapplication.xml.5.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.5.dr	String found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.5.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.5.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.5.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.5.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.5.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.5.dr	String found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.8.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: auction[1].htm.8.dr	String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&es=21x0e_sGIS.ilIXooL5YSf3vyStZlGxuE54fPm01Hak3octV
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: auction[1].htm.8.dr	String found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html"
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24545562&epi=de-ch
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&a=3064090&g=24886692
Source: ~DF98125A3D199168E4.TMP.5.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: ~DF98125A3D199168E4.TMP.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ~DF98125A3D199168E4.TMP.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: auction[1].htm.8.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: auction[1].htm.8.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: auction[1].htm.8.dr	String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&es=omzXyQIGIS9RP7Ab2JdB6y2LE1eAUMyavr58923CVFzR
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1631707355&rver=7.0.6730.0&am
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1631707356&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1631707355&rver=7.0.6730.0&w
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://marketing.outbrain.com/network/redir?p=v32QGHAgJSsc5iQUmc_8pzjvwpvCgGeqUtF8mqZlq22g-2MjMNlW2
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: auction[1].htm.8.dr	String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
Source: ~DF98125A3D199168E4.TMP.5.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: auction[1].htm.8.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: auction[1].htm.8.dr	String found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=a4ddd93dd52947cd82240d0d2c0c03b6&r=infopane&i=1&
Source: imagestore.dat.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOrf3O.img?h=368&
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.ebay.ch/?mkcid=1&mkrid=5222-53480-19255-0&siteid=193&campid=5338626668&t
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DF98125A3D199168E4.TMP.5.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: explorer.exe, 00000009.00000000.262491511.000000000F788000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpMSN
Source: ~DF98125A3D199168E4.TMP.5.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpu
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/angst-vor-einer-gleisw%c3%bcste-der-kanton-und-die
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/bis-zu-2000-kiffer-k%c3%b6nnen-sich-in-z%c3%bcrich
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/autofahrer-20-kommt-von-strasse-ab-und-prallt-gegen-baum/ar-AAO
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/bundesgericht-will-brian-nicht-aus-der-einzelhaft-entlassen/ar-
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/mann-greift-bei-impftram-einweihung-security-an-und-wird-festge
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/patrick-aebischer-ist-als-ehemaliger-pr%c3%a4sident-der-eth-lau
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/rega-bringt-schwer-verletzten-t%c3%b6fffahrer-ins-spital/ar-AAO
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/unglaublich-erleichtert-bev%c3%b6lkerung-wehrt-sich-erfolgreich
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrcher-apothekerinnen-werden-von-testwilligen-%c3%bcberra
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrcher-d%c3%bcrfen-f%c3%bcr-die-wissenschaft-bald-legal-k
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.tippsundtricks.co/lifehacks/nadel-banane-trick/?utm_campaign=DECH-bananatrick&utm_so

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: global traffic	HTTP traffic detected: GET /cookieconsentpub/v1/geo/location HTTP/1.1Accept: application/javascript, /;q=0.8Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: geolocation.onetrust.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1Accept: application/javascript, /;q=0.8Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: btloader.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /px.gif?ch=1&e=0.4888902266943189 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad-delivery.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad.doubleclick.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1pbmk7cT0xMDA-/https://s.yimg.com/av/ads/1599143076228-3140.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: s.yimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fb4d84d7a-e7a0-4e71-a4e1-288b18f4b1a1_166a74d60a77edc1b295914db4bc79ac.jpeg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%2Cg_xy_center%2Cx_433%2Cy_315/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F560ad3dcc869b1dfc2bac1c99d35ac81.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fimages%2F824258cd-2488-4e7c-b171-dad87f56f610_1000x600.jpeg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F7b4dbad0520957f16bd4e3f810f4c883.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%2Cg_xy_center%2Cx_737%2Cy_504/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fe17134d780918219c201cb1db8da2d3f.jpeg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5ac3b539d1cfda83dbe324033737805f.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.3:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.3:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.3:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.3:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.3:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.3:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.3:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.3:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49814 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49817 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A3C00 memset,memset,memset,GetKeyState,GetKeyState,SendMessageW,SendMessageW,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SetFocus,?GetDisplayNode@Element@DirectUI@@QEAAPEAUHGADGET__@@XZ,ForwardGadgetMessage,	33_2_00007FF6787A3C00
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879AF2C GetCurrentProcessId,ProcessIdToSessionId,GetLocaleInfoEx,GetLastError,GetLocaleInfoEx,GetLastError,GetLocaleInfoEx,GetLastError,GetLocaleInfoEx,GetLastError,memset,GetKeyState,GetKeyState,GetKeyState,	33_2_00007FF67879AF2C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879B6D0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,RegGetValueW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,GetCurrentThreadId,GetCurrentThreadId,RegGetValueW,GetCurrentThreadId,RegSetValueExW,GetCurrentThreadId,RegCloseKey,	33_2_00007FF67879B6D0

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

Code function: 33_2_00007FF6787C9BE0 GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,OpenClipboard,GetLastError,GetCurrentThreadId,EmptyClipboard,GetCurrentThreadId,SetClipboardData,CloseClipboard,

33_2_00007FF6787C9BE0

E-Banking Fraud:

Yara detected Dridex unpacked file

Source: Yara match	File source: 0000002B.00000002.479085760.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.235930456.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.448796911.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.246415321.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.228897543.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.270992989.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.259705303.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.365201686.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.263971738.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.225554693.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.338160858.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.404405311.0000000140001000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe

Code function: 27_2_00007FF701091D40 NtShutdownSystem,InitiateShutdownW,

27_2_00007FF701091D40

Detected potential crypto function

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140034870	3_2_0000000140034870
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003B220	3_2_000000014003B220
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140035270	3_2_0000000140035270
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140048AC0	3_2_0000000140048AC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003A2E0	3_2_000000014003A2E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014005C340	3_2_000000014005C340
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140065B80	3_2_0000000140065B80
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014006A4B0	3_2_000000014006A4B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400524B0	3_2_00000001400524B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140026CC0	3_2_0000000140026CC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014004BD40	3_2_000000014004BD40
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400495B0	3_2_00000001400495B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140036F30	3_2_0000000140036F30
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140069010	3_2_0000000140069010
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140001010	3_2_0000000140001010
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140066020	3_2_0000000140066020
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002F840	3_2_000000014002F840
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014005D850	3_2_000000014005D850
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140064080	3_2_0000000140064080
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140010880	3_2_0000000140010880
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400688A0	3_2_00000001400688A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002D0D0	3_2_000000014002D0D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400018D0	3_2_00000001400018D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140016100	3_2_0000000140016100
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014001D100	3_2_000000014001D100
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002A110	3_2_000000014002A110
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014001D910	3_2_000000014001D910
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140015120	3_2_0000000140015120
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014000B120	3_2_000000014000B120
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014004F940	3_2_000000014004F940
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140039140	3_2_0000000140039140
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140023140	3_2_0000000140023140
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140057950	3_2_0000000140057950
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014001E170	3_2_000000014001E170
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140002980	3_2_0000000140002980
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400611A0	3_2_00000001400611A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400389A0	3_2_00000001400389A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400381A0	3_2_00000001400381A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002E1B0	3_2_000000014002E1B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014007C9D0	3_2_000000014007C9D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400139D0	3_2_00000001400139D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400319F0	3_2_00000001400319F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002EA00	3_2_000000014002EA00
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140022A00	3_2_0000000140022A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140067A40	3_2_0000000140067A40
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140069A50	3_2_0000000140069A50
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140007A60	3_2_0000000140007A60
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003AAC0	3_2_000000014003AAC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140062B00	3_2_0000000140062B00
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140018300	3_2_0000000140018300
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002FB20	3_2_000000014002FB20
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140031340	3_2_0000000140031340
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140022340	3_2_0000000140022340
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140017B40	3_2_0000000140017B40
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014000BB40	3_2_000000014000BB40
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140079360	3_2_0000000140079360
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014004EB60	3_2_000000014004EB60
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140005370	3_2_0000000140005370
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002CB80	3_2_000000014002CB80
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014006B390	3_2_000000014006B390
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140054BA0	3_2_0000000140054BA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140033BB0	3_2_0000000140033BB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400263C0	3_2_00000001400263C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400123C0	3_2_00000001400123C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140063BD0	3_2_0000000140063BD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400663F0	3_2_00000001400663F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140023BF0	3_2_0000000140023BF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014006B41B	3_2_000000014006B41B
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014006B424	3_2_000000014006B424
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014006B42D	3_2_000000014006B42D
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014006B436	3_2_000000014006B436
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014006B43D	3_2_000000014006B43D
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140024440	3_2_0000000140024440
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140005C40	3_2_0000000140005C40
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014006B446	3_2_000000014006B446
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014005F490	3_2_000000014005F490
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140022D00	3_2_0000000140022D00
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140035520	3_2_0000000140035520
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140019D20	3_2_0000000140019D20
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140030530	3_2_0000000140030530
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140023530	3_2_0000000140023530
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140078D3F	3_2_0000000140078D3F
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140031540	3_2_0000000140031540
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140033540	3_2_0000000140033540
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014007BD50	3_2_000000014007BD50
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140078570	3_2_0000000140078570
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140019580	3_2_0000000140019580
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400205A0	3_2_00000001400205A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140025DB0	3_2_0000000140025DB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140071DC0	3_2_0000000140071DC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014000C5C0	3_2_000000014000C5C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002DDE0	3_2_000000014002DDE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014007D5F0	3_2_000000014007D5F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140031DF0	3_2_0000000140031DF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014000DDF0	3_2_000000014000DDF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140001620	3_2_0000000140001620
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140018630	3_2_0000000140018630
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140032650	3_2_0000000140032650
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140050E60	3_2_0000000140050E60
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140064E80	3_2_0000000140064E80
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140016E80	3_2_0000000140016E80
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140079681	3_2_0000000140079681
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140007EA0	3_2_0000000140007EA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400286B0	3_2_00000001400286B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140006EB0	3_2_0000000140006EB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400276C0	3_2_00000001400276C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002FEC0	3_2_000000014002FEC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140078EBB	3_2_0000000140078EBB
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002EED0	3_2_000000014002EED0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002B6E0	3_2_000000014002B6E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140053F20	3_2_0000000140053F20
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140022730	3_2_0000000140022730
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140029780	3_2_0000000140029780
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140018F80	3_2_0000000140018F80
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003EFB0	3_2_000000014003EFB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400067B0	3_2_00000001400067B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400667D0	3_2_00000001400667D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140060FE0	3_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF70109AC30	27_2_00007FF70109AC30
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010A361C	27_2_00007FF7010A361C
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010A326C	27_2_00007FF7010A326C
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF70109DE58	27_2_00007FF70109DE58
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF70109FEA0	27_2_00007FF70109FEA0
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF70109DAE0	27_2_00007FF70109DAE0
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010AA8E0	27_2_00007FF7010AA8E0
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF70109FAE4	27_2_00007FF70109FAE4
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF701099CF8	27_2_00007FF701099CF8
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010A1F24	27_2_00007FF7010A1F24
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF701094D5C	27_2_00007FF701094D5C
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010AE3C4	27_2_00007FF7010AE3C4
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF701098BEC	27_2_00007FF701098BEC
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010951DC	27_2_00007FF7010951DC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678785A2C	33_2_00007FF678785A2C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67877B968	33_2_00007FF67877B968
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67877CA98	33_2_00007FF67877CA98
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787D5AAC	33_2_00007FF6787D5AAC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787B9BD0	33_2_00007FF6787B9BD0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A5BD0	33_2_00007FF6787A5BD0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A3C00	33_2_00007FF6787A3C00
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67877DB78	33_2_00007FF67877DB78
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A1B90	33_2_00007FF6787A1B90
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CEBA4	33_2_00007FF6787CEBA4
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678772CF0	33_2_00007FF678772CF0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678791D00	33_2_00007FF678791D00
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AFCFC	33_2_00007FF6787AFCFC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787D7CF8	33_2_00007FF6787D7CF8
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CFD10	33_2_00007FF6787CFD10
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67877DDB8	33_2_00007FF67877DDB8
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879CE20	33_2_00007FF67879CE20
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C8D4C	33_2_00007FF6787C8D4C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C4D60	33_2_00007FF6787C4D60
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787ACEE8	33_2_00007FF6787ACEE8
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678777EFC	33_2_00007FF678777EFC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879FF10	33_2_00007FF67879FF10
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678802F18	33_2_00007FF678802F18
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AAE90	33_2_00007FF6787AAE90
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C5E98	33_2_00007FF6787C5E98
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CEFB4	33_2_00007FF6787CEFB4
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A10C0	33_2_00007FF6787A10C0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A30C4	33_2_00007FF6787A30C4
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67880B108	33_2_00007FF67880B108
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787F0114	33_2_00007FF6787F0114
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67877E038	33_2_00007FF67877E038
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AF088	33_2_00007FF6787AF088
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AC1D0	33_2_00007FF6787AC1D0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6788011E0	33_2_00007FF6788011E0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A6218	33_2_00007FF6787A6218
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787BC188	33_2_00007FF6787BC188
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C32E0	33_2_00007FF6787C32E0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787802EC	33_2_00007FF6787802EC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787D3310	33_2_00007FF6787D3310
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787B3330	33_2_00007FF6787B3330
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A83D0	33_2_00007FF6787A83D0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787FD3D0	33_2_00007FF6787FD3D0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678772420	33_2_00007FF678772420
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678803358	33_2_00007FF678803358
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787B4380	33_2_00007FF6787B4380
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A2510	33_2_00007FF6787A2510
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787E952C	33_2_00007FF6787E952C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787DD484	33_2_00007FF6787DD484
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787B6478	33_2_00007FF6787B6478
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C04A4	33_2_00007FF6787C04A4
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787FF4B0	33_2_00007FF6787FF4B0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879E604	33_2_00007FF67879E604
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C15FC	33_2_00007FF6787C15FC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AE61C	33_2_00007FF6787AE61C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787B4630	33_2_00007FF6787B4630
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C7540	33_2_00007FF6787C7540
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879D544	33_2_00007FF67879D544
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787EA550	33_2_00007FF6787EA550
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CF570	33_2_00007FF6787CF570
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CB704	33_2_00007FF6787CB704
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67877C714	33_2_00007FF67877C714
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678792660	33_2_00007FF678792660
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EF2CD8	39_2_00007FF753EF2CD8
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EE2400	39_2_00007FF753EE2400
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EE2BD0	39_2_00007FF753EE2BD0
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EF53BC	39_2_00007FF753EF53BC
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EEFB90	39_2_00007FF753EEFB90
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EFA35C	39_2_00007FF753EFA35C
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EF3348	39_2_00007FF753EF3348
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EE8B30	39_2_00007FF753EE8B30
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EF8320	39_2_00007FF753EF8320
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EF8AC0	39_2_00007FF753EF8AC0
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EFC8A0	39_2_00007FF753EFC8A0
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EF47B0	39_2_00007FF753EF47B0
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EF0FA0	39_2_00007FF753EF0FA0
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EEAF54	39_2_00007FF753EEAF54
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EEBF00	39_2_00007FF753EEBF00
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EE5E54	39_2_00007FF753EE5E54
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EF5E50	39_2_00007FF753EF5E50
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EE4E3C	39_2_00007FF753EE4E3C
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EECDB0	39_2_00007FF753EECDB0
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF6010A1690	43_2_00007FF6010A1690
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60101DA8C	43_2_00007FF60101DA8C
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60102EAB4	43_2_00007FF60102EAB4
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601014EC4	43_2_00007FF601014EC4
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF6010312E0	43_2_00007FF6010312E0
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601054320	43_2_00007FF601054320
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF6010239A0	43_2_00007FF6010239A0
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF6010235EC	43_2_00007FF6010235EC
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601028DF0	43_2_00007FF601028DF0
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60102CE08	43_2_00007FF60102CE08
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60102A858	43_2_00007FF60102A858
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601028060	43_2_00007FF601028060
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF6010284C0	43_2_00007FF6010284C0
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF6010264DC	43_2_00007FF6010264DC
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601016B94	43_2_00007FF601016B94
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF6010277C0	43_2_00007FF6010277C0
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601015410	43_2_00007FF601015410

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: String function: 00007FF7010A5950 appears 60 times
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: String function: 00007FF678774DF0 appears 948 times
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: String function: 00007FF6787AF2F0 appears 31 times

Contains functionality to call native functions

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003BFF0 NtDuplicateObject,	3_2_000000014003BFF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003B220 NtReadVirtualMemory,RtlQueueApcWow64Thread,NtProtectVirtualMemory,RtlQueueApcWow64Thread,NtProtectVirtualMemory,NtProtectVirtualMemory,	3_2_000000014003B220
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140025280 NtDuplicateObject,	3_2_0000000140025280
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003A2E0 NtDuplicateObject,RtlQueueApcWow64Thread,	3_2_000000014003A2E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140025330 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,	3_2_0000000140025330
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003BC10 CreateFileMappingW,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,	3_2_000000014003BC10
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014004E440 NtDelayExecution,	3_2_000000014004E440
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140046C90 NtClose,	3_2_0000000140046C90
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014006A4B0 NtQuerySystemInformation,RtlAllocateHeap,	3_2_000000014006A4B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003C560 NtDuplicateObject,NtClose,	3_2_000000014003C560
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140039F50 NtReadVirtualMemory,	3_2_0000000140039F50
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003BF70 NtDuplicateObject,NtClose,	3_2_000000014003BF70
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF701091D40 NtShutdownSystem,InitiateShutdownW,	27_2_00007FF701091D40
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AE9C8 ZwQueryWnfStateData,	33_2_00007FF6787AE9C8
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787ABAC4 GetProcessHeap,HeapAlloc,GetCurrentThreadId,memset,NtQueryInformationProcess,RtlNtStatusToDosError,GetCurrentThreadId,NtQueryInformationProcess,GetProcessHeap,HeapFree,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF6787ABAC4
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787B9AC4 NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,	33_2_00007FF6787B9AC4
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CCA70 NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,GetDurationFormatEx,GetLastError,GetCurrentThreadId,	33_2_00007FF6787CCA70
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678810BDC NtOpenFile,RtlNtStatusToDosError,SetLastError,	33_2_00007FF678810BDC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AAC20 NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF6787AAC20
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787ADB48 memset,GetCurrentThreadId,NtSetInformationProcess,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF6787ADB48
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67878FB5C NtQueryInformationProcess,RtlNtStatusToDosError,	33_2_00007FF67878FB5C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CEBA4 NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,	33_2_00007FF6787CEBA4
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CCCBC memset,NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF6787CCCBC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A9D1C NtQuerySystemInformation,RtlNtStatusToDosError,	33_2_00007FF6787A9D1C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67878CC7C memset,GetCurrentThreadId,EtwCheckCoverage,EtwCheckCoverage,EtwCheckCoverage,NtSetInformationProcess,GetCurrentThreadId,NtQueryInformationProcess,RtlNtStatusToDosError,RtlNtStatusToDosError,GetCurrentThreadId,CloseHandle,	33_2_00007FF67878CC7C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A9DE0 NtQueryInformationProcess,RtlNtStatusToDosError,GetCurrentThreadId,ReadProcessMemory,GetLastError,GetCurrentThreadId,ReadProcessMemory,GetLastError,GetCurrentThreadId,ReadProcessMemory,GetLastError,GetCurrentThreadId,	33_2_00007FF6787A9DE0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787FDF04 DuplicateHandle,GetLastError,GetCurrentThreadId,NtQueryObject,RtlNtStatusToDosError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetCurrentThreadId,GetCurrentThreadId,CloseHandle,	33_2_00007FF6787FDF04
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C5E98 EtwCheckCoverage,NtSetInformationProcess,HeapSetInformation,CommandLineToArgvW,OpenEventW,SetEvent,CloseHandle,SetProcessShutdownParameters,RegisterApplicationRestart,InitProcessPriv,GetCurrentThreadId,InitThread,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,LoadAcceleratorsW,ReleaseMutex,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW,LocalFree,UnInitThread,UnInitProcessPriv,FreeLibrary,	33_2_00007FF6787C5E98
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787ABFB0 PcwCreateQuery,GetCurrentThreadId,RtlInitUnicodeString,RtlInitUnicodeString,PcwAddQueryItem,GetCurrentThreadId,GetProcessHeap,HeapAlloc,GetCurrentThreadId,memset,GetProcessHeap,HeapAlloc,GetCurrentThreadId,memset,GetCurrentThreadId,NtQueryTimerResolution,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF6787ABFB0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CEFB4 GetCurrentThreadId,memset,NtQuerySystemInformation,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,	33_2_00007FF6787CEFB4
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787B9118 NtQuerySystemInformation,	33_2_00007FF6787B9118
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67877B1DC NtPowerInformation,RtlNtStatusToDosError,	33_2_00007FF67877B1DC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879B1E8 NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF67879B1E8
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AE234 GetCurrentThreadId,NtQueryInformationProcess,CloseHandle,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF6787AE234
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6788102EC NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,HeapAlloc,memset,NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,RtlInitUnicodeString,RtlCompareUnicodeString,	33_2_00007FF6788102EC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787802EC GetLogicalProcessorInformationEx,GetLastError,GetCurrentThreadId,GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetLogicalProcessorInformationEx,GetLastError,GetCurrentThreadId,RtlNumberOfSetBitsUlongPtr,GetCurrentThreadId,GetCurrentThreadId,NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,GetProcessHeap,HeapFree,	33_2_00007FF6787802EC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AE334 GetCurrentThread,NtQueryInformationThread,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF6787AE334
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787FE27C DuplicateHandle,GetLastError,NtQueryInformationFile,RtlNtStatusToDosError,GetFileType,CloseHandle,	33_2_00007FF6787FE27C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AA46C GetLogicalProcessorInformationEx,GetProcessHeap,HeapAlloc,memset,NtPowerInformation,RtlNtStatusToDosError,GetProcessHeap,HeapFree,GetCurrentThreadId,GetProcessHeap,HeapFree,GetCurrentThreadId,	33_2_00007FF6787AA46C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787B6478 PcwCreateQuery,GetCurrentThreadId,RtlInitUnicodeString,RtlInitUnicodeString,PcwAddQueryItem,GetCurrentThreadId,GetProcessHeap,HeapAlloc,GetCurrentThreadId,memset,GetProcessHeap,HeapAlloc,GetCurrentThreadId,memset,PcwCreateQuery,GetCurrentThreadId,RtlInitUnicodeString,RtlInitUnicodeString,PcwAddQueryItem,GetCurrentThreadId,GetProcessHeap,HeapAlloc,GetCurrentThreadId,memset,GetProcessHeap,HeapAlloc,GetCurrentThreadId,memset,NtQueryTimerResolution,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF6787B6478
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787905BC memset,NtQueryInformationProcess,CloseHandle,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF6787905BC

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe

Code function: 27_2_00007FF7010ACA2C: CreateFileW,DeviceIoControl,CloseHandle,CoCreateInstance,CloseHandle,

27_2_00007FF7010ACA2C

Sample file is different than original file name gathered from version info

Source: 3FLps29lWm.dll

Binary or memory string: OriginalFilenamekbdyj% vs 3FLps29lWm.dll

PE file contains strange resources

Source: rstrui.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: rstrui.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: rstrui.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FXSCOVER.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FXSCOVER.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FXSCOVER.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dialer.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Windows\System32\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

PE file contains more sections than normal

Source: DUI70.dll.9.dr	Static PE information: Number of sections : 48 > 10
Source: 3FLps29lWm.dll	Static PE information: Number of sections : 47 > 10
Source: WINMM.dll.9.dr	Static PE information: Number of sections : 48 > 10
Source: SRCORE.dll.9.dr	Static PE information: Number of sections : 48 > 10
Source: TAPI32.dll.9.dr	Static PE information: Number of sections : 48 > 10
Source: MFC42u.dll.9.dr	Static PE information: Number of sections : 48 > 10

Source: 3FLps29lWm.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SRCORE.dll.9.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.9.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFC42u.dll.9.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINMM.dll.9.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TAPI32.dll.9.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 3FLps29lWm.dll	Virustotal: Detection: 71%
Source: 3FLps29lWm.dll	Metadefender: Detection: 62%
Source: 3FLps29lWm.dll	ReversingLabs: Detection: 75%

Source: 3FLps29lWm.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\3FLps29lWm.dll'
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3FLps29lWm.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\3FLps29lWm.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3FLps29lWm.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BeginBufferedAnimation
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6448 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BeginBufferedPaint
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BeginPanningFeedback
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintClear
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintInit
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintRenderAnimation
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintSetAlpha
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\rstrui.exe C:\Windows\system32\rstrui.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\UIPe\rstrui.exe C:\Users\user\AppData\Local\UIPe\rstrui.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\Taskmgr.exe C:\Windows\system32\Taskmgr.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\FXSCOVER.exe C:\Windows\system32\FXSCOVER.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\yeShxe\mstsc.exe C:\Users\user\AppData\Local\yeShxe\mstsc.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3FLps29lWm.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\3FLps29lWm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BeginBufferedAnimation	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BeginBufferedPaint	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BeginPanningFeedback	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintClear	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintInit	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintRenderAnimation	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintSetAlpha	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3FLps29lWm.dll',#1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6448 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\rstrui.exe C:\Windows\system32\rstrui.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\UIPe\rstrui.exe C:\Users\user\AppData\Local\UIPe\rstrui.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\Taskmgr.exe C:\Windows\system32\Taskmgr.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\FXSCOVER.exe C:\Windows\system32\FXSCOVER.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\yeShxe\mstsc.exe C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010A7798 LookupPrivilegeValueW,SetLastError,AdjustTokenPrivileges,GetLastError,		27_2_00007FF7010A7798
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879E0A4 GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetCurrentProcess,OpenProcessToken,GetLastError,GetCurrentThreadId,AdjustTokenPrivileges,GetLastError,GetCurrentThreadId,CloseHandle,GetProcessHeap,HeapFree,		33_2_00007FF67879E0A4

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF3E5B0442C91F7FC3.TMP

Jump to behavior

Source: Taskmgr.exe.9.dr	Binary string: Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\device\mup\WdcAppHistoryMonitor::GetColumnTexth:mm:ssWdcAppHistoryMonitor::UpdateInitializeAppHistoryMessageWindowWdcAppHistoryMonitor::_ReconcileImmersiveApplicationWdcAppHistoryMonitor::_ReconcileSingleAppPackageWdcAppHistoryMonitor::_ReconcileMultiAppPackageWdcAppHistoryMonitor::_GetPackageIconPathAppXManifest.xmlLogoWdcAppHistoryMonitor::_GetIconAndBackgroundColorForApplicationWdcAppHistoryMonitor::_CreateAppHistoryEntryWdcAppHistoryMonitor::_CreateApplicationEntryWdcAppHistoryMonitor::_CreateAndInitIconItemWdcAppHistoryMonitor::_SetIconWdcAppHistoryMonitor::_SetStackedIconWdcAppHistoryMonitor::_GetDwmDosPath%s%s\dwm.exeWdcAppHistoryMonitor::_AddDesktopItemEntry%windir%\system32\svchost.exeWdcAppHistoryMonitor::_AddAppMappingKeyByKeyWdcAppHistoryMonitor::_MapAndGetPackageNameKeyWdcAppHistoryMonitor::_MapAndGetSpecialItemEntrySystem\System interruptssvchost.exe [Uninstalled AppsRemote running AppsWdcAppHistoryMonitor::_MapAndGetDesktopItemEntryWdcAppHistoryMonitor::_CheckAndProcessShortExePathsWdcAppHistoryMonitor::_AddAppMappingKeyWdcAppHistoryMonitor::_RemoveAppMappingKeyByPrimarykeyWdcAppHistoryMonitor::_IsImmersiveApplicationInstallDateSoftware\Microsoft\Windows NT\CurrentVersionLastUpdateTextWdcAppHistoryMonitor::_RefreshLastUpdatedTextWdcAppHistoryMonitor::_RetireOldUsageDataWdcAppHistoryMonitor::_RegisterForSrumDataWdcAppHistoryMonitor::_ProcessNetworkSrumRecordWdcAppHistoryMonitor::_UpdateServiceMappingWdcAppHistoryMonitor::_GetServiceExePathWdcAppHistoryMonitor::_InitializeDataSourcesWdcAppHistoryMonitor::_ProcessCpuSrumRecordWdcAppHistoryMonitor::_ProcessNotificationsSrumRecordAppHistoryStringCache::InitializeAppHistoryStringCache::AddI
Source: Taskmgr.exe.9.dr	Binary string: tX~QDUI_GetElementScreenBoundsbase\diagnosis\pdui\atm\utils.cppTmFormatMessageDUI_GetElementBoundsIPropertyStore_GetStringIPropertyStore_GetBSTRIPropertyStore_GetUInt32Software\Microsoft\Windows\CurrentVersion\StartupNotifyResetNotificationEnableStartupAppNotificationCAdapter::IncreaseArraySizeCAdapter::InitCOMCAdapter::RefreshAdapterTableCAdapter::GetAdapterListCAdapter::GetAdapterInfoCAdapter::InitializeAdapter\Device\%sCAdapter::GetNetworkStatusCAdapter::NormalizeValueCAdapter::SetNetworkProperties- %sCAdapter::WifiSetPropertiesSoftware\Microsoft\Windows\CurrentVersion\Control Panel\Settings\NetworkWiFiToWlanCAdapter::WWanSetPropertiesCAdapter::WwanUpdatePropertiesCAdapter::IsDomainAuthenticatedCAdapter::BluetoothSetPropertiesCAdapter::EthernetSetPropertiesCAdapter::GetNetworkTitleNetCfgInstanceIdCharacteristics

Source: classification engine

Classification label: mal100.troj.evad.winDLL@43/102@13/6

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe

Code function: 27_2_00007FF7010ACA2C CreateFileW,DeviceIoControl,CloseHandle,CoCreateInstance,CloseHandle,

27_2_00007FF7010ACA2C

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

Code function: 33_2_00007FF6787D7A00 FormatMessageW,GetLastError,

33_2_00007FF6787D7A00

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_000000014003C240 GetProcessId,CreateToolhelp32Snapshot,Thread32First,

3_2_000000014003C240

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3FLps29lWm.dll',#1

Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Mutant created: \Sessions\1\BaseNamedObjects\{0331cfef-83a8-ddec-d68b-60fc492028d0}
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Mutant created: \Sessions\1\BaseNamedObjects\{897aaf70-ec98-d9a5-5c72-a2485b288656}

Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe

Code function: 43_2_00007FF601014EC4 LoadLibraryExW,FindResourceExW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,free,free,

43_2_00007FF601014EC4

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 3FLps29lWm.dll

Static PE information: Image base 0x140000000 > 0x60000000

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: 3FLps29lWm.dll

Static file information: File size 1646592 > 1048576

Source: 3FLps29lWm.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: FXSCOVER.pdb source: FXSCOVER.exe, 00000027.00000002.451597797.00007FF753F02000.00000002.00020000.sdmp, FXSCOVER.exe.9.dr
Source:	Binary string: Taskmgr.pdbUGP source: Taskmgr.exe, 00000021.00000002.410121511.00007FF678813000.00000002.00020000.sdmp, Taskmgr.exe.9.dr
Source:	Binary string: dialer.pdbGCTL source: dialer.exe.9.dr
Source:	Binary string: FXSCOVER.pdbGCTL source: FXSCOVER.exe, 00000027.00000002.451597797.00007FF753F02000.00000002.00020000.sdmp, FXSCOVER.exe.9.dr
Source:	Binary string: Taskmgr.pdb source: Taskmgr.exe, 00000021.00000002.410121511.00007FF678813000.00000002.00020000.sdmp, Taskmgr.exe.9.dr
Source:	Binary string: rstrui.pdbGCTL source: rstrui.exe, 0000001B.00000000.343039764.00007FF7010B1000.00000002.00020000.sdmp, rstrui.exe.9.dr
Source:	Binary string: rstrui.pdb source: rstrui.exe, 0000001B.00000000.343039764.00007FF7010B1000.00000002.00020000.sdmp, rstrui.exe.9.dr
Source:	Binary string: mstsc.pdbGCTL source: mstsc.exe, 0000002B.00000000.457004471.00007FF601134000.00000002.00020000.sdmp, mstsc.exe.9.dr
Source:	Binary string: dialer.pdb source: dialer.exe.9.dr
Source:	Binary string: mstsc.pdb source: mstsc.exe, 0000002B.00000000.457004471.00007FF601134000.00000002.00020000.sdmp, mstsc.exe.9.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_0000000140056A4D push rdi; ret

3_2_0000000140056A4E

PE file contains sections with non-standard names

Source: 3FLps29lWm.dll	Static PE information: section name: .qkm
Source: 3FLps29lWm.dll	Static PE information: section name: .cvjb
Source: 3FLps29lWm.dll	Static PE information: section name: .tlmkv
Source: 3FLps29lWm.dll	Static PE information: section name: .wucsxe
Source: 3FLps29lWm.dll	Static PE information: section name: .fltwtj
Source: 3FLps29lWm.dll	Static PE information: section name: .sfplio
Source: 3FLps29lWm.dll	Static PE information: section name: .rpg
Source: 3FLps29lWm.dll	Static PE information: section name: .bewzc
Source: 3FLps29lWm.dll	Static PE information: section name: .vksvaw
Source: 3FLps29lWm.dll	Static PE information: section name: .wmhg
Source: 3FLps29lWm.dll	Static PE information: section name: .kswemc
Source: 3FLps29lWm.dll	Static PE information: section name: .kaxfk
Source: 3FLps29lWm.dll	Static PE information: section name: .pjf
Source: 3FLps29lWm.dll	Static PE information: section name: .retjqj
Source: 3FLps29lWm.dll	Static PE information: section name: .mizn
Source: 3FLps29lWm.dll	Static PE information: section name: .rsrub
Source: 3FLps29lWm.dll	Static PE information: section name: .susbqq
Source: 3FLps29lWm.dll	Static PE information: section name: .jeojcw
Source: 3FLps29lWm.dll	Static PE information: section name: .vwl
Source: 3FLps29lWm.dll	Static PE information: section name: .mub
Source: 3FLps29lWm.dll	Static PE information: section name: .xwxpmb
Source: 3FLps29lWm.dll	Static PE information: section name: .aea
Source: 3FLps29lWm.dll	Static PE information: section name: .lwpch
Source: 3FLps29lWm.dll	Static PE information: section name: .nzgp
Source: 3FLps29lWm.dll	Static PE information: section name: .qimx
Source: 3FLps29lWm.dll	Static PE information: section name: .tkvgvo
Source: 3FLps29lWm.dll	Static PE information: section name: .tgipu
Source: 3FLps29lWm.dll	Static PE information: section name: .uwr
Source: 3FLps29lWm.dll	Static PE information: section name: .agscf
Source: 3FLps29lWm.dll	Static PE information: section name: .idba
Source: 3FLps29lWm.dll	Static PE information: section name: .txn
Source: 3FLps29lWm.dll	Static PE information: section name: .amfg
Source: 3FLps29lWm.dll	Static PE information: section name: .fgnmv
Source: 3FLps29lWm.dll	Static PE information: section name: .iqmp
Source: 3FLps29lWm.dll	Static PE information: section name: .hkwa
Source: 3FLps29lWm.dll	Static PE information: section name: .imjyew
Source: 3FLps29lWm.dll	Static PE information: section name: .qlv
Source: 3FLps29lWm.dll	Static PE information: section name: .vofo
Source: 3FLps29lWm.dll	Static PE information: section name: .emh
Source: 3FLps29lWm.dll	Static PE information: section name: .boy
Source: 3FLps29lWm.dll	Static PE information: section name: .twwn
Source: Taskmgr.exe.9.dr	Static PE information: section name: .imrsiv
Source: Taskmgr.exe.9.dr	Static PE information: section name: .didat
Source: mstsc.exe.9.dr	Static PE information: section name: .didat
Source: SRCORE.dll.9.dr	Static PE information: section name: .qkm
Source: SRCORE.dll.9.dr	Static PE information: section name: .cvjb
Source: SRCORE.dll.9.dr	Static PE information: section name: .tlmkv
Source: SRCORE.dll.9.dr	Static PE information: section name: .wucsxe
Source: SRCORE.dll.9.dr	Static PE information: section name: .fltwtj
Source: SRCORE.dll.9.dr	Static PE information: section name: .sfplio
Source: SRCORE.dll.9.dr	Static PE information: section name: .rpg
Source: SRCORE.dll.9.dr	Static PE information: section name: .bewzc
Source: SRCORE.dll.9.dr	Static PE information: section name: .vksvaw
Source: SRCORE.dll.9.dr	Static PE information: section name: .wmhg
Source: SRCORE.dll.9.dr	Static PE information: section name: .kswemc
Source: SRCORE.dll.9.dr	Static PE information: section name: .kaxfk
Source: SRCORE.dll.9.dr	Static PE information: section name: .pjf
Source: SRCORE.dll.9.dr	Static PE information: section name: .retjqj
Source: SRCORE.dll.9.dr	Static PE information: section name: .mizn
Source: SRCORE.dll.9.dr	Static PE information: section name: .rsrub
Source: SRCORE.dll.9.dr	Static PE information: section name: .susbqq
Source: SRCORE.dll.9.dr	Static PE information: section name: .jeojcw
Source: SRCORE.dll.9.dr	Static PE information: section name: .vwl
Source: SRCORE.dll.9.dr	Static PE information: section name: .mub
Source: SRCORE.dll.9.dr	Static PE information: section name: .xwxpmb
Source: SRCORE.dll.9.dr	Static PE information: section name: .aea
Source: SRCORE.dll.9.dr	Static PE information: section name: .lwpch
Source: SRCORE.dll.9.dr	Static PE information: section name: .nzgp
Source: SRCORE.dll.9.dr	Static PE information: section name: .qimx
Source: SRCORE.dll.9.dr	Static PE information: section name: .tkvgvo
Source: SRCORE.dll.9.dr	Static PE information: section name: .tgipu
Source: SRCORE.dll.9.dr	Static PE information: section name: .uwr
Source: SRCORE.dll.9.dr	Static PE information: section name: .agscf
Source: SRCORE.dll.9.dr	Static PE information: section name: .idba
Source: SRCORE.dll.9.dr	Static PE information: section name: .txn
Source: SRCORE.dll.9.dr	Static PE information: section name: .amfg
Source: SRCORE.dll.9.dr	Static PE information: section name: .fgnmv
Source: SRCORE.dll.9.dr	Static PE information: section name: .iqmp
Source: SRCORE.dll.9.dr	Static PE information: section name: .hkwa
Source: SRCORE.dll.9.dr	Static PE information: section name: .imjyew
Source: SRCORE.dll.9.dr	Static PE information: section name: .qlv
Source: SRCORE.dll.9.dr	Static PE information: section name: .vofo
Source: SRCORE.dll.9.dr	Static PE information: section name: .emh
Source: SRCORE.dll.9.dr	Static PE information: section name: .boy
Source: SRCORE.dll.9.dr	Static PE information: section name: .twwn
Source: SRCORE.dll.9.dr	Static PE information: section name: .bfj
Source: DUI70.dll.9.dr	Static PE information: section name: .qkm
Source: DUI70.dll.9.dr	Static PE information: section name: .cvjb
Source: DUI70.dll.9.dr	Static PE information: section name: .tlmkv
Source: DUI70.dll.9.dr	Static PE information: section name: .wucsxe
Source: DUI70.dll.9.dr	Static PE information: section name: .fltwtj
Source: DUI70.dll.9.dr	Static PE information: section name: .sfplio
Source: DUI70.dll.9.dr	Static PE information: section name: .rpg
Source: DUI70.dll.9.dr	Static PE information: section name: .bewzc
Source: DUI70.dll.9.dr	Static PE information: section name: .vksvaw
Source: DUI70.dll.9.dr	Static PE information: section name: .wmhg
Source: DUI70.dll.9.dr	Static PE information: section name: .kswemc
Source: DUI70.dll.9.dr	Static PE information: section name: .kaxfk
Source: DUI70.dll.9.dr	Static PE information: section name: .pjf
Source: DUI70.dll.9.dr	Static PE information: section name: .retjqj
Source: DUI70.dll.9.dr	Static PE information: section name: .mizn
Source: DUI70.dll.9.dr	Static PE information: section name: .rsrub
Source: DUI70.dll.9.dr	Static PE information: section name: .susbqq
Source: DUI70.dll.9.dr	Static PE information: section name: .jeojcw
Source: DUI70.dll.9.dr	Static PE information: section name: .vwl
Source: DUI70.dll.9.dr	Static PE information: section name: .mub
Source: DUI70.dll.9.dr	Static PE information: section name: .xwxpmb
Source: DUI70.dll.9.dr	Static PE information: section name: .aea
Source: DUI70.dll.9.dr	Static PE information: section name: .lwpch
Source: DUI70.dll.9.dr	Static PE information: section name: .nzgp
Source: DUI70.dll.9.dr	Static PE information: section name: .qimx
Source: DUI70.dll.9.dr	Static PE information: section name: .tkvgvo
Source: DUI70.dll.9.dr	Static PE information: section name: .tgipu
Source: DUI70.dll.9.dr	Static PE information: section name: .uwr
Source: DUI70.dll.9.dr	Static PE information: section name: .agscf
Source: DUI70.dll.9.dr	Static PE information: section name: .idba
Source: DUI70.dll.9.dr	Static PE information: section name: .txn
Source: DUI70.dll.9.dr	Static PE information: section name: .amfg
Source: DUI70.dll.9.dr	Static PE information: section name: .fgnmv
Source: DUI70.dll.9.dr	Static PE information: section name: .iqmp
Source: DUI70.dll.9.dr	Static PE information: section name: .hkwa
Source: DUI70.dll.9.dr	Static PE information: section name: .imjyew
Source: DUI70.dll.9.dr	Static PE information: section name: .qlv
Source: DUI70.dll.9.dr	Static PE information: section name: .vofo
Source: DUI70.dll.9.dr	Static PE information: section name: .emh
Source: DUI70.dll.9.dr	Static PE information: section name: .boy
Source: DUI70.dll.9.dr	Static PE information: section name: .twwn
Source: DUI70.dll.9.dr	Static PE information: section name: .szc
Source: MFC42u.dll.9.dr	Static PE information: section name: .qkm
Source: MFC42u.dll.9.dr	Static PE information: section name: .cvjb
Source: MFC42u.dll.9.dr	Static PE information: section name: .tlmkv
Source: MFC42u.dll.9.dr	Static PE information: section name: .wucsxe
Source: MFC42u.dll.9.dr	Static PE information: section name: .fltwtj
Source: MFC42u.dll.9.dr	Static PE information: section name: .sfplio
Source: MFC42u.dll.9.dr	Static PE information: section name: .rpg
Source: MFC42u.dll.9.dr	Static PE information: section name: .bewzc
Source: MFC42u.dll.9.dr	Static PE information: section name: .vksvaw
Source: MFC42u.dll.9.dr	Static PE information: section name: .wmhg
Source: MFC42u.dll.9.dr	Static PE information: section name: .kswemc
Source: MFC42u.dll.9.dr	Static PE information: section name: .kaxfk
Source: MFC42u.dll.9.dr	Static PE information: section name: .pjf
Source: MFC42u.dll.9.dr	Static PE information: section name: .retjqj
Source: MFC42u.dll.9.dr	Static PE information: section name: .mizn
Source: MFC42u.dll.9.dr	Static PE information: section name: .rsrub
Source: MFC42u.dll.9.dr	Static PE information: section name: .susbqq
Source: MFC42u.dll.9.dr	Static PE information: section name: .jeojcw
Source: MFC42u.dll.9.dr	Static PE information: section name: .vwl
Source: MFC42u.dll.9.dr	Static PE information: section name: .mub
Source: MFC42u.dll.9.dr	Static PE information: section name: .xwxpmb
Source: MFC42u.dll.9.dr	Static PE information: section name: .aea
Source: MFC42u.dll.9.dr	Static PE information: section name: .lwpch
Source: MFC42u.dll.9.dr	Static PE information: section name: .nzgp
Source: MFC42u.dll.9.dr	Static PE information: section name: .qimx
Source: MFC42u.dll.9.dr	Static PE information: section name: .tkvgvo
Source: MFC42u.dll.9.dr	Static PE information: section name: .tgipu
Source: MFC42u.dll.9.dr	Static PE information: section name: .uwr
Source: MFC42u.dll.9.dr	Static PE information: section name: .agscf
Source: MFC42u.dll.9.dr	Static PE information: section name: .idba
Source: MFC42u.dll.9.dr	Static PE information: section name: .txn
Source: MFC42u.dll.9.dr	Static PE information: section name: .amfg
Source: MFC42u.dll.9.dr	Static PE information: section name: .fgnmv
Source: MFC42u.dll.9.dr	Static PE information: section name: .iqmp
Source: MFC42u.dll.9.dr	Static PE information: section name: .hkwa
Source: MFC42u.dll.9.dr	Static PE information: section name: .imjyew
Source: MFC42u.dll.9.dr	Static PE information: section name: .qlv
Source: MFC42u.dll.9.dr	Static PE information: section name: .vofo
Source: MFC42u.dll.9.dr	Static PE information: section name: .emh
Source: MFC42u.dll.9.dr	Static PE information: section name: .boy
Source: MFC42u.dll.9.dr	Static PE information: section name: .twwn
Source: MFC42u.dll.9.dr	Static PE information: section name: .atgtj
Source: WINMM.dll.9.dr	Static PE information: section name: .qkm
Source: WINMM.dll.9.dr	Static PE information: section name: .cvjb
Source: WINMM.dll.9.dr	Static PE information: section name: .tlmkv
Source: WINMM.dll.9.dr	Static PE information: section name: .wucsxe
Source: WINMM.dll.9.dr	Static PE information: section name: .fltwtj
Source: WINMM.dll.9.dr	Static PE information: section name: .sfplio
Source: WINMM.dll.9.dr	Static PE information: section name: .rpg
Source: WINMM.dll.9.dr	Static PE information: section name: .bewzc
Source: WINMM.dll.9.dr	Static PE information: section name: .vksvaw
Source: WINMM.dll.9.dr	Static PE information: section name: .wmhg
Source: WINMM.dll.9.dr	Static PE information: section name: .kswemc
Source: WINMM.dll.9.dr	Static PE information: section name: .kaxfk
Source: WINMM.dll.9.dr	Static PE information: section name: .pjf
Source: WINMM.dll.9.dr	Static PE information: section name: .retjqj
Source: WINMM.dll.9.dr	Static PE information: section name: .mizn
Source: WINMM.dll.9.dr	Static PE information: section name: .rsrub
Source: WINMM.dll.9.dr	Static PE information: section name: .susbqq
Source: WINMM.dll.9.dr	Static PE information: section name: .jeojcw
Source: WINMM.dll.9.dr	Static PE information: section name: .vwl
Source: WINMM.dll.9.dr	Static PE information: section name: .mub
Source: WINMM.dll.9.dr	Static PE information: section name: .xwxpmb
Source: WINMM.dll.9.dr	Static PE information: section name: .aea
Source: WINMM.dll.9.dr	Static PE information: section name: .lwpch
Source: WINMM.dll.9.dr	Static PE information: section name: .nzgp
Source: WINMM.dll.9.dr	Static PE information: section name: .qimx
Source: WINMM.dll.9.dr	Static PE information: section name: .tkvgvo
Source: WINMM.dll.9.dr	Static PE information: section name: .tgipu
Source: WINMM.dll.9.dr	Static PE information: section name: .uwr
Source: WINMM.dll.9.dr	Static PE information: section name: .agscf
Source: WINMM.dll.9.dr	Static PE information: section name: .idba
Source: WINMM.dll.9.dr	Static PE information: section name: .txn
Source: WINMM.dll.9.dr	Static PE information: section name: .amfg
Source: WINMM.dll.9.dr	Static PE information: section name: .fgnmv
Source: WINMM.dll.9.dr	Static PE information: section name: .iqmp
Source: WINMM.dll.9.dr	Static PE information: section name: .hkwa
Source: WINMM.dll.9.dr	Static PE information: section name: .imjyew
Source: WINMM.dll.9.dr	Static PE information: section name: .qlv
Source: WINMM.dll.9.dr	Static PE information: section name: .vofo
Source: WINMM.dll.9.dr	Static PE information: section name: .emh
Source: WINMM.dll.9.dr	Static PE information: section name: .boy
Source: WINMM.dll.9.dr	Static PE information: section name: .twwn
Source: WINMM.dll.9.dr	Static PE information: section name: .ukfrns
Source: TAPI32.dll.9.dr	Static PE information: section name: .qkm
Source: TAPI32.dll.9.dr	Static PE information: section name: .cvjb
Source: TAPI32.dll.9.dr	Static PE information: section name: .tlmkv
Source: TAPI32.dll.9.dr	Static PE information: section name: .wucsxe
Source: TAPI32.dll.9.dr	Static PE information: section name: .fltwtj
Source: TAPI32.dll.9.dr	Static PE information: section name: .sfplio
Source: TAPI32.dll.9.dr	Static PE information: section name: .rpg
Source: TAPI32.dll.9.dr	Static PE information: section name: .bewzc
Source: TAPI32.dll.9.dr	Static PE information: section name: .vksvaw
Source: TAPI32.dll.9.dr	Static PE information: section name: .wmhg
Source: TAPI32.dll.9.dr	Static PE information: section name: .kswemc
Source: TAPI32.dll.9.dr	Static PE information: section name: .kaxfk
Source: TAPI32.dll.9.dr	Static PE information: section name: .pjf
Source: TAPI32.dll.9.dr	Static PE information: section name: .retjqj
Source: TAPI32.dll.9.dr	Static PE information: section name: .mizn
Source: TAPI32.dll.9.dr	Static PE information: section name: .rsrub
Source: TAPI32.dll.9.dr	Static PE information: section name: .susbqq
Source: TAPI32.dll.9.dr	Static PE information: section name: .jeojcw
Source: TAPI32.dll.9.dr	Static PE information: section name: .vwl
Source: TAPI32.dll.9.dr	Static PE information: section name: .mub
Source: TAPI32.dll.9.dr	Static PE information: section name: .xwxpmb
Source: TAPI32.dll.9.dr	Static PE information: section name: .aea
Source: TAPI32.dll.9.dr	Static PE information: section name: .lwpch
Source: TAPI32.dll.9.dr	Static PE information: section name: .nzgp
Source: TAPI32.dll.9.dr	Static PE information: section name: .qimx
Source: TAPI32.dll.9.dr	Static PE information: section name: .tkvgvo
Source: TAPI32.dll.9.dr	Static PE information: section name: .tgipu
Source: TAPI32.dll.9.dr	Static PE information: section name: .uwr
Source: TAPI32.dll.9.dr	Static PE information: section name: .agscf
Source: TAPI32.dll.9.dr	Static PE information: section name: .idba
Source: TAPI32.dll.9.dr	Static PE information: section name: .txn
Source: TAPI32.dll.9.dr	Static PE information: section name: .amfg
Source: TAPI32.dll.9.dr	Static PE information: section name: .fgnmv
Source: TAPI32.dll.9.dr	Static PE information: section name: .iqmp
Source: TAPI32.dll.9.dr	Static PE information: section name: .hkwa
Source: TAPI32.dll.9.dr	Static PE information: section name: .imjyew
Source: TAPI32.dll.9.dr	Static PE information: section name: .qlv
Source: TAPI32.dll.9.dr	Static PE information: section name: .vofo
Source: TAPI32.dll.9.dr	Static PE information: section name: .emh
Source: TAPI32.dll.9.dr	Static PE information: section name: .boy
Source: TAPI32.dll.9.dr	Static PE information: section name: .twwn
Source: TAPI32.dll.9.dr	Static PE information: section name: .tgm

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe

Code function: 39_2_00007FF753EF95B0 #337,memset,#1463,SetErrorMode,LoadLibraryW,GetProcAddress,SetErrorMode,

39_2_00007FF753EF95B0

PE file contains an invalid checksum

Source: DUI70.dll.9.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1e1f15
Source: 3FLps29lWm.dll	Static PE information: real checksum: 0x7d786c40 should be: 0x1a0dca
Source: WINMM.dll.9.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1956b4
Source: SRCORE.dll.9.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x195440
Source: TAPI32.dll.9.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x19f097
Source: MFC42u.dll.9.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x19d221

Binary contains a suspicious time stamp

Source: rstrui.exe.9.dr

Static PE information: 0x8C9CC4A4 [Mon Oct 3 05:09:56 2044 UTC]

Registers a DLL

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\3FLps29lWm.dll

Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679

Persistence and Installation Behavior:

Drops PE files

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\zOAoLK\DUI70.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\yeShxe\WINMM.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\UIPe\SRCORE.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\c5BVxaoEy\dialer.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\lFQXVd7\MFC42u.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\c5BVxaoEy\TAPI32.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwSetEvent new code: 0xE9 0x9B 0xBB 0xB5 0x5E 0xEF

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879BA9C IsIconic,IsZoomed,IsZoomed,GetWindowRect,EqualRect,CopyRect,GetWindowRect,EqualRect,CopyRect,GetCurrentThreadId,RegSetValueExW,GetCurrentThreadId,RegCloseKey,	33_2_00007FF67879BA9C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787FCBA0 IsIconic,ShowWindowAsync,GetLastActivePopup,IsWindow,GetWindowLongW,ShowWindow,SwitchToThisWindow,MessageBeep,	33_2_00007FF6787FCBA0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787ECE0C IsIconic,ShowWindowAsync,SetWindowPos,AllowSetForegroundWindow,SetForegroundWindow,	33_2_00007FF6787ECE0C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C4D60 GetClientRect,SetWindowPos,IsIconic,ShowWindow,GetCurrentThreadId,DefWindowProcW,PostMessageW,DestroyWindow,DestroyWindow,GetFocus,IsWindow,SetFocus,?GetKeyFocusedElement@HWNDElement@DirectUI@@SAPEAVElement@2@XZ,SetFocus,PostQuitMessage,LoadIconW,SendMessageW,SetTimer,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,CheckMenuItem,GetCurrentThreadId,GetCurrentThreadId,ShowWindow,GetCurrentThreadId,GetTickCount64,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,KillTimer,GetCurrentThreadId,GetCurrentThreadId,OpenIcon,SetForegroundWindow,SetWindowPos,PostMessageW,PostMessageW,IsWindowEnabled,GetTickCount64,	33_2_00007FF6787C4D60
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67880CDB0 IsIconic,PostMessageW,	33_2_00007FF67880CDB0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879824C IsZoomed,IsIconic,GetWindowRect,GetWindowRect,	33_2_00007FF67879824C
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EFAD40 SetForegroundWindow,IsIconic,#6632,	39_2_00007FF753EFAD40
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60101CE48 IsIconic,GetWindowPlacement,GetLastError,	43_2_00007FF60101CE48
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601019A6C IsIconic,GetWindowPlacement,GetWindowRect,	43_2_00007FF601019A6C
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60101CF28 IsIconic,GetWindowPlacement,GetLastError,IsZoomed,SetWindowPlacement,GetLastError,SetWindowPos,SetWindowPos,GetClientRect,MoveWindow,	43_2_00007FF60101CF28
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60109C560 GetWindowRect,IsWindow,IsIconic,GetSystemMetrics,GetSystemMetrics,GetWindowRect,PtInRect,PtInRect,SystemParametersInfoW,CopyRect,SetWindowPos,	43_2_00007FF60109C560
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF6010239A0 SetFocus,LoadCursorW,SetCursor,DefWindowProcW,GetClientRect,IsIconic,memset,GetTitleBarInfo,GetCursorPos,SendMessageW,	43_2_00007FF6010239A0
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60101F5A4 DefWindowProcW,IsIconic,GetClientRect,GetLastError,VariantClear,DefWindowProcW,	43_2_00007FF60101F5A4
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601022884 GetWindowRect,GetWindowLongW,GetWindowLongW,memset,CopyRect,IntersectRect,MoveWindow,IsIconic,memset,GetWindowPlacement,	43_2_00007FF601022884
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF6010204F8 IsZoomed,IsIconic,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,	43_2_00007FF6010204F8
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601021B44 lstrcmpW,LockWindowUpdate,IsIconic,GetWindowPlacement,GetWindowLongW,SetWindowLongW,SetWindowLongW,VariantInit,VariantClear,GetRgnBox,OffsetRgn,VariantClear,ShowWindow,SetWindowPos,SetWindowPos,SetWindowRgn,LockWindowUpdate,	43_2_00007FF601021B44
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601022F5C IsWindowVisible,IsIconic,	43_2_00007FF601022F5C

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded

Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\c5BVxaoEy\dialer.exe			Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\c5BVxaoEy\TAPI32.dll			Jump to dropped file

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF70109DE58 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [rdi], 02h and CTI: jne 00007FF70109DFA2h	27_2_00007FF70109DE58
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF70109BBCC GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [r15+50h], 14h and CTI: jnc 00007FF70109BD17h	27_2_00007FF70109BBCC
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF70109BBCC GetSystemTimeAsFileTime followed by cmp: cmp ecx, 03h and CTI: jne 00007FF70109BD66h	27_2_00007FF70109BBCC

Source: C:\Windows\System32\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_000000014005C340 GetSystemInfo,

3_2_000000014005C340

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014005D290 FindFirstFileExW,		3_2_000000014005D290
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010A5FEC memset,memset,FindFirstFileW,FindFirstFileW,FindNextFileW,GetLastError,FindClose,FindClose,		27_2_00007FF7010A5FEC

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

Code function: 33_2_00007FF6787A9374 GetLogicalDriveStringsW,QueryDosDeviceW,GetLastError,_wcsnicmp,

33_2_00007FF6787A9374

Source: explorer.exe, 00000009.00000000.277647315.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000009.00000000.277647315.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: Taskmgr.exe	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: explorer.exe, 00000009.00000000.302216491.000000000F740000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Taskmgr.exe, 00000021.00000002.410121511.00007FF678813000.00000002.00020000.sdmp, Taskmgr.exe.9.dr	Binary or memory string: CRUMHelper::SrumHelperCallbackImplCRUMHelper::CalcDiskPctHistAndAvgNetbase\diagnosis\pdui\atm\network.cppWdcNetworkMonitor::PerInstanceDataRetrieveWdcNetworkMonitor::GetAdapterInfoWdcNetworkMonitor::QueryMemWdcMemoryMonitor::UpdateVMQuerybase\diagnosis\pdui\atm\memory.cppWdcMemoryMonitor::InitializePCWQueryHyper-V Dynamic Memory Integration ServiceMicrosoft HvWdcErrorMessageGetProcessWaitChainAsyncPopulateWaitTreeOnPostGetWaitChainTreeView_GetCheckedProcessCountInitializeMRTResourceManagerbase\diagnosis\pdui\atm\mrtutils.cppresources.priMrtGetThreadPreferredUILanguageNameMrtCreateOverrideResourceContextMrtProcessMRTFilePathTmGetLocalizedLogoPathTmCombinePath@~
Source: explorer.exe, 00000009.00000000.298728516.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.278490906.00000000089F6000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}dz
Source: explorer.exe, 00000009.00000000.235071296.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000009.00000000.277647315.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000009.00000000.277647315.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000009.00000000.249500361.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000009.00000000.235108827.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000009.00000000.302216491.000000000F740000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}F
Source: explorer.exe, 00000009.00000000.277647315.000000000871F000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATAJ
Source: explorer.exe, 00000009.00000000.278490906.00000000089F6000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.*

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

Code function: 33_2_00007FF678778ADC IsDebuggerPresent,

33_2_00007FF678778ADC

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

Code function: 33_2_00007FF67879A53C OutputDebugStringA,ActivateActCtx,GetLastError,

33_2_00007FF67879A53C

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe

Code function: 39_2_00007FF753EF95B0 #337,memset,#1463,SetErrorMode,LoadLibraryW,GetProcAddress,SetErrorMode,

39_2_00007FF753EF95B0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

Code function: 33_2_00007FF6787B09C0 GetProcessHeap,HeapAlloc,GetCurrentThreadId,memset,

33_2_00007FF6787B09C0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_0000000140048AC0 LdrLoadDll,FindClose,

3_2_0000000140048AC0

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010AFE80 SetUnhandledExceptionFilter,	27_2_00007FF7010AFE80
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010B0104 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	27_2_00007FF7010B0104
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678775CC0 SetUnhandledExceptionFilter,	33_2_00007FF678775CC0
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EFF960 SetUnhandledExceptionFilter,	39_2_00007FF753EFF960
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EFF570 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	39_2_00007FF753EFF570
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601132264 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	43_2_00007FF601132264

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: SRCORE.dll.9.dr

Jump to dropped file

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\System32\regsvr32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFB7377EFE0 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFB7377E000 protect: page execute read	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFB70FD2A20 protect: page execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\System32\regsvr32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Uses Atom Bombing / ProGate to inject into other processes

Source: C:\Windows\System32\regsvr32.exe

Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h

Jump to behavior

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe

Code function: 27_2_00007FF7010AD5FC memset,ShellExecuteExW,GetLastError,CloseHandle,

27_2_00007FF7010AD5FC

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3FLps29lWm.dll',#1

Jump to behavior

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe

Code function: 27_2_00007FF7010AA8E0 memset,memset,memset,memset,memset,memset,memset,InitializeSecurityDescriptor,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,SetEntriesInAclW,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity,LocalFree,

27_2_00007FF7010AA8E0

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

Code function: 33_2_00007FF67879B4E0 AllocateAndInitializeSid,GetLastError,CheckTokenMembership,GetLastError,FreeSid,

33_2_00007FF67879B4E0

Source: explorer.exe, 00000009.00000000.307910218.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000009.00000000.287922674.0000000001980000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000009.00000000.287922674.0000000001980000.00000002.00020000.sdmp, Taskmgr.exe	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000000.287922674.0000000001980000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.287922674.0000000001980000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: Taskmgr.exe, 00000021.00000002.410121511.00007FF678813000.00000002.00020000.sdmp, Taskmgr.exe.9.dr	Binary or memory string: base\diagnosis\pdui\atm\tmutils.cppWdcInitializeCriticalSectionGetProcessAppContainerSidTmColumnHeaderbase\diagnosis\pdui\atm\colheader.cppResizerAtmColumnHeader::UpdateSysUtilizationColumnsHeatMapCumulativeTmGroupHeaderTmViewItemAtmViewItem::InitializeParentColumnViewExpandoImageWrapperTmFirstColumnAtmViewItem::InitializeChildColumnTmColStatusTextTmLeafIconTmViewRowAtmViewItem::UpdateChildRowViewExpandoButtonImageAtmViewItem::CreateChildViewItemFromDataTmViewItemSelectorTmColHeaderItemTmRowTextElementTmLegendElementTmAppViewItemTmAppChildViewItemTmUsersChildViewItemMicrosoft.MicrosoftEdge_8wekyb3d8bbweTmSpecialProcesses::InitProcessPathsbase\diagnosis\pdui\atm\applications.cppMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeSH.exeWindows.WARP.JITService.exeApp_MonitorWdcApplicationsMonitor::CreateEntryWdcApplicationsMonitor::UpdateInitializeWdcApplicationsMonitor::GetMemoryPercentageWdcApplicationsMonitor::ResolveImageFriendlyNameTabWindowClassWindows.UI.Core.CoreWindowMicrosoft EdgeWindows.WARP.JITServiceS-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-1206159417-1570029349-2913729690-1184509225S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-3513710562-3729412521-1863153555-1462103995S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-1821068571-1793888307-623627345-1529106238S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-3859068477-1314311106-1651661491-1685393560S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-4043415302-551583165-304772019-4009825106S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-1618978223-3991232872-53169767-3645722245S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-4256926629-1688279915-2739229046-3928706915S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-2385269614-3243675-834220592-3047885450S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-355265979-2879959831-980936148-1241729999WdcApplicationsMonitor::_CalcProcessStatusAndResUsageWdcApplicationsMonitor::SetRUMInfoWdcApplicationsMonitor::UpdateWdcApplicationsMonitor::_UpdateSysTrayUtilizationWdcApplicationsMonitor::_AtmUpdateApplicationsChildrenWdcApplicationsMonitor::GetColumnTextWdcApplicationsMonitor::AtmUpdateChildrenWdcApplicationsMonitor::_TmGetResContentionColumnWdcApplicationsMonitor::_UpdateSystemUtilizationColumnsWdcApplicationsMonitor::_HandleRestartExplorerWdcApplicationsMonitor::_HandleEndTaskWdcApplicationsMonitor::_EndProcessAndFramesWdcApplicationsMonitor::AtmOnProcessCommandWdcApplicationsMonitor::_SetPropertiesForProcessWdcApplicationsMonitor::UpdateProcessntoskrnl.exeWdcApplicationsMonitor::EnsureRUMHelperbrowser_broker.exeWdcApplicationsMonitor::_UpdateAggregationPackageIdWdcApplicationsMonitor::_UpdateAggregatableProcessWdcApplic

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\regsvr32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Queries volume information: unknown VolumeInformation

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: GetLocaleInfoW,GetUserDefaultLCID,	27_2_00007FF7010AB4C0
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: GetLocaleInfoEx,GetLastError,	27_2_00007FF7010AB364
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: memset,memset,GetLocaleInfoW,GetLastError,_wtoi,GetProcessHeap,HeapAlloc,GetCurrentThreadId,	33_2_00007FF6787A6EBC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: GetCurrentProcessId,ProcessIdToSessionId,GetLocaleInfoEx,GetLastError,GetLocaleInfoEx,GetLastError,GetLocaleInfoEx,GetLastError,GetLocaleInfoEx,GetLastError,memset,GetKeyState,GetKeyState,GetKeyState,	33_2_00007FF67879AF2C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: GetThreadUILanguage,GetLocaleInfoW,	33_2_00007FF67879B2D4
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: GetUserPreferredUILanguages,GetLastError,GetUserPreferredUILanguages,GetLocaleInfoEx,	39_2_00007FF753EFBB04
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: GetLocaleInfoW,	39_2_00007FF753EE5218

Queries the installation date of Windows

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe

Code function: 27_2_00007FF7010B0020 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

27_2_00007FF7010B0020

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe

Code function: 27_2_00007FF7010AD808 memset,memset,GetTimeZoneInformation,GetTimeFormatW,

27_2_00007FF7010AD808

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

Code function: 33_2_00007FF6787FFF30 GetVersionExW,#618,

33_2_00007FF6787FFF30

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CFD10 ?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,GetCurrentThreadId,?SetID@Element@DirectUI@@QEAAJPEBG@Z,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,GetCurrentThreadId,?SetID@Element@DirectUI@@QEAAJPEBG@Z,GetCurrentThreadId,?SetAccDesc@Element@DirectUI@@QEAAJPEBG@Z,GetCurrentThreadId,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,GetCurrentThreadId,?Add@Element@DirectUI@@QEAAJPEAV12@@Z,GetCurrentThreadId,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,GetCurrentThreadId,SysFreeString,SysAllocString,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree,GetCurrentThreadId,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?SetID@Element@DirectUI@@QEAAJPEBG@Z,GetCurrentThreadId,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?SetLayoutPos@Element@DirectUI@@QEAAJH@Z,?SetLayoutPos@Element@DirectUI@@QEAAJH@Z,?SetLayoutPos@Element@DirectUI@@QEAAJH@Z,?SetLayoutPos@Element@DirectUI@@QEAAJH@Z,?SetLayoutPos@Element@DirectUI@@QEAAJH@Z,?Destroy@Element@DirectUI@@QEAAJ_N@Z,?Destroy@Element@DirectUI@@QEAAJ_N@Z,	33_2_00007FF6787CFD10
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787F3C44 StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?GetLayoutPos@Element@DirectUI@@QEAAHXZ,?SetContentString@Element@DirectUI@@QEAAJPEBG@Z,?SetLayoutPos@Element@DirectUI@@QEAAJH@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?GetLayoutPos@Element@DirectUI@@QEAAHXZ,?SetLayoutPos@Element@DirectUI@@QEAAJH@Z,?RemoveListener@Element@DirectUI@@QEAAXPEAUIElementListener@2@@Z,?SetWidth@Element@DirectUI@@QEAAJH@Z,	33_2_00007FF6787F3C44
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C719C StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,GetCurrentThreadId,?Add@Element@DirectUI@@QEAAJPEAV12@@Z,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,GetCurrentThreadId,?Add@Element@DirectUI@@QEAAJPEAV12@@Z,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,GetCurrentThreadId,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,GetCurrentThreadId,?Add@Element@DirectUI@@QEAAJPEAV12@@Z,GetCurrentThreadId,?Destroy@Element@DirectUI@@QEAAJ_N@Z,	33_2_00007FF6787C719C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A9630 PathIsNetworkPathW,SHParseDisplayName,SHBindToParent,StrRetToBufW,ILFree,	33_2_00007FF6787A9630
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787F46E0 StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,GetCurrentThreadId,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?GetParent@Element@DirectUI@@QEAAPEAV12@XZ,?GetParent@Element@DirectUI@@QEAAPEAV12@XZ,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?GetBorderThickness@Element@DirectUI@@QEAAPEBUtagRECT@@PEAPEAVValue@2@@Z,?Release@Value@DirectUI@@QEAAXXZ,	33_2_00007FF6787F46E0

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.20.184.68	geolocation.onetrust.com	United States	13335	CLOUDFLARENETUS	false
142.250.203.102	dart.l.doubleclick.net	United States	15169	GOOGLEUS	false
172.67.70.134	btloader.com	United States	13335	CLOUDFLARENETUS	false
172.67.69.19	ad-delivery.net	United States	13335	CLOUDFLARENETUS	false
87.248.118.23	edge.gycpi.b.yahoodns.net	United Kingdom	203220	YAHOO-DEBDE	false
151.101.1.44	tls13.taboola.map.fastly.net	United States	54113	FASTLYUS	false

Contacted Domains

Name	IP	Active
contextual.media.net	2.18.160.23	true
dart.l.doubleclick.net	142.250.203.102	true
tls13.taboola.map.fastly.net	151.101.1.44	true
hblg.media.net	2.18.160.23	true
lg3.media.net	2.18.160.23	true
btloader.com	172.67.70.134	true
geolocation.onetrust.com	104.20.184.68	true
edge.gycpi.b.yahoodns.net	87.248.118.23	true
ad-delivery.net	172.67.69.19	true
www.msn.com	unknown	unknown
ad.doubleclick.net	unknown	unknown
srtb.msn.com	unknown	unknown
img.img-taboola.com	unknown	unknown
s.yimg.com	unknown	unknown
web.vortex.data.msn.com	unknown	unknown
cvision.media.net	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5ac3b539d1cfda83dbe324033737805f.jpg	false	Avira URL Cloud: safe	unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%2Cg_xy_center%2Cx_737%2Cy_504/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fe17134d780918219c201cb1db8da2d3f.jpeg	false	Avira URL Cloud: safe	unknown
https://btloader.com/tag?o=6208086025961472&upapi=true	false	URL Reputation: safe	unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%2Cg_xy_center%2Cx_433%2Cy_315/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F560ad3dcc869b1dfc2bac1c99d35ac81.png	false	Avira URL Cloud: safe	unknown
https://ad-delivery.net/px.gif?ch=1&e=0.4888902266943189	false	Avira URL Cloud: safe	unknown
https://ad.doubleclick.net/favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250	false		high
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location	false		high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fb4d84d7a-e7a0-4e71-a4e1-288b18f4b1a1_166a74d60a77edc1b295914db4bc79ac.jpeg	false	Avira URL Cloud: safe	unknown
https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1pbmk7cT0xMDA-/https://s.yimg.com/av/ads/1599143076228-3140.jpg	false		high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F7b4dbad0520957f16bd4e3f810f4c883.png	false	Avira URL Cloud: safe	unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fimages%2F824258cd-2488-4e7c-b171-dad87f56f610_1000x600.jpeg	false	Avira URL Cloud: safe	unknown

AV Detection:

Multi AV Scanner detection for submitted file

Source: 3FLps29lWm.dll	Virustotal: Detection: 71%	Perma Link
Source: 3FLps29lWm.dll	Metadefender: Detection: 62%	Perma Link
Source: 3FLps29lWm.dll	ReversingLabs: Detection: 75%

Antivirus / Scanner detection for submitted sample

Source: 3FLps29lWm.dll

Avira: detected

Machine Learning detection for sample

Source: 3FLps29lWm.dll

Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60108F8FC CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,		43_2_00007FF60108F8FC
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60108F52C CryptProtectData,LocalAlloc,LocalFree,		43_2_00007FF60108F52C

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.3:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.3:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.3:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.3:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.3:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.3:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.3:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.3:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49814 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49817 version: TLS 1.2

Source: 3FLps29lWm.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: FXSCOVER.pdb source: FXSCOVER.exe, 00000027.00000002.451597797.00007FF753F02000.00000002.00020000.sdmp, FXSCOVER.exe.9.dr
Source:	Binary string: Taskmgr.pdbUGP source: Taskmgr.exe, 00000021.00000002.410121511.00007FF678813000.00000002.00020000.sdmp, Taskmgr.exe.9.dr
Source:	Binary string: dialer.pdbGCTL source: dialer.exe.9.dr
Source:	Binary string: FXSCOVER.pdbGCTL source: FXSCOVER.exe, 00000027.00000002.451597797.00007FF753F02000.00000002.00020000.sdmp, FXSCOVER.exe.9.dr
Source:	Binary string: Taskmgr.pdb source: Taskmgr.exe, 00000021.00000002.410121511.00007FF678813000.00000002.00020000.sdmp, Taskmgr.exe.9.dr
Source:	Binary string: rstrui.pdbGCTL source: rstrui.exe, 0000001B.00000000.343039764.00007FF7010B1000.00000002.00020000.sdmp, rstrui.exe.9.dr
Source:	Binary string: rstrui.pdb source: rstrui.exe, 0000001B.00000000.343039764.00007FF7010B1000.00000002.00020000.sdmp, rstrui.exe.9.dr
Source:	Binary string: mstsc.pdbGCTL source: mstsc.exe, 0000002B.00000000.457004471.00007FF601134000.00000002.00020000.sdmp, mstsc.exe.9.dr
Source:	Binary string: dialer.pdb source: dialer.exe.9.dr
Source:	Binary string: mstsc.pdb source: mstsc.exe, 0000002B.00000000.457004471.00007FF601134000.00000002.00020000.sdmp, mstsc.exe.9.dr

Spreading:

Contains functionality to get notified if a device is plugged in / out

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

Code function: 33_2_00007FF6787B1570 EnterCriticalSection,UnregisterDeviceNotification,GetLastError,CloseHandle,GetProcessHeap,HeapFree,SysFreeString,GetProcessHeap,HeapFree,

33_2_00007FF6787B1570

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014005D290 FindFirstFileExW,		3_2_000000014005D290
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010A5FEC memset,memset,FindFirstFileW,FindFirstFileW,FindNextFileW,GetLastError,FindClose,FindClose,		27_2_00007FF7010A5FEC

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

Code function: 33_2_00007FF6787A9374 GetLogicalDriveStringsW,QueryDosDeviceW,GetLastError,_wcsnicmp,

33_2_00007FF6787A9374

Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443

Source: de-ch[1].htm.8.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000009.00000000.262491511.000000000F788000.00000004.00000001.sdmp	String found in binary or memory: :2021091520210916: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: msapplication.xml0.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x1606e68c,0x01d7aa75</date><accdate>0x1606e68c,0x01d7aa75</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x1606e68c,0x01d7aa75</date><accdate>0x1606e68c,0x01d7aa75</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x16106db3,0x01d7aa75</date><accdate>0x16106db3,0x01d7aa75</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x16106db3,0x01d7aa75</date><accdate>0x16106db3,0x01d7aa75</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x16106db3,0x01d7aa75</date><accdate>0x16106db3,0x01d7aa75</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x16106db3,0x01d7aa75</date><accdate>0x16106db3,0x01d7aa75</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.8.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.8.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: de-ch[1].htm.8.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.8.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: auction[1].htm.8.dr	String found in binary or memory: http://popup.taboola.com/german
Source: ~DF98125A3D199168E4.TMP.5.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: msapplication.xml.5.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.5.dr	String found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.5.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.5.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.5.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.5.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.5.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.5.dr	String found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.8.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: auction[1].htm.8.dr	String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&es=21x0e_sGIS.ilIXooL5YSf3vyStZlGxuE54fPm01Hak3octV
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: auction[1].htm.8.dr	String found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html"
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24545562&epi=de-ch
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&a=3064090&g=24886692
Source: ~DF98125A3D199168E4.TMP.5.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: ~DF98125A3D199168E4.TMP.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ~DF98125A3D199168E4.TMP.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: auction[1].htm.8.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: auction[1].htm.8.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: auction[1].htm.8.dr	String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&es=omzXyQIGIS9RP7Ab2JdB6y2LE1eAUMyavr58923CVFzR
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1631707355&rver=7.0.6730.0&am
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1631707356&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1631707355&rver=7.0.6730.0&w
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://marketing.outbrain.com/network/redir?p=v32QGHAgJSsc5iQUmc_8pzjvwpvCgGeqUtF8mqZlq22g-2MjMNlW2
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: auction[1].htm.8.dr	String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
Source: ~DF98125A3D199168E4.TMP.5.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: auction[1].htm.8.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: auction[1].htm.8.dr	String found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=a4ddd93dd52947cd82240d0d2c0c03b6&r=infopane&i=1&
Source: imagestore.dat.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOrf3O.img?h=368&
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.ebay.ch/?mkcid=1&mkrid=5222-53480-19255-0&siteid=193&campid=5338626668&t
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DF98125A3D199168E4.TMP.5.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: explorer.exe, 00000009.00000000.262491511.000000000F788000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpMSN
Source: ~DF98125A3D199168E4.TMP.5.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpu
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/angst-vor-einer-gleisw%c3%bcste-der-kanton-und-die
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/bis-zu-2000-kiffer-k%c3%b6nnen-sich-in-z%c3%bcrich
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/autofahrer-20-kommt-von-strasse-ab-und-prallt-gegen-baum/ar-AAO
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/bundesgericht-will-brian-nicht-aus-der-einzelhaft-entlassen/ar-
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/mann-greift-bei-impftram-einweihung-security-an-und-wird-festge
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/patrick-aebischer-ist-als-ehemaliger-pr%c3%a4sident-der-eth-lau
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/rega-bringt-schwer-verletzten-t%c3%b6fffahrer-ins-spital/ar-AAO
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/unglaublich-erleichtert-bev%c3%b6lkerung-wehrt-sich-erfolgreich
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrcher-apothekerinnen-werden-von-testwilligen-%c3%bcberra
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrcher-d%c3%bcrfen-f%c3%bcr-die-wissenschaft-bald-legal-k
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.tippsundtricks.co/lifehacks/nadel-banane-trick/?utm_campaign=DECH-bananatrick&utm_so

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: global traffic	HTTP traffic detected: GET /cookieconsentpub/v1/geo/location HTTP/1.1Accept: application/javascript, /;q=0.8Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: geolocation.onetrust.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1Accept: application/javascript, /;q=0.8Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: btloader.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /px.gif?ch=1&e=0.4888902266943189 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad-delivery.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad.doubleclick.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1pbmk7cT0xMDA-/https://s.yimg.com/av/ads/1599143076228-3140.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: s.yimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fb4d84d7a-e7a0-4e71-a4e1-288b18f4b1a1_166a74d60a77edc1b295914db4bc79ac.jpeg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%2Cg_xy_center%2Cx_433%2Cy_315/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F560ad3dcc869b1dfc2bac1c99d35ac81.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fimages%2F824258cd-2488-4e7c-b171-dad87f56f610_1000x600.jpeg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F7b4dbad0520957f16bd4e3f810f4c883.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%2Cg_xy_center%2Cx_737%2Cy_504/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fe17134d780918219c201cb1db8da2d3f.jpeg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5ac3b539d1cfda83dbe324033737805f.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.3:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.3:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.3:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.3:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.3:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.3:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.3:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.3:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49814 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49817 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A3C00 memset,memset,memset,GetKeyState,GetKeyState,SendMessageW,SendMessageW,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SetFocus,?GetDisplayNode@Element@DirectUI@@QEAAPEAUHGADGET__@@XZ,ForwardGadgetMessage,	33_2_00007FF6787A3C00
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879AF2C GetCurrentProcessId,ProcessIdToSessionId,GetLocaleInfoEx,GetLastError,GetLocaleInfoEx,GetLastError,GetLocaleInfoEx,GetLastError,GetLocaleInfoEx,GetLastError,memset,GetKeyState,GetKeyState,GetKeyState,	33_2_00007FF67879AF2C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879B6D0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,RegGetValueW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,GetCurrentThreadId,GetCurrentThreadId,RegGetValueW,GetCurrentThreadId,RegSetValueExW,GetCurrentThreadId,RegCloseKey,	33_2_00007FF67879B6D0

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

33_2_00007FF6787C9BE0

E-Banking Fraud:

Yara detected Dridex unpacked file

Source: Yara match	File source: 0000002B.00000002.479085760.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.235930456.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.448796911.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.246415321.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.228897543.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.270992989.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.259705303.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.365201686.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.263971738.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.225554693.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.338160858.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.404405311.0000000140001000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe

Code function: 27_2_00007FF701091D40 NtShutdownSystem,InitiateShutdownW,

27_2_00007FF701091D40

Detected potential crypto function

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140034870	3_2_0000000140034870
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003B220	3_2_000000014003B220
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140035270	3_2_0000000140035270
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140048AC0	3_2_0000000140048AC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003A2E0	3_2_000000014003A2E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014005C340	3_2_000000014005C340
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140065B80	3_2_0000000140065B80
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014006A4B0	3_2_000000014006A4B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400524B0	3_2_00000001400524B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140026CC0	3_2_0000000140026CC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014004BD40	3_2_000000014004BD40
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400495B0	3_2_00000001400495B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140036F30	3_2_0000000140036F30
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140069010	3_2_0000000140069010
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140001010	3_2_0000000140001010
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140066020	3_2_0000000140066020
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002F840	3_2_000000014002F840
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014005D850	3_2_000000014005D850
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140064080	3_2_0000000140064080
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140010880	3_2_0000000140010880
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400688A0	3_2_00000001400688A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002D0D0	3_2_000000014002D0D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400018D0	3_2_00000001400018D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140016100	3_2_0000000140016100
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014001D100	3_2_000000014001D100
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002A110	3_2_000000014002A110
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014001D910	3_2_000000014001D910
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140015120	3_2_0000000140015120
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014000B120	3_2_000000014000B120
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014004F940	3_2_000000014004F940
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140039140	3_2_0000000140039140
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140023140	3_2_0000000140023140
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140057950	3_2_0000000140057950
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014001E170	3_2_000000014001E170
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140002980	3_2_0000000140002980
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400611A0	3_2_00000001400611A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400389A0	3_2_00000001400389A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400381A0	3_2_00000001400381A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002E1B0	3_2_000000014002E1B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014007C9D0	3_2_000000014007C9D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400139D0	3_2_00000001400139D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400319F0	3_2_00000001400319F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002EA00	3_2_000000014002EA00
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140022A00	3_2_0000000140022A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140067A40	3_2_0000000140067A40
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140069A50	3_2_0000000140069A50
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140007A60	3_2_0000000140007A60
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003AAC0	3_2_000000014003AAC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140062B00	3_2_0000000140062B00
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140018300	3_2_0000000140018300
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002FB20	3_2_000000014002FB20
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140031340	3_2_0000000140031340
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140022340	3_2_0000000140022340
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140017B40	3_2_0000000140017B40
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014000BB40	3_2_000000014000BB40
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140079360	3_2_0000000140079360
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014004EB60	3_2_000000014004EB60
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140005370	3_2_0000000140005370
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002CB80	3_2_000000014002CB80
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014006B390	3_2_000000014006B390
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140054BA0	3_2_0000000140054BA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140033BB0	3_2_0000000140033BB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400263C0	3_2_00000001400263C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400123C0	3_2_00000001400123C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140063BD0	3_2_0000000140063BD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400663F0	3_2_00000001400663F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140023BF0	3_2_0000000140023BF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014006B41B	3_2_000000014006B41B
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014006B424	3_2_000000014006B424
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014006B42D	3_2_000000014006B42D
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014006B436	3_2_000000014006B436
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014006B43D	3_2_000000014006B43D
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140024440	3_2_0000000140024440
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140005C40	3_2_0000000140005C40
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014006B446	3_2_000000014006B446
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014005F490	3_2_000000014005F490
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140022D00	3_2_0000000140022D00
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140035520	3_2_0000000140035520
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140019D20	3_2_0000000140019D20
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140030530	3_2_0000000140030530
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140023530	3_2_0000000140023530
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140078D3F	3_2_0000000140078D3F
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140031540	3_2_0000000140031540
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140033540	3_2_0000000140033540
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014007BD50	3_2_000000014007BD50
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140078570	3_2_0000000140078570
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140019580	3_2_0000000140019580
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400205A0	3_2_00000001400205A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140025DB0	3_2_0000000140025DB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140071DC0	3_2_0000000140071DC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014000C5C0	3_2_000000014000C5C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002DDE0	3_2_000000014002DDE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014007D5F0	3_2_000000014007D5F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140031DF0	3_2_0000000140031DF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014000DDF0	3_2_000000014000DDF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140001620	3_2_0000000140001620
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140018630	3_2_0000000140018630
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140032650	3_2_0000000140032650
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140050E60	3_2_0000000140050E60
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140064E80	3_2_0000000140064E80
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140016E80	3_2_0000000140016E80
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140079681	3_2_0000000140079681
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140007EA0	3_2_0000000140007EA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400286B0	3_2_00000001400286B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140006EB0	3_2_0000000140006EB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400276C0	3_2_00000001400276C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002FEC0	3_2_000000014002FEC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140078EBB	3_2_0000000140078EBB
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002EED0	3_2_000000014002EED0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014002B6E0	3_2_000000014002B6E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140053F20	3_2_0000000140053F20
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140022730	3_2_0000000140022730
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140029780	3_2_0000000140029780
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140018F80	3_2_0000000140018F80
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003EFB0	3_2_000000014003EFB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400067B0	3_2_00000001400067B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001400667D0	3_2_00000001400667D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140060FE0	3_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF70109AC30	27_2_00007FF70109AC30
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010A361C	27_2_00007FF7010A361C
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010A326C	27_2_00007FF7010A326C
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF70109DE58	27_2_00007FF70109DE58
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF70109FEA0	27_2_00007FF70109FEA0
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF70109DAE0	27_2_00007FF70109DAE0
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010AA8E0	27_2_00007FF7010AA8E0
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF70109FAE4	27_2_00007FF70109FAE4
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF701099CF8	27_2_00007FF701099CF8
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010A1F24	27_2_00007FF7010A1F24
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF701094D5C	27_2_00007FF701094D5C
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010AE3C4	27_2_00007FF7010AE3C4
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF701098BEC	27_2_00007FF701098BEC
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010951DC	27_2_00007FF7010951DC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678785A2C	33_2_00007FF678785A2C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67877B968	33_2_00007FF67877B968
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67877CA98	33_2_00007FF67877CA98
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787D5AAC	33_2_00007FF6787D5AAC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787B9BD0	33_2_00007FF6787B9BD0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A5BD0	33_2_00007FF6787A5BD0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A3C00	33_2_00007FF6787A3C00
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67877DB78	33_2_00007FF67877DB78
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A1B90	33_2_00007FF6787A1B90
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CEBA4	33_2_00007FF6787CEBA4
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678772CF0	33_2_00007FF678772CF0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678791D00	33_2_00007FF678791D00
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AFCFC	33_2_00007FF6787AFCFC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787D7CF8	33_2_00007FF6787D7CF8
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CFD10	33_2_00007FF6787CFD10
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67877DDB8	33_2_00007FF67877DDB8
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879CE20	33_2_00007FF67879CE20
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C8D4C	33_2_00007FF6787C8D4C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C4D60	33_2_00007FF6787C4D60
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787ACEE8	33_2_00007FF6787ACEE8
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678777EFC	33_2_00007FF678777EFC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879FF10	33_2_00007FF67879FF10
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678802F18	33_2_00007FF678802F18
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AAE90	33_2_00007FF6787AAE90
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C5E98	33_2_00007FF6787C5E98
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CEFB4	33_2_00007FF6787CEFB4
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A10C0	33_2_00007FF6787A10C0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A30C4	33_2_00007FF6787A30C4
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67880B108	33_2_00007FF67880B108
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787F0114	33_2_00007FF6787F0114
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67877E038	33_2_00007FF67877E038
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AF088	33_2_00007FF6787AF088
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AC1D0	33_2_00007FF6787AC1D0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6788011E0	33_2_00007FF6788011E0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A6218	33_2_00007FF6787A6218
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787BC188	33_2_00007FF6787BC188
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C32E0	33_2_00007FF6787C32E0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787802EC	33_2_00007FF6787802EC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787D3310	33_2_00007FF6787D3310
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787B3330	33_2_00007FF6787B3330
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A83D0	33_2_00007FF6787A83D0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787FD3D0	33_2_00007FF6787FD3D0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678772420	33_2_00007FF678772420
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678803358	33_2_00007FF678803358
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787B4380	33_2_00007FF6787B4380
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A2510	33_2_00007FF6787A2510
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787E952C	33_2_00007FF6787E952C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787DD484	33_2_00007FF6787DD484
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787B6478	33_2_00007FF6787B6478
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C04A4	33_2_00007FF6787C04A4
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787FF4B0	33_2_00007FF6787FF4B0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879E604	33_2_00007FF67879E604
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C15FC	33_2_00007FF6787C15FC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AE61C	33_2_00007FF6787AE61C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787B4630	33_2_00007FF6787B4630
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C7540	33_2_00007FF6787C7540
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879D544	33_2_00007FF67879D544
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787EA550	33_2_00007FF6787EA550
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CF570	33_2_00007FF6787CF570
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CB704	33_2_00007FF6787CB704
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67877C714	33_2_00007FF67877C714
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678792660	33_2_00007FF678792660
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EF2CD8	39_2_00007FF753EF2CD8
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EE2400	39_2_00007FF753EE2400
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EE2BD0	39_2_00007FF753EE2BD0
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EF53BC	39_2_00007FF753EF53BC
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EEFB90	39_2_00007FF753EEFB90
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EFA35C	39_2_00007FF753EFA35C
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EF3348	39_2_00007FF753EF3348
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EE8B30	39_2_00007FF753EE8B30
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EF8320	39_2_00007FF753EF8320
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EF8AC0	39_2_00007FF753EF8AC0
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EFC8A0	39_2_00007FF753EFC8A0
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EF47B0	39_2_00007FF753EF47B0
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EF0FA0	39_2_00007FF753EF0FA0
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EEAF54	39_2_00007FF753EEAF54
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EEBF00	39_2_00007FF753EEBF00
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EE5E54	39_2_00007FF753EE5E54
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EF5E50	39_2_00007FF753EF5E50
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EE4E3C	39_2_00007FF753EE4E3C
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EECDB0	39_2_00007FF753EECDB0
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF6010A1690	43_2_00007FF6010A1690
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60101DA8C	43_2_00007FF60101DA8C
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60102EAB4	43_2_00007FF60102EAB4
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601014EC4	43_2_00007FF601014EC4
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF6010312E0	43_2_00007FF6010312E0
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601054320	43_2_00007FF601054320
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF6010239A0	43_2_00007FF6010239A0
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF6010235EC	43_2_00007FF6010235EC
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601028DF0	43_2_00007FF601028DF0
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60102CE08	43_2_00007FF60102CE08
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60102A858	43_2_00007FF60102A858
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601028060	43_2_00007FF601028060
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF6010284C0	43_2_00007FF6010284C0
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF6010264DC	43_2_00007FF6010264DC
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601016B94	43_2_00007FF601016B94
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF6010277C0	43_2_00007FF6010277C0
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601015410	43_2_00007FF601015410

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: String function: 00007FF7010A5950 appears 60 times
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: String function: 00007FF678774DF0 appears 948 times
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: String function: 00007FF6787AF2F0 appears 31 times

Contains functionality to call native functions

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003BFF0 NtDuplicateObject,	3_2_000000014003BFF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003B220 NtReadVirtualMemory,RtlQueueApcWow64Thread,NtProtectVirtualMemory,RtlQueueApcWow64Thread,NtProtectVirtualMemory,NtProtectVirtualMemory,	3_2_000000014003B220
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140025280 NtDuplicateObject,	3_2_0000000140025280
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003A2E0 NtDuplicateObject,RtlQueueApcWow64Thread,	3_2_000000014003A2E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140025330 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,	3_2_0000000140025330
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003BC10 CreateFileMappingW,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,	3_2_000000014003BC10
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014004E440 NtDelayExecution,	3_2_000000014004E440
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140046C90 NtClose,	3_2_0000000140046C90
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014006A4B0 NtQuerySystemInformation,RtlAllocateHeap,	3_2_000000014006A4B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003C560 NtDuplicateObject,NtClose,	3_2_000000014003C560
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000140039F50 NtReadVirtualMemory,	3_2_0000000140039F50
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014003BF70 NtDuplicateObject,NtClose,	3_2_000000014003BF70
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF701091D40 NtShutdownSystem,InitiateShutdownW,	27_2_00007FF701091D40
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AE9C8 ZwQueryWnfStateData,	33_2_00007FF6787AE9C8
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787ABAC4 GetProcessHeap,HeapAlloc,GetCurrentThreadId,memset,NtQueryInformationProcess,RtlNtStatusToDosError,GetCurrentThreadId,NtQueryInformationProcess,GetProcessHeap,HeapFree,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF6787ABAC4
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787B9AC4 NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,	33_2_00007FF6787B9AC4
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CCA70 NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,GetDurationFormatEx,GetLastError,GetCurrentThreadId,	33_2_00007FF6787CCA70
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678810BDC NtOpenFile,RtlNtStatusToDosError,SetLastError,	33_2_00007FF678810BDC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AAC20 NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF6787AAC20
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787ADB48 memset,GetCurrentThreadId,NtSetInformationProcess,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF6787ADB48
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67878FB5C NtQueryInformationProcess,RtlNtStatusToDosError,	33_2_00007FF67878FB5C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CEBA4 NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,	33_2_00007FF6787CEBA4
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CCCBC memset,NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF6787CCCBC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A9D1C NtQuerySystemInformation,RtlNtStatusToDosError,	33_2_00007FF6787A9D1C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67878CC7C memset,GetCurrentThreadId,EtwCheckCoverage,EtwCheckCoverage,EtwCheckCoverage,NtSetInformationProcess,GetCurrentThreadId,NtQueryInformationProcess,RtlNtStatusToDosError,RtlNtStatusToDosError,GetCurrentThreadId,CloseHandle,	33_2_00007FF67878CC7C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A9DE0 NtQueryInformationProcess,RtlNtStatusToDosError,GetCurrentThreadId,ReadProcessMemory,GetLastError,GetCurrentThreadId,ReadProcessMemory,GetLastError,GetCurrentThreadId,ReadProcessMemory,GetLastError,GetCurrentThreadId,	33_2_00007FF6787A9DE0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787FDF04 DuplicateHandle,GetLastError,GetCurrentThreadId,NtQueryObject,RtlNtStatusToDosError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetCurrentThreadId,GetCurrentThreadId,CloseHandle,	33_2_00007FF6787FDF04
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C5E98 EtwCheckCoverage,NtSetInformationProcess,HeapSetInformation,CommandLineToArgvW,OpenEventW,SetEvent,CloseHandle,SetProcessShutdownParameters,RegisterApplicationRestart,InitProcessPriv,GetCurrentThreadId,InitThread,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,LoadAcceleratorsW,ReleaseMutex,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW,LocalFree,UnInitThread,UnInitProcessPriv,FreeLibrary,	33_2_00007FF6787C5E98
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787ABFB0 PcwCreateQuery,GetCurrentThreadId,RtlInitUnicodeString,RtlInitUnicodeString,PcwAddQueryItem,GetCurrentThreadId,GetProcessHeap,HeapAlloc,GetCurrentThreadId,memset,GetProcessHeap,HeapAlloc,GetCurrentThreadId,memset,GetCurrentThreadId,NtQueryTimerResolution,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF6787ABFB0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CEFB4 GetCurrentThreadId,memset,NtQuerySystemInformation,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,	33_2_00007FF6787CEFB4
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787B9118 NtQuerySystemInformation,	33_2_00007FF6787B9118
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67877B1DC NtPowerInformation,RtlNtStatusToDosError,	33_2_00007FF67877B1DC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879B1E8 NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF67879B1E8
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AE234 GetCurrentThreadId,NtQueryInformationProcess,CloseHandle,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF6787AE234
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6788102EC NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,HeapAlloc,memset,NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,RtlInitUnicodeString,RtlCompareUnicodeString,	33_2_00007FF6788102EC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787802EC GetLogicalProcessorInformationEx,GetLastError,GetCurrentThreadId,GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetLogicalProcessorInformationEx,GetLastError,GetCurrentThreadId,RtlNumberOfSetBitsUlongPtr,GetCurrentThreadId,GetCurrentThreadId,NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,GetProcessHeap,HeapFree,	33_2_00007FF6787802EC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AE334 GetCurrentThread,NtQueryInformationThread,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF6787AE334
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787FE27C DuplicateHandle,GetLastError,NtQueryInformationFile,RtlNtStatusToDosError,GetFileType,CloseHandle,	33_2_00007FF6787FE27C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787AA46C GetLogicalProcessorInformationEx,GetProcessHeap,HeapAlloc,memset,NtPowerInformation,RtlNtStatusToDosError,GetProcessHeap,HeapFree,GetCurrentThreadId,GetProcessHeap,HeapFree,GetCurrentThreadId,	33_2_00007FF6787AA46C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787B6478 PcwCreateQuery,GetCurrentThreadId,RtlInitUnicodeString,RtlInitUnicodeString,PcwAddQueryItem,GetCurrentThreadId,GetProcessHeap,HeapAlloc,GetCurrentThreadId,memset,GetProcessHeap,HeapAlloc,GetCurrentThreadId,memset,PcwCreateQuery,GetCurrentThreadId,RtlInitUnicodeString,RtlInitUnicodeString,PcwAddQueryItem,GetCurrentThreadId,GetProcessHeap,HeapAlloc,GetCurrentThreadId,memset,GetProcessHeap,HeapAlloc,GetCurrentThreadId,memset,NtQueryTimerResolution,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF6787B6478
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787905BC memset,NtQueryInformationProcess,CloseHandle,RtlNtStatusToDosError,GetCurrentThreadId,	33_2_00007FF6787905BC

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe

Code function: 27_2_00007FF7010ACA2C: CreateFileW,DeviceIoControl,CloseHandle,CoCreateInstance,CloseHandle,

27_2_00007FF7010ACA2C

Sample file is different than original file name gathered from version info

Source: 3FLps29lWm.dll

Binary or memory string: OriginalFilenamekbdyj% vs 3FLps29lWm.dll

PE file contains strange resources

Source: rstrui.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: rstrui.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: rstrui.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Taskmgr.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FXSCOVER.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FXSCOVER.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FXSCOVER.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dialer.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Windows\System32\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

PE file contains more sections than normal

Source: DUI70.dll.9.dr	Static PE information: Number of sections : 48 > 10
Source: 3FLps29lWm.dll	Static PE information: Number of sections : 47 > 10
Source: WINMM.dll.9.dr	Static PE information: Number of sections : 48 > 10
Source: SRCORE.dll.9.dr	Static PE information: Number of sections : 48 > 10
Source: TAPI32.dll.9.dr	Static PE information: Number of sections : 48 > 10
Source: MFC42u.dll.9.dr	Static PE information: Number of sections : 48 > 10

Source: 3FLps29lWm.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SRCORE.dll.9.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.9.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFC42u.dll.9.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINMM.dll.9.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TAPI32.dll.9.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 3FLps29lWm.dll	Virustotal: Detection: 71%
Source: 3FLps29lWm.dll	Metadefender: Detection: 62%
Source: 3FLps29lWm.dll	ReversingLabs: Detection: 75%

Source: 3FLps29lWm.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\3FLps29lWm.dll'
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3FLps29lWm.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\3FLps29lWm.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3FLps29lWm.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BeginBufferedAnimation
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6448 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BeginBufferedPaint
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BeginPanningFeedback
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintClear
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintInit
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintRenderAnimation
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintSetAlpha
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\rstrui.exe C:\Windows\system32\rstrui.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\UIPe\rstrui.exe C:\Users\user\AppData\Local\UIPe\rstrui.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\Taskmgr.exe C:\Windows\system32\Taskmgr.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\FXSCOVER.exe C:\Windows\system32\FXSCOVER.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\yeShxe\mstsc.exe C:\Users\user\AppData\Local\yeShxe\mstsc.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3FLps29lWm.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\3FLps29lWm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BeginBufferedAnimation	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BeginBufferedPaint	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BeginPanningFeedback	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintClear	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintInit	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintRenderAnimation	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintSetAlpha	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3FLps29lWm.dll',#1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6448 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\rstrui.exe C:\Windows\system32\rstrui.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\UIPe\rstrui.exe C:\Users\user\AppData\Local\UIPe\rstrui.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\Taskmgr.exe C:\Windows\system32\Taskmgr.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\FXSCOVER.exe C:\Windows\system32\FXSCOVER.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\yeShxe\mstsc.exe C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010A7798 LookupPrivilegeValueW,SetLastError,AdjustTokenPrivileges,GetLastError,		27_2_00007FF7010A7798
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879E0A4 GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetCurrentProcess,OpenProcessToken,GetLastError,GetCurrentThreadId,AdjustTokenPrivileges,GetLastError,GetCurrentThreadId,CloseHandle,GetProcessHeap,HeapFree,		33_2_00007FF67879E0A4

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF3E5B0442C91F7FC3.TMP

Jump to behavior

Source: Taskmgr.exe.9.dr	Binary string: Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\device\mup\WdcAppHistoryMonitor::GetColumnTexth:mm:ssWdcAppHistoryMonitor::UpdateInitializeAppHistoryMessageWindowWdcAppHistoryMonitor::_ReconcileImmersiveApplicationWdcAppHistoryMonitor::_ReconcileSingleAppPackageWdcAppHistoryMonitor::_ReconcileMultiAppPackageWdcAppHistoryMonitor::_GetPackageIconPathAppXManifest.xmlLogoWdcAppHistoryMonitor::_GetIconAndBackgroundColorForApplicationWdcAppHistoryMonitor::_CreateAppHistoryEntryWdcAppHistoryMonitor::_CreateApplicationEntryWdcAppHistoryMonitor::_CreateAndInitIconItemWdcAppHistoryMonitor::_SetIconWdcAppHistoryMonitor::_SetStackedIconWdcAppHistoryMonitor::_GetDwmDosPath%s%s\dwm.exeWdcAppHistoryMonitor::_AddDesktopItemEntry%windir%\system32\svchost.exeWdcAppHistoryMonitor::_AddAppMappingKeyByKeyWdcAppHistoryMonitor::_MapAndGetPackageNameKeyWdcAppHistoryMonitor::_MapAndGetSpecialItemEntrySystem\System interruptssvchost.exe [Uninstalled AppsRemote running AppsWdcAppHistoryMonitor::_MapAndGetDesktopItemEntryWdcAppHistoryMonitor::_CheckAndProcessShortExePathsWdcAppHistoryMonitor::_AddAppMappingKeyWdcAppHistoryMonitor::_RemoveAppMappingKeyByPrimarykeyWdcAppHistoryMonitor::_IsImmersiveApplicationInstallDateSoftware\Microsoft\Windows NT\CurrentVersionLastUpdateTextWdcAppHistoryMonitor::_RefreshLastUpdatedTextWdcAppHistoryMonitor::_RetireOldUsageDataWdcAppHistoryMonitor::_RegisterForSrumDataWdcAppHistoryMonitor::_ProcessNetworkSrumRecordWdcAppHistoryMonitor::_UpdateServiceMappingWdcAppHistoryMonitor::_GetServiceExePathWdcAppHistoryMonitor::_InitializeDataSourcesWdcAppHistoryMonitor::_ProcessCpuSrumRecordWdcAppHistoryMonitor::_ProcessNotificationsSrumRecordAppHistoryStringCache::InitializeAppHistoryStringCache::AddI
Source: Taskmgr.exe.9.dr	Binary string: tX~QDUI_GetElementScreenBoundsbase\diagnosis\pdui\atm\utils.cppTmFormatMessageDUI_GetElementBoundsIPropertyStore_GetStringIPropertyStore_GetBSTRIPropertyStore_GetUInt32Software\Microsoft\Windows\CurrentVersion\StartupNotifyResetNotificationEnableStartupAppNotificationCAdapter::IncreaseArraySizeCAdapter::InitCOMCAdapter::RefreshAdapterTableCAdapter::GetAdapterListCAdapter::GetAdapterInfoCAdapter::InitializeAdapter\Device\%sCAdapter::GetNetworkStatusCAdapter::NormalizeValueCAdapter::SetNetworkProperties- %sCAdapter::WifiSetPropertiesSoftware\Microsoft\Windows\CurrentVersion\Control Panel\Settings\NetworkWiFiToWlanCAdapter::WWanSetPropertiesCAdapter::WwanUpdatePropertiesCAdapter::IsDomainAuthenticatedCAdapter::BluetoothSetPropertiesCAdapter::EthernetSetPropertiesCAdapter::GetNetworkTitleNetCfgInstanceIdCharacteristics

Source: classification engine

Classification label: mal100.troj.evad.winDLL@43/102@13/6

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe

Code function: 27_2_00007FF7010ACA2C CreateFileW,DeviceIoControl,CloseHandle,CoCreateInstance,CloseHandle,

27_2_00007FF7010ACA2C

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

Code function: 33_2_00007FF6787D7A00 FormatMessageW,GetLastError,

33_2_00007FF6787D7A00

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_000000014003C240 GetProcessId,CreateToolhelp32Snapshot,Thread32First,

3_2_000000014003C240

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3FLps29lWm.dll',#1

Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Mutant created: \Sessions\1\BaseNamedObjects\{0331cfef-83a8-ddec-d68b-60fc492028d0}
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Mutant created: \Sessions\1\BaseNamedObjects\{897aaf70-ec98-d9a5-5c72-a2485b288656}

Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe

Code function: 43_2_00007FF601014EC4 LoadLibraryExW,FindResourceExW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,free,free,

43_2_00007FF601014EC4

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 3FLps29lWm.dll

Static PE information: Image base 0x140000000 > 0x60000000

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: 3FLps29lWm.dll

Static file information: File size 1646592 > 1048576

Source: 3FLps29lWm.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: FXSCOVER.pdb source: FXSCOVER.exe, 00000027.00000002.451597797.00007FF753F02000.00000002.00020000.sdmp, FXSCOVER.exe.9.dr
Source:	Binary string: Taskmgr.pdbUGP source: Taskmgr.exe, 00000021.00000002.410121511.00007FF678813000.00000002.00020000.sdmp, Taskmgr.exe.9.dr
Source:	Binary string: dialer.pdbGCTL source: dialer.exe.9.dr
Source:	Binary string: FXSCOVER.pdbGCTL source: FXSCOVER.exe, 00000027.00000002.451597797.00007FF753F02000.00000002.00020000.sdmp, FXSCOVER.exe.9.dr
Source:	Binary string: Taskmgr.pdb source: Taskmgr.exe, 00000021.00000002.410121511.00007FF678813000.00000002.00020000.sdmp, Taskmgr.exe.9.dr
Source:	Binary string: rstrui.pdbGCTL source: rstrui.exe, 0000001B.00000000.343039764.00007FF7010B1000.00000002.00020000.sdmp, rstrui.exe.9.dr
Source:	Binary string: rstrui.pdb source: rstrui.exe, 0000001B.00000000.343039764.00007FF7010B1000.00000002.00020000.sdmp, rstrui.exe.9.dr
Source:	Binary string: mstsc.pdbGCTL source: mstsc.exe, 0000002B.00000000.457004471.00007FF601134000.00000002.00020000.sdmp, mstsc.exe.9.dr
Source:	Binary string: dialer.pdb source: dialer.exe.9.dr
Source:	Binary string: mstsc.pdb source: mstsc.exe, 0000002B.00000000.457004471.00007FF601134000.00000002.00020000.sdmp, mstsc.exe.9.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_0000000140056A4D push rdi; ret

3_2_0000000140056A4E

PE file contains sections with non-standard names

Source: 3FLps29lWm.dll	Static PE information: section name: .qkm
Source: 3FLps29lWm.dll	Static PE information: section name: .cvjb
Source: 3FLps29lWm.dll	Static PE information: section name: .tlmkv
Source: 3FLps29lWm.dll	Static PE information: section name: .wucsxe
Source: 3FLps29lWm.dll	Static PE information: section name: .fltwtj
Source: 3FLps29lWm.dll	Static PE information: section name: .sfplio
Source: 3FLps29lWm.dll	Static PE information: section name: .rpg
Source: 3FLps29lWm.dll	Static PE information: section name: .bewzc
Source: 3FLps29lWm.dll	Static PE information: section name: .vksvaw
Source: 3FLps29lWm.dll	Static PE information: section name: .wmhg
Source: 3FLps29lWm.dll	Static PE information: section name: .kswemc
Source: 3FLps29lWm.dll	Static PE information: section name: .kaxfk
Source: 3FLps29lWm.dll	Static PE information: section name: .pjf
Source: 3FLps29lWm.dll	Static PE information: section name: .retjqj
Source: 3FLps29lWm.dll	Static PE information: section name: .mizn
Source: 3FLps29lWm.dll	Static PE information: section name: .rsrub
Source: 3FLps29lWm.dll	Static PE information: section name: .susbqq
Source: 3FLps29lWm.dll	Static PE information: section name: .jeojcw
Source: 3FLps29lWm.dll	Static PE information: section name: .vwl
Source: 3FLps29lWm.dll	Static PE information: section name: .mub
Source: 3FLps29lWm.dll	Static PE information: section name: .xwxpmb
Source: 3FLps29lWm.dll	Static PE information: section name: .aea
Source: 3FLps29lWm.dll	Static PE information: section name: .lwpch
Source: 3FLps29lWm.dll	Static PE information: section name: .nzgp
Source: 3FLps29lWm.dll	Static PE information: section name: .qimx
Source: 3FLps29lWm.dll	Static PE information: section name: .tkvgvo
Source: 3FLps29lWm.dll	Static PE information: section name: .tgipu
Source: 3FLps29lWm.dll	Static PE information: section name: .uwr
Source: 3FLps29lWm.dll	Static PE information: section name: .agscf
Source: 3FLps29lWm.dll	Static PE information: section name: .idba
Source: 3FLps29lWm.dll	Static PE information: section name: .txn
Source: 3FLps29lWm.dll	Static PE information: section name: .amfg
Source: 3FLps29lWm.dll	Static PE information: section name: .fgnmv
Source: 3FLps29lWm.dll	Static PE information: section name: .iqmp
Source: 3FLps29lWm.dll	Static PE information: section name: .hkwa
Source: 3FLps29lWm.dll	Static PE information: section name: .imjyew
Source: 3FLps29lWm.dll	Static PE information: section name: .qlv
Source: 3FLps29lWm.dll	Static PE information: section name: .vofo
Source: 3FLps29lWm.dll	Static PE information: section name: .emh
Source: 3FLps29lWm.dll	Static PE information: section name: .boy
Source: 3FLps29lWm.dll	Static PE information: section name: .twwn
Source: Taskmgr.exe.9.dr	Static PE information: section name: .imrsiv
Source: Taskmgr.exe.9.dr	Static PE information: section name: .didat
Source: mstsc.exe.9.dr	Static PE information: section name: .didat
Source: SRCORE.dll.9.dr	Static PE information: section name: .qkm
Source: SRCORE.dll.9.dr	Static PE information: section name: .cvjb
Source: SRCORE.dll.9.dr	Static PE information: section name: .tlmkv
Source: SRCORE.dll.9.dr	Static PE information: section name: .wucsxe
Source: SRCORE.dll.9.dr	Static PE information: section name: .fltwtj
Source: SRCORE.dll.9.dr	Static PE information: section name: .sfplio
Source: SRCORE.dll.9.dr	Static PE information: section name: .rpg
Source: SRCORE.dll.9.dr	Static PE information: section name: .bewzc
Source: SRCORE.dll.9.dr	Static PE information: section name: .vksvaw
Source: SRCORE.dll.9.dr	Static PE information: section name: .wmhg
Source: SRCORE.dll.9.dr	Static PE information: section name: .kswemc
Source: SRCORE.dll.9.dr	Static PE information: section name: .kaxfk
Source: SRCORE.dll.9.dr	Static PE information: section name: .pjf
Source: SRCORE.dll.9.dr	Static PE information: section name: .retjqj
Source: SRCORE.dll.9.dr	Static PE information: section name: .mizn
Source: SRCORE.dll.9.dr	Static PE information: section name: .rsrub
Source: SRCORE.dll.9.dr	Static PE information: section name: .susbqq
Source: SRCORE.dll.9.dr	Static PE information: section name: .jeojcw
Source: SRCORE.dll.9.dr	Static PE information: section name: .vwl
Source: SRCORE.dll.9.dr	Static PE information: section name: .mub
Source: SRCORE.dll.9.dr	Static PE information: section name: .xwxpmb
Source: SRCORE.dll.9.dr	Static PE information: section name: .aea
Source: SRCORE.dll.9.dr	Static PE information: section name: .lwpch
Source: SRCORE.dll.9.dr	Static PE information: section name: .nzgp
Source: SRCORE.dll.9.dr	Static PE information: section name: .qimx
Source: SRCORE.dll.9.dr	Static PE information: section name: .tkvgvo
Source: SRCORE.dll.9.dr	Static PE information: section name: .tgipu
Source: SRCORE.dll.9.dr	Static PE information: section name: .uwr
Source: SRCORE.dll.9.dr	Static PE information: section name: .agscf
Source: SRCORE.dll.9.dr	Static PE information: section name: .idba
Source: SRCORE.dll.9.dr	Static PE information: section name: .txn
Source: SRCORE.dll.9.dr	Static PE information: section name: .amfg
Source: SRCORE.dll.9.dr	Static PE information: section name: .fgnmv
Source: SRCORE.dll.9.dr	Static PE information: section name: .iqmp
Source: SRCORE.dll.9.dr	Static PE information: section name: .hkwa
Source: SRCORE.dll.9.dr	Static PE information: section name: .imjyew
Source: SRCORE.dll.9.dr	Static PE information: section name: .qlv
Source: SRCORE.dll.9.dr	Static PE information: section name: .vofo
Source: SRCORE.dll.9.dr	Static PE information: section name: .emh
Source: SRCORE.dll.9.dr	Static PE information: section name: .boy
Source: SRCORE.dll.9.dr	Static PE information: section name: .twwn
Source: SRCORE.dll.9.dr	Static PE information: section name: .bfj
Source: DUI70.dll.9.dr	Static PE information: section name: .qkm
Source: DUI70.dll.9.dr	Static PE information: section name: .cvjb
Source: DUI70.dll.9.dr	Static PE information: section name: .tlmkv
Source: DUI70.dll.9.dr	Static PE information: section name: .wucsxe
Source: DUI70.dll.9.dr	Static PE information: section name: .fltwtj
Source: DUI70.dll.9.dr	Static PE information: section name: .sfplio
Source: DUI70.dll.9.dr	Static PE information: section name: .rpg
Source: DUI70.dll.9.dr	Static PE information: section name: .bewzc
Source: DUI70.dll.9.dr	Static PE information: section name: .vksvaw
Source: DUI70.dll.9.dr	Static PE information: section name: .wmhg
Source: DUI70.dll.9.dr	Static PE information: section name: .kswemc
Source: DUI70.dll.9.dr	Static PE information: section name: .kaxfk
Source: DUI70.dll.9.dr	Static PE information: section name: .pjf
Source: DUI70.dll.9.dr	Static PE information: section name: .retjqj
Source: DUI70.dll.9.dr	Static PE information: section name: .mizn
Source: DUI70.dll.9.dr	Static PE information: section name: .rsrub
Source: DUI70.dll.9.dr	Static PE information: section name: .susbqq
Source: DUI70.dll.9.dr	Static PE information: section name: .jeojcw
Source: DUI70.dll.9.dr	Static PE information: section name: .vwl
Source: DUI70.dll.9.dr	Static PE information: section name: .mub
Source: DUI70.dll.9.dr	Static PE information: section name: .xwxpmb
Source: DUI70.dll.9.dr	Static PE information: section name: .aea
Source: DUI70.dll.9.dr	Static PE information: section name: .lwpch
Source: DUI70.dll.9.dr	Static PE information: section name: .nzgp
Source: DUI70.dll.9.dr	Static PE information: section name: .qimx
Source: DUI70.dll.9.dr	Static PE information: section name: .tkvgvo
Source: DUI70.dll.9.dr	Static PE information: section name: .tgipu
Source: DUI70.dll.9.dr	Static PE information: section name: .uwr
Source: DUI70.dll.9.dr	Static PE information: section name: .agscf
Source: DUI70.dll.9.dr	Static PE information: section name: .idba
Source: DUI70.dll.9.dr	Static PE information: section name: .txn
Source: DUI70.dll.9.dr	Static PE information: section name: .amfg
Source: DUI70.dll.9.dr	Static PE information: section name: .fgnmv
Source: DUI70.dll.9.dr	Static PE information: section name: .iqmp
Source: DUI70.dll.9.dr	Static PE information: section name: .hkwa
Source: DUI70.dll.9.dr	Static PE information: section name: .imjyew
Source: DUI70.dll.9.dr	Static PE information: section name: .qlv
Source: DUI70.dll.9.dr	Static PE information: section name: .vofo
Source: DUI70.dll.9.dr	Static PE information: section name: .emh
Source: DUI70.dll.9.dr	Static PE information: section name: .boy
Source: DUI70.dll.9.dr	Static PE information: section name: .twwn
Source: DUI70.dll.9.dr	Static PE information: section name: .szc
Source: MFC42u.dll.9.dr	Static PE information: section name: .qkm
Source: MFC42u.dll.9.dr	Static PE information: section name: .cvjb
Source: MFC42u.dll.9.dr	Static PE information: section name: .tlmkv
Source: MFC42u.dll.9.dr	Static PE information: section name: .wucsxe
Source: MFC42u.dll.9.dr	Static PE information: section name: .fltwtj
Source: MFC42u.dll.9.dr	Static PE information: section name: .sfplio
Source: MFC42u.dll.9.dr	Static PE information: section name: .rpg
Source: MFC42u.dll.9.dr	Static PE information: section name: .bewzc
Source: MFC42u.dll.9.dr	Static PE information: section name: .vksvaw
Source: MFC42u.dll.9.dr	Static PE information: section name: .wmhg
Source: MFC42u.dll.9.dr	Static PE information: section name: .kswemc
Source: MFC42u.dll.9.dr	Static PE information: section name: .kaxfk
Source: MFC42u.dll.9.dr	Static PE information: section name: .pjf
Source: MFC42u.dll.9.dr	Static PE information: section name: .retjqj
Source: MFC42u.dll.9.dr	Static PE information: section name: .mizn
Source: MFC42u.dll.9.dr	Static PE information: section name: .rsrub
Source: MFC42u.dll.9.dr	Static PE information: section name: .susbqq
Source: MFC42u.dll.9.dr	Static PE information: section name: .jeojcw
Source: MFC42u.dll.9.dr	Static PE information: section name: .vwl
Source: MFC42u.dll.9.dr	Static PE information: section name: .mub
Source: MFC42u.dll.9.dr	Static PE information: section name: .xwxpmb
Source: MFC42u.dll.9.dr	Static PE information: section name: .aea
Source: MFC42u.dll.9.dr	Static PE information: section name: .lwpch
Source: MFC42u.dll.9.dr	Static PE information: section name: .nzgp
Source: MFC42u.dll.9.dr	Static PE information: section name: .qimx
Source: MFC42u.dll.9.dr	Static PE information: section name: .tkvgvo
Source: MFC42u.dll.9.dr	Static PE information: section name: .tgipu
Source: MFC42u.dll.9.dr	Static PE information: section name: .uwr
Source: MFC42u.dll.9.dr	Static PE information: section name: .agscf
Source: MFC42u.dll.9.dr	Static PE information: section name: .idba
Source: MFC42u.dll.9.dr	Static PE information: section name: .txn
Source: MFC42u.dll.9.dr	Static PE information: section name: .amfg
Source: MFC42u.dll.9.dr	Static PE information: section name: .fgnmv
Source: MFC42u.dll.9.dr	Static PE information: section name: .iqmp
Source: MFC42u.dll.9.dr	Static PE information: section name: .hkwa
Source: MFC42u.dll.9.dr	Static PE information: section name: .imjyew
Source: MFC42u.dll.9.dr	Static PE information: section name: .qlv
Source: MFC42u.dll.9.dr	Static PE information: section name: .vofo
Source: MFC42u.dll.9.dr	Static PE information: section name: .emh
Source: MFC42u.dll.9.dr	Static PE information: section name: .boy
Source: MFC42u.dll.9.dr	Static PE information: section name: .twwn
Source: MFC42u.dll.9.dr	Static PE information: section name: .atgtj
Source: WINMM.dll.9.dr	Static PE information: section name: .qkm
Source: WINMM.dll.9.dr	Static PE information: section name: .cvjb
Source: WINMM.dll.9.dr	Static PE information: section name: .tlmkv
Source: WINMM.dll.9.dr	Static PE information: section name: .wucsxe
Source: WINMM.dll.9.dr	Static PE information: section name: .fltwtj
Source: WINMM.dll.9.dr	Static PE information: section name: .sfplio
Source: WINMM.dll.9.dr	Static PE information: section name: .rpg
Source: WINMM.dll.9.dr	Static PE information: section name: .bewzc
Source: WINMM.dll.9.dr	Static PE information: section name: .vksvaw
Source: WINMM.dll.9.dr	Static PE information: section name: .wmhg
Source: WINMM.dll.9.dr	Static PE information: section name: .kswemc
Source: WINMM.dll.9.dr	Static PE information: section name: .kaxfk
Source: WINMM.dll.9.dr	Static PE information: section name: .pjf
Source: WINMM.dll.9.dr	Static PE information: section name: .retjqj
Source: WINMM.dll.9.dr	Static PE information: section name: .mizn
Source: WINMM.dll.9.dr	Static PE information: section name: .rsrub
Source: WINMM.dll.9.dr	Static PE information: section name: .susbqq
Source: WINMM.dll.9.dr	Static PE information: section name: .jeojcw
Source: WINMM.dll.9.dr	Static PE information: section name: .vwl
Source: WINMM.dll.9.dr	Static PE information: section name: .mub
Source: WINMM.dll.9.dr	Static PE information: section name: .xwxpmb
Source: WINMM.dll.9.dr	Static PE information: section name: .aea
Source: WINMM.dll.9.dr	Static PE information: section name: .lwpch
Source: WINMM.dll.9.dr	Static PE information: section name: .nzgp
Source: WINMM.dll.9.dr	Static PE information: section name: .qimx
Source: WINMM.dll.9.dr	Static PE information: section name: .tkvgvo
Source: WINMM.dll.9.dr	Static PE information: section name: .tgipu
Source: WINMM.dll.9.dr	Static PE information: section name: .uwr
Source: WINMM.dll.9.dr	Static PE information: section name: .agscf
Source: WINMM.dll.9.dr	Static PE information: section name: .idba
Source: WINMM.dll.9.dr	Static PE information: section name: .txn
Source: WINMM.dll.9.dr	Static PE information: section name: .amfg
Source: WINMM.dll.9.dr	Static PE information: section name: .fgnmv
Source: WINMM.dll.9.dr	Static PE information: section name: .iqmp
Source: WINMM.dll.9.dr	Static PE information: section name: .hkwa
Source: WINMM.dll.9.dr	Static PE information: section name: .imjyew
Source: WINMM.dll.9.dr	Static PE information: section name: .qlv
Source: WINMM.dll.9.dr	Static PE information: section name: .vofo
Source: WINMM.dll.9.dr	Static PE information: section name: .emh
Source: WINMM.dll.9.dr	Static PE information: section name: .boy
Source: WINMM.dll.9.dr	Static PE information: section name: .twwn
Source: WINMM.dll.9.dr	Static PE information: section name: .ukfrns
Source: TAPI32.dll.9.dr	Static PE information: section name: .qkm
Source: TAPI32.dll.9.dr	Static PE information: section name: .cvjb
Source: TAPI32.dll.9.dr	Static PE information: section name: .tlmkv
Source: TAPI32.dll.9.dr	Static PE information: section name: .wucsxe
Source: TAPI32.dll.9.dr	Static PE information: section name: .fltwtj
Source: TAPI32.dll.9.dr	Static PE information: section name: .sfplio
Source: TAPI32.dll.9.dr	Static PE information: section name: .rpg
Source: TAPI32.dll.9.dr	Static PE information: section name: .bewzc
Source: TAPI32.dll.9.dr	Static PE information: section name: .vksvaw
Source: TAPI32.dll.9.dr	Static PE information: section name: .wmhg
Source: TAPI32.dll.9.dr	Static PE information: section name: .kswemc
Source: TAPI32.dll.9.dr	Static PE information: section name: .kaxfk
Source: TAPI32.dll.9.dr	Static PE information: section name: .pjf
Source: TAPI32.dll.9.dr	Static PE information: section name: .retjqj
Source: TAPI32.dll.9.dr	Static PE information: section name: .mizn
Source: TAPI32.dll.9.dr	Static PE information: section name: .rsrub
Source: TAPI32.dll.9.dr	Static PE information: section name: .susbqq
Source: TAPI32.dll.9.dr	Static PE information: section name: .jeojcw
Source: TAPI32.dll.9.dr	Static PE information: section name: .vwl
Source: TAPI32.dll.9.dr	Static PE information: section name: .mub
Source: TAPI32.dll.9.dr	Static PE information: section name: .xwxpmb
Source: TAPI32.dll.9.dr	Static PE information: section name: .aea
Source: TAPI32.dll.9.dr	Static PE information: section name: .lwpch
Source: TAPI32.dll.9.dr	Static PE information: section name: .nzgp
Source: TAPI32.dll.9.dr	Static PE information: section name: .qimx
Source: TAPI32.dll.9.dr	Static PE information: section name: .tkvgvo
Source: TAPI32.dll.9.dr	Static PE information: section name: .tgipu
Source: TAPI32.dll.9.dr	Static PE information: section name: .uwr
Source: TAPI32.dll.9.dr	Static PE information: section name: .agscf
Source: TAPI32.dll.9.dr	Static PE information: section name: .idba
Source: TAPI32.dll.9.dr	Static PE information: section name: .txn
Source: TAPI32.dll.9.dr	Static PE information: section name: .amfg
Source: TAPI32.dll.9.dr	Static PE information: section name: .fgnmv
Source: TAPI32.dll.9.dr	Static PE information: section name: .iqmp
Source: TAPI32.dll.9.dr	Static PE information: section name: .hkwa
Source: TAPI32.dll.9.dr	Static PE information: section name: .imjyew
Source: TAPI32.dll.9.dr	Static PE information: section name: .qlv
Source: TAPI32.dll.9.dr	Static PE information: section name: .vofo
Source: TAPI32.dll.9.dr	Static PE information: section name: .emh
Source: TAPI32.dll.9.dr	Static PE information: section name: .boy
Source: TAPI32.dll.9.dr	Static PE information: section name: .twwn
Source: TAPI32.dll.9.dr	Static PE information: section name: .tgm

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe

Code function: 39_2_00007FF753EF95B0 #337,memset,#1463,SetErrorMode,LoadLibraryW,GetProcAddress,SetErrorMode,

39_2_00007FF753EF95B0

PE file contains an invalid checksum

Source: DUI70.dll.9.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1e1f15
Source: 3FLps29lWm.dll	Static PE information: real checksum: 0x7d786c40 should be: 0x1a0dca
Source: WINMM.dll.9.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1956b4
Source: SRCORE.dll.9.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x195440
Source: TAPI32.dll.9.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x19f097
Source: MFC42u.dll.9.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x19d221

Binary contains a suspicious time stamp

Source: rstrui.exe.9.dr

Static PE information: 0x8C9CC4A4 [Mon Oct 3 05:09:56 2044 UTC]

Registers a DLL

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\3FLps29lWm.dll

Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679

Persistence and Installation Behavior:

Drops PE files

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\zOAoLK\DUI70.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\yeShxe\WINMM.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\UIPe\SRCORE.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\c5BVxaoEy\dialer.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\lFQXVd7\MFC42u.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\c5BVxaoEy\TAPI32.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwSetEvent new code: 0xE9 0x9B 0xBB 0xB5 0x5E 0xEF

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879BA9C IsIconic,IsZoomed,IsZoomed,GetWindowRect,EqualRect,CopyRect,GetWindowRect,EqualRect,CopyRect,GetCurrentThreadId,RegSetValueExW,GetCurrentThreadId,RegCloseKey,	33_2_00007FF67879BA9C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787FCBA0 IsIconic,ShowWindowAsync,GetLastActivePopup,IsWindow,GetWindowLongW,ShowWindow,SwitchToThisWindow,MessageBeep,	33_2_00007FF6787FCBA0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787ECE0C IsIconic,ShowWindowAsync,SetWindowPos,AllowSetForegroundWindow,SetForegroundWindow,	33_2_00007FF6787ECE0C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C4D60 GetClientRect,SetWindowPos,IsIconic,ShowWindow,GetCurrentThreadId,DefWindowProcW,PostMessageW,DestroyWindow,DestroyWindow,GetFocus,IsWindow,SetFocus,?GetKeyFocusedElement@HWNDElement@DirectUI@@SAPEAVElement@2@XZ,SetFocus,PostQuitMessage,LoadIconW,SendMessageW,SetTimer,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,CheckMenuItem,GetCurrentThreadId,GetCurrentThreadId,ShowWindow,GetCurrentThreadId,GetTickCount64,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,KillTimer,GetCurrentThreadId,GetCurrentThreadId,OpenIcon,SetForegroundWindow,SetWindowPos,PostMessageW,PostMessageW,IsWindowEnabled,GetTickCount64,	33_2_00007FF6787C4D60
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67880CDB0 IsIconic,PostMessageW,	33_2_00007FF67880CDB0
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF67879824C IsZoomed,IsIconic,GetWindowRect,GetWindowRect,	33_2_00007FF67879824C
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EFAD40 SetForegroundWindow,IsIconic,#6632,	39_2_00007FF753EFAD40
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60101CE48 IsIconic,GetWindowPlacement,GetLastError,	43_2_00007FF60101CE48
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601019A6C IsIconic,GetWindowPlacement,GetWindowRect,	43_2_00007FF601019A6C
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60101CF28 IsIconic,GetWindowPlacement,GetLastError,IsZoomed,SetWindowPlacement,GetLastError,SetWindowPos,SetWindowPos,GetClientRect,MoveWindow,	43_2_00007FF60101CF28
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60109C560 GetWindowRect,IsWindow,IsIconic,GetSystemMetrics,GetSystemMetrics,GetWindowRect,PtInRect,PtInRect,SystemParametersInfoW,CopyRect,SetWindowPos,	43_2_00007FF60109C560
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF6010239A0 SetFocus,LoadCursorW,SetCursor,DefWindowProcW,GetClientRect,IsIconic,memset,GetTitleBarInfo,GetCursorPos,SendMessageW,	43_2_00007FF6010239A0
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF60101F5A4 DefWindowProcW,IsIconic,GetClientRect,GetLastError,VariantClear,DefWindowProcW,	43_2_00007FF60101F5A4
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601022884 GetWindowRect,GetWindowLongW,GetWindowLongW,memset,CopyRect,IntersectRect,MoveWindow,IsIconic,memset,GetWindowPlacement,	43_2_00007FF601022884
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF6010204F8 IsZoomed,IsIconic,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,	43_2_00007FF6010204F8
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601021B44 lstrcmpW,LockWindowUpdate,IsIconic,GetWindowPlacement,GetWindowLongW,SetWindowLongW,SetWindowLongW,VariantInit,VariantClear,GetRgnBox,OffsetRgn,VariantClear,ShowWindow,SetWindowPos,SetWindowPos,SetWindowRgn,LockWindowUpdate,	43_2_00007FF601021B44
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601022F5C IsWindowVisible,IsIconic,	43_2_00007FF601022F5C

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded

Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\c5BVxaoEy\dialer.exe			Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\c5BVxaoEy\TAPI32.dll			Jump to dropped file

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF70109DE58 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [rdi], 02h and CTI: jne 00007FF70109DFA2h	27_2_00007FF70109DE58
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF70109BBCC GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [r15+50h], 14h and CTI: jnc 00007FF70109BD17h	27_2_00007FF70109BBCC
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF70109BBCC GetSystemTimeAsFileTime followed by cmp: cmp ecx, 03h and CTI: jne 00007FF70109BD66h	27_2_00007FF70109BBCC

Source: C:\Windows\System32\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_000000014005C340 GetSystemInfo,

3_2_000000014005C340

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000014005D290 FindFirstFileExW,		3_2_000000014005D290
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010A5FEC memset,memset,FindFirstFileW,FindFirstFileW,FindNextFileW,GetLastError,FindClose,FindClose,		27_2_00007FF7010A5FEC

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

Code function: 33_2_00007FF6787A9374 GetLogicalDriveStringsW,QueryDosDeviceW,GetLastError,_wcsnicmp,

33_2_00007FF6787A9374

Source: explorer.exe, 00000009.00000000.277647315.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000009.00000000.277647315.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: Taskmgr.exe	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: explorer.exe, 00000009.00000000.302216491.000000000F740000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Taskmgr.exe, 00000021.00000002.410121511.00007FF678813000.00000002.00020000.sdmp, Taskmgr.exe.9.dr	Binary or memory string: CRUMHelper::SrumHelperCallbackImplCRUMHelper::CalcDiskPctHistAndAvgNetbase\diagnosis\pdui\atm\network.cppWdcNetworkMonitor::PerInstanceDataRetrieveWdcNetworkMonitor::GetAdapterInfoWdcNetworkMonitor::QueryMemWdcMemoryMonitor::UpdateVMQuerybase\diagnosis\pdui\atm\memory.cppWdcMemoryMonitor::InitializePCWQueryHyper-V Dynamic Memory Integration ServiceMicrosoft HvWdcErrorMessageGetProcessWaitChainAsyncPopulateWaitTreeOnPostGetWaitChainTreeView_GetCheckedProcessCountInitializeMRTResourceManagerbase\diagnosis\pdui\atm\mrtutils.cppresources.priMrtGetThreadPreferredUILanguageNameMrtCreateOverrideResourceContextMrtProcessMRTFilePathTmGetLocalizedLogoPathTmCombinePath@~
Source: explorer.exe, 00000009.00000000.298728516.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.278490906.00000000089F6000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}dz
Source: explorer.exe, 00000009.00000000.235071296.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000009.00000000.277647315.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000009.00000000.277647315.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000009.00000000.249500361.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000009.00000000.235108827.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000009.00000000.302216491.000000000F740000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}F
Source: explorer.exe, 00000009.00000000.277647315.000000000871F000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATAJ
Source: explorer.exe, 00000009.00000000.278490906.00000000089F6000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.*

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

Code function: 33_2_00007FF678778ADC IsDebuggerPresent,

33_2_00007FF678778ADC

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

Code function: 33_2_00007FF67879A53C OutputDebugStringA,ActivateActCtx,GetLastError,

33_2_00007FF67879A53C

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe

Code function: 39_2_00007FF753EF95B0 #337,memset,#1463,SetErrorMode,LoadLibraryW,GetProcAddress,SetErrorMode,

39_2_00007FF753EF95B0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

Code function: 33_2_00007FF6787B09C0 GetProcessHeap,HeapAlloc,GetCurrentThreadId,memset,

33_2_00007FF6787B09C0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_0000000140048AC0 LdrLoadDll,FindClose,

3_2_0000000140048AC0

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010AFE80 SetUnhandledExceptionFilter,	27_2_00007FF7010AFE80
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: 27_2_00007FF7010B0104 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	27_2_00007FF7010B0104
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF678775CC0 SetUnhandledExceptionFilter,	33_2_00007FF678775CC0
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EFF960 SetUnhandledExceptionFilter,	39_2_00007FF753EFF960
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: 39_2_00007FF753EFF570 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	39_2_00007FF753EFF570
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Code function: 43_2_00007FF601132264 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	43_2_00007FF601132264

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: SRCORE.dll.9.dr

Jump to dropped file

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\System32\regsvr32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFB7377EFE0 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFB7377E000 protect: page execute read	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFB70FD2A20 protect: page execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\System32\regsvr32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Uses Atom Bombing / ProGate to inject into other processes

Source: C:\Windows\System32\regsvr32.exe

Jump to behavior

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe

Code function: 27_2_00007FF7010AD5FC memset,ShellExecuteExW,GetLastError,CloseHandle,

27_2_00007FF7010AD5FC

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3FLps29lWm.dll',#1

Jump to behavior

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe

27_2_00007FF7010AA8E0

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

Code function: 33_2_00007FF67879B4E0 AllocateAndInitializeSid,GetLastError,CheckTokenMembership,GetLastError,FreeSid,

33_2_00007FF67879B4E0

Source: explorer.exe, 00000009.00000000.307910218.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000009.00000000.287922674.0000000001980000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000009.00000000.287922674.0000000001980000.00000002.00020000.sdmp, Taskmgr.exe	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000000.287922674.0000000001980000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.287922674.0000000001980000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: Taskmgr.exe, 00000021.00000002.410121511.00007FF678813000.00000002.00020000.sdmp, Taskmgr.exe.9.dr	Binary or memory string: base\diagnosis\pdui\atm\tmutils.cppWdcInitializeCriticalSectionGetProcessAppContainerSidTmColumnHeaderbase\diagnosis\pdui\atm\colheader.cppResizerAtmColumnHeader::UpdateSysUtilizationColumnsHeatMapCumulativeTmGroupHeaderTmViewItemAtmViewItem::InitializeParentColumnViewExpandoImageWrapperTmFirstColumnAtmViewItem::InitializeChildColumnTmColStatusTextTmLeafIconTmViewRowAtmViewItem::UpdateChildRowViewExpandoButtonImageAtmViewItem::CreateChildViewItemFromDataTmViewItemSelectorTmColHeaderItemTmRowTextElementTmLegendElementTmAppViewItemTmAppChildViewItemTmUsersChildViewItemMicrosoft.MicrosoftEdge_8wekyb3d8bbweTmSpecialProcesses::InitProcessPathsbase\diagnosis\pdui\atm\applications.cppMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeSH.exeWindows.WARP.JITService.exeApp_MonitorWdcApplicationsMonitor::CreateEntryWdcApplicationsMonitor::UpdateInitializeWdcApplicationsMonitor::GetMemoryPercentageWdcApplicationsMonitor::ResolveImageFriendlyNameTabWindowClassWindows.UI.Core.CoreWindowMicrosoft EdgeWindows.WARP.JITServiceS-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-1206159417-1570029349-2913729690-1184509225S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-3513710562-3729412521-1863153555-1462103995S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-1821068571-1793888307-623627345-1529106238S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-3859068477-1314311106-1651661491-1685393560S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-4043415302-551583165-304772019-4009825106S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-1618978223-3991232872-53169767-3645722245S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-4256926629-1688279915-2739229046-3928706915S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-2385269614-3243675-834220592-3047885450S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-355265979-2879959831-980936148-1241729999WdcApplicationsMonitor::_CalcProcessStatusAndResUsageWdcApplicationsMonitor::SetRUMInfoWdcApplicationsMonitor::UpdateWdcApplicationsMonitor::_UpdateSysTrayUtilizationWdcApplicationsMonitor::_AtmUpdateApplicationsChildrenWdcApplicationsMonitor::GetColumnTextWdcApplicationsMonitor::AtmUpdateChildrenWdcApplicationsMonitor::_TmGetResContentionColumnWdcApplicationsMonitor::_UpdateSystemUtilizationColumnsWdcApplicationsMonitor::_HandleRestartExplorerWdcApplicationsMonitor::_HandleEndTaskWdcApplicationsMonitor::_EndProcessAndFramesWdcApplicationsMonitor::AtmOnProcessCommandWdcApplicationsMonitor::_SetPropertiesForProcessWdcApplicationsMonitor::UpdateProcessntoskrnl.exeWdcApplicationsMonitor::EnsureRUMHelperbrowser_broker.exeWdcApplicationsMonitor::_UpdateAggregationPackageIdWdcApplicationsMonitor::_UpdateAggregatableProcessWdcApplic

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\regsvr32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe	Queries volume information: unknown VolumeInformation

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: GetLocaleInfoW,GetUserDefaultLCID,	27_2_00007FF7010AB4C0
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe	Code function: GetLocaleInfoEx,GetLastError,	27_2_00007FF7010AB364
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: memset,memset,GetLocaleInfoW,GetLastError,_wtoi,GetProcessHeap,HeapAlloc,GetCurrentThreadId,	33_2_00007FF6787A6EBC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: GetCurrentProcessId,ProcessIdToSessionId,GetLocaleInfoEx,GetLastError,GetLocaleInfoEx,GetLastError,GetLocaleInfoEx,GetLastError,GetLocaleInfoEx,GetLastError,memset,GetKeyState,GetKeyState,GetKeyState,	33_2_00007FF67879AF2C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: GetThreadUILanguage,GetLocaleInfoW,	33_2_00007FF67879B2D4
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: GetUserPreferredUILanguages,GetLastError,GetUserPreferredUILanguages,GetLocaleInfoEx,	39_2_00007FF753EFBB04
Source: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	Code function: GetLocaleInfoW,	39_2_00007FF753EE5218

Queries the installation date of Windows

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe

Code function: 27_2_00007FF7010B0020 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

27_2_00007FF7010B0020

Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe

Code function: 27_2_00007FF7010AD808 memset,memset,GetTimeZoneInformation,GetTimeFormatW,

27_2_00007FF7010AD808

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe

Code function: 33_2_00007FF6787FFF30 GetVersionExW,#618,

33_2_00007FF6787FFF30

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787CFD10 ?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,GetCurrentThreadId,?SetID@Element@DirectUI@@QEAAJPEBG@Z,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,GetCurrentThreadId,?SetID@Element@DirectUI@@QEAAJPEBG@Z,GetCurrentThreadId,?SetAccDesc@Element@DirectUI@@QEAAJPEBG@Z,GetCurrentThreadId,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,GetCurrentThreadId,?Add@Element@DirectUI@@QEAAJPEAV12@@Z,GetCurrentThreadId,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,GetCurrentThreadId,SysFreeString,SysAllocString,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree,GetCurrentThreadId,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?SetID@Element@DirectUI@@QEAAJPEBG@Z,GetCurrentThreadId,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?SetLayoutPos@Element@DirectUI@@QEAAJH@Z,?SetLayoutPos@Element@DirectUI@@QEAAJH@Z,?SetLayoutPos@Element@DirectUI@@QEAAJH@Z,?SetLayoutPos@Element@DirectUI@@QEAAJH@Z,?SetLayoutPos@Element@DirectUI@@QEAAJH@Z,?Destroy@Element@DirectUI@@QEAAJ_N@Z,?Destroy@Element@DirectUI@@QEAAJ_N@Z,	33_2_00007FF6787CFD10
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787F3C44 StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?GetLayoutPos@Element@DirectUI@@QEAAHXZ,?SetContentString@Element@DirectUI@@QEAAJPEBG@Z,?SetLayoutPos@Element@DirectUI@@QEAAJH@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?GetLayoutPos@Element@DirectUI@@QEAAHXZ,?SetLayoutPos@Element@DirectUI@@QEAAJH@Z,?RemoveListener@Element@DirectUI@@QEAAXPEAUIElementListener@2@@Z,?SetWidth@Element@DirectUI@@QEAAJH@Z,	33_2_00007FF6787F3C44
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787C719C StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,GetCurrentThreadId,?Add@Element@DirectUI@@QEAAJPEAV12@@Z,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,GetCurrentThreadId,?Add@Element@DirectUI@@QEAAJPEAV12@@Z,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,GetCurrentThreadId,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,GetCurrentThreadId,?Add@Element@DirectUI@@QEAAJPEAV12@@Z,GetCurrentThreadId,?Destroy@Element@DirectUI@@QEAAJ_N@Z,	33_2_00007FF6787C719C
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787A9630 PathIsNetworkPathW,SHParseDisplayName,SHBindToParent,StrRetToBufW,ILFree,	33_2_00007FF6787A9630
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	Code function: 33_2_00007FF6787F46E0 StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,GetCurrentThreadId,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?GetParent@Element@DirectUI@@QEAAPEAV12@XZ,?GetParent@Element@DirectUI@@QEAAPEAV12@XZ,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?GetBorderThickness@Element@DirectUI@@QEAAPEBUtagRECT@@PEAPEAVValue@2@@Z,?Release@Value@DirectUI@@QEAAXXZ,	33_2_00007FF6787F46E0

ID:	483800
Product:	CloudBasic
Start time:	13:56:58
Start date:	15.09.2021
Sample:	3FLps29lWm
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	0636cf8dafa624e524ad748f38d22240
SHA1:	b347c65c5add7e2fb16fe30cedf46f57fd1eaa56
SHA256:	586999eb0a767ffedcc169d7aead09ebfc1528998def72fc9c5e4bfb245b1abc
Filetype:	Win64 Dynamic Link Library (generic) (102004/3) 86.43%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\BMWTD8BZ\contextual.media[1].xml	ASCII text, with very long lines, with no line terminators	66BD378DFBBF5FC467629E316E175663	1582CCDE052B189501ABB18940521E2DB30939C0	B5EF265E02AFF344D90395864AE8E9AA7F5BCF6A80CF048946E89F893EEE4DFF
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\I1HSUQNA\www.msn[1].xml	ASCII text, with no line terminators	C91588ECEFC5B5E318C8D8CF27DA0F64	39FCE7B733BE0628FC2F32EE45123C5E8ECCAA90	63E4B8C340E57B0305CE80025010ABCA330474E74AED6EE1CEF87CC6B62FBB84
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3E34CBB0-1668-11EC-90E4-ECF4BB862DED}.dat	Microsoft Word Document	5B7CB363563A91B74ECFC7FE21A355BB	7CB201C61C685B1A2CA3B08D5F667E67D322F999	19956D1E05E4596B0E53A4724B9FB14F825D57D2BD869A353B83FD9EFA6BD1EE
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3E34CBB2-1668-11EC-90E4-ECF4BB862DED}.dat	Microsoft Word Document	80DA4137352758A7E4E2F02C41EFED54	8E927E05D51218126A1AB20EBABEF6D3F22C9414	C6E0E006537EB73DFFFF2044B5F06C29F71254207A8174DD20FFE8BBF96DA2FC
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	DEFAAAF495592511280C1FFBAA5D2699	E250850DDE7BD47598B7E5D2B2EC17059A84B3B7	CF17C7948B2AE77E7FF422E96CFBEE5F86852FE85F45EFCCE84DBFAAD23078B3
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	70E3191019D51308C1563D8D510C8D2A	42C8E8FC4FAF8A19DA4AFC354E4DDCFB2CBA61B8	D2C2D763BE0DD9ADDA8D79B00CC03A45FC24D07D3C35DF4320DF8940D99EDEA9
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	E748FBD1CEAC992B2ABE4C40A5FBA60A	F650AB8BE93086EED1F71B4BEF650D686950FA78	30DDD728FF67A93D1E29D6A850A5D098ABFBDD3678AF4A1306C1DF8A9FA0147E
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	DF830B168C8105946A50E08E02673B69	1C0B099AFDA816AA3B1B76C705B052EBE445EB4A	8A37080B0A1A9BF3FAB49B539213D20948D24CCDD0F9F844958069EC4D376C30
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	C9E385031B2CC71BAB887CF96FC4B2DB	C3983B3259412776121413A020CDF0EB7EF8B3AF	B981284D826AE3290BD0D8E3BB08ADF20E371C5B19450773A3D5ADA08D2E5448
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	4A4E1121AD0509B020BDC73E5A77AEF1	3E9F297FAE1FC670F3DFECA7CD7D8BCA4521C9DB	BB2F05D5AB3AB90BB2796190EA22816B1AE24F532856AE91C8B63B16ADC13088
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	C7C1214FF676DFE25C7880C05D38AB0D	63EE487B9EB89C56465CF90D8ED1287416333DC5	566ED94A038F17D0119DAFC7DCAEC3B64E4A9A77FFC39B4F8518C1CBA9A461F2
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	04F02C66FCE99B2F51BAAF29D08B2BDF	1E3E91AD6D2776090C48C24B9685443EE7798983	3353E3C348C2A42D888264E6C45D9D83BFB8B1C24C1CD6D9F0C48FECCE4397C5
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	64771B2537EC2153FAAB9D30E2E5522F	0C37CF593256EF9BB8C364D24C82356C5B0C9AB4	944DC31374764EE2B998C601C461DE827E1C33A643C876BFF5337036832B22B5
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\ynfz0jx\imagestore.dat	data	E0961C2817CD74E62E5D0CF795446B9D	FFB5BF8A2CE975E36F8057F27E26334CDB49731C	DEB3B2285784A2FC589046029F568D65ACF2E9A1C2EEBB8D741BA6D0E3719BA8
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\4996b9[1].woff	Web Open Font Format, TrueType, length 45633, version 1.0	A92232F513DC07C229DDFA3DE4979FBA	EB6E465AE947709D5215269076F99766B53AE3D1	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\AAOqRpw[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3	0813DF3E9B74E3A0A42DD1BE1D19F349	1FD727B125DB1102AFE25AA0E196F68EDD1576AD	E38BC32CB72E0FCDB9D9B777111344679F3F34F969DE377591371A24A33ADA78
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\AAOr330[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3	D434391972BE55981A4B74BE9F11378B	92850CE6AC0CCD11A0EC47947CAE7DA63963949C	186E4B7737CD9F450D80E4C883C44DBAC26C37DA99E364B359954F7833086097
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\AAOrotA[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3	C08ACB86DA254FA6E1CEC7C411E34DBF	C141670138D7BF6987A4E37F5BA0EBEF817B7DBF	CFB7D84CB17F30BBA1D76F5FA0ADCD5B315DC7B5E57934691126BD6636CAFDD6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\AAOrtsf[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3	A4A42035E692330B43A4FA876B5C657D	967ACD0FF1AD19E9CE48E72969B2D8F4094CC854	A4118D303FE4ACCB655C772666C5F88C42E1238B6A1CE533535D9FD06102CA2C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BBPfCZL[1].png	GIF image data, version 89a, 50 x 50	59DAB7927838DE6A39856EED1495701B	A80734C857BFF8FF159C1879A041C6EA2329A1FA	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BBVuddh[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	636BACD8AA35BA805314755511D4CE04	9BB424A02481910CE3EE30ABDA54304D90D51CA9	157ED39615FC4B4BDB7E0D2CC541B3E0813A9C539D6615DB97420105AA6658E3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BBX2afX[1].png	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced	4AAAEC9CA6F651BE6C54B005E92EA928	7296EC91AC01A8C127CD5B032A26BBC0B64E1451	90396DF05C94DD44E772B064FF77BC1E27B5025AB9C21CE748A717380D4620DD
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\a5ea21[2].ico	PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced	84CC977D0EB148166481B01D8418E375	00E2461BCD67D7BA511DB230415000AEFBD30D2D	BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\a8a064[1].gif	GIF image data, version 89a, 28 x 28	3CC1C4952C8DC47B76BE62DC076CE3EB	65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979	10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\auction[1].htm	HTML document, ASCII text, with very long lines, with CRLF line terminators	59FFE3BAC035D18822C84504D7C94F28	977680FE72A8A78523CD0602D566A2BA42B809B7	868B33AA4250ECED05BEB3286DD4D1DABEB053134B74DF096AC9DC907E252FCB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\de-ch[1].htm	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators	0EAF55E223E3B7526741A3626124B6DD	9DE9DBB9573D78DE37EB2D07CCF075B6F1005971	34A5D7C5E3F5D08D12928EBDC54A3086215F283183D98184E9A1A0B870251BD4
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\favicon[1].ico	MS Windows icon resource - 2 icons, 16x16, 16 colors, 32x32, 16 colors	4123CE1E1732F202F60292941FF1487D	9F12B11BDE582DAE37CE8C160537D919C561C464	D961B08E4321250926DE6F79087594975FE20AD1518DE8F91EB711AF5D1A6EF8
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\http___cdn.taboola.com_libtrc_static_thumbnails_560ad3dcc869b1dfc2bac1c99d35ac81[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3	2D3B14E350CB8481DABEC32ECFD0A4B0	5D1A1B48BF5D185CF41AAF1CB5D9733D5F4C3DA5	6875CBE00B48173D9C98554DCDDB4B56389D794EABCC7C1A05C7F2A56BD325D6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\https___console.brax-cdn.com_creatives_b9476698-227d-4478-b354-042472d9181c_images_824258cd-2488-4e7c-b171-dad87f56f610_1000x600[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3	D2C20BF7706C810F628219875D8FD66E	9321BA0FB2923AD5198DBB22B69D37D59A182CCD	1DB8BE2422C05B1D92BD856FB22DB5B3E89A1611662C2BAFADAC85418AEE4E7A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\medianet[1].htm	HTML document, ASCII text, with very long lines	4A11D6BB2186A35585656CBC86D485FD	F55ED91E75B527A5CC266249900FEA6E8A2ED3B2	8651FE76AA50E3091D8745C4126C85205414745D2DB94149E3927E5B5C420702
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\nrrV75218[1].js	ASCII text, with very long lines, with no line terminators	266B344BAA9D1D8D076BE1AB041F5FDC	21BCC171508AD8B2E05FB1BB944D820931B7A144	6ABB63D55B62044D5439F604E3E0D5AF77F71E10535BB10949E71F743E692D8D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\otBannerSdk[1].js	ASCII text, with very long lines, with CRLF line terminators	2E5F92E8C8983AA13AA99F443965BB7D	D80209C734F458ABA811737C49E0A1EAF75F9BCA	11D9CC951D602A168BD260809B0FA200D645409B6250BD8E8996882EBE3F5A9D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\tag[1].js	ASCII text, with very long lines	89A48656B1A403FD1B77C8C5682B2110	5314E9541F542965B237E654A40AF9BED66540EB	C23483E07055D45989FE4A74C6C00E47210C1552D240360D19F2D86CA3128CCE
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\17-361657-68ddb2ab[1].js	ASCII text, with very long lines, with no line terminators	7ADA9104CCDE3FDFB92233C8D389C582	4E5BA29703A7329EC3B63192DE30451272348E0D	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\39ab3103-8560-4a55-bfc4-401f897cf6f2[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3	F7E694704782A95060AC87471F0AC7EA	F3925E2B2246A931CB81A96EE94331126DEDB909	DEEBF748D8EBEB50F9DFF0503606483CBD028D255A888E0006F219450AABCAAE
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AAMqFmF[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	DE563FA7F44557BF8AC02F9768813940	FE7DE6F67BFE9AA29185576095B9153346559B43	B9465D67666C6BAB5261BB57AE4FC52ED6C88E52D923210372A9692A928BDDE2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AANcu7b[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3	C3466D21DA49B7AADE86135CAF672867	31B0546925A77686B4CAA3B1B8DDB3094BC80774	353E0A946A167793ACC429264BB2AB11546A2775FF7E454B9A26A145CF63435A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AANf6qa[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	7ED73D785784B44CF3BD897AB475E5CF	47A753F5550D727F2FB5535AD77F5042E5F6D954	EEEA2FBC7695452F186059EC6668A2C8AE469975EBBAF5140B8AC40F642AC466
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AAOragN[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3	7217DEA32550ECA6EB4077F6FC7B22A2	E1006D9A77F02A26E3D7EEC75D42150414094911	0749E2DE1F6A6CA5CB70FA36531E612AEA76381976FD9B280A370AFBD67DAFDC
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AAOrf3O[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3	F31C25CD109029BB9B81573238168754	E5720FBAE52D77E9322DFE546F6D2871241B4661	47DB9857E31B2F2C07624CAADCF571E5511D76203DE517A6B006CABEB8322B56
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AAOrhGb[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3	431172B05E145BE51D798EF92AE95D6D	6EE53B78DF59C6B20A79BC848019F1E756C7D666	50B388CB54F3CA5FBDBCEE0E69933FEE8C96D9D383E0BFA9B87144F18E9011FF
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AAOrpxv[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3	79F8FDEE9B97ADB6CEE72CCB3D5222B9	5D8A268A6F15D9599550CC33C56920020B2F4245	D29B2E0A369EC8A448A389CFC263069554A7E312F7CFA74F4A438504F14614BF
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AAOrqro[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3	82A0AB042F8820EFBCA69F387AB73415	D79491E34BBA5DE65EF3988ED1F4D04FA33B8A87	15925D7C7CDC2DB2AEA17B2769FDA6B8C3B2A8132E104EBD70C7010318D6BA1F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1aXBV1[1].png	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced	D858BE67BEA11BF5CEC1B2A6C1C1F395	6090B195BEF6AF1157654048EECEA81E2DCEC42A	FC7CF2E8592C8E63CFF72530DA560E3293EC2DE3732823DBAEB4464609EA0494
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cG73h[1].png	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced	D1495662336B0F1575134D32AF5D670A	EF841C80BB68056D4EF872C3815B33F147CA31A8	8AD6ADB61B38AFF497F2EEB25D22DB30F25DE67D97A61DC6B050BB40A09ACD76
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1kvzy[1].png	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	C6E13630360E0B6D880AFDF3CD2A2204	63DCA80F76834F5A3FBE79F661678375239F72A4	49767874BCF0F0648266F3018B5CCE3CA539B85778E5395D1212ACB114287D65
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\de-ch[1].json	UTF-8 Unicode text, with very long lines, with no line terminators	408DDD452219F77E388108945DE7D0FE	C34BAE1E2EBD5867CB735A5C9573E08C4787E8E7	197C124AD4B7DD42D6628B9BEFD54226CCDCD631ECFAEE6FB857195835F3B385
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\http___cdn.taboola.com_libtrc_static_thumbnails_e17134d780918219c201cb1db8da2d3f[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3	E4216C30303B0FD3ECBE5C71E9ED5127	70D46FA259EA8E8AC4B3C3EF316BB9768F0CC762	D1895A9D1AC7CEDA7D5CB215475785DB696CC94EDF152E0F2799140020AB9D51
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\nrrV75218[1].js	ASCII text, with very long lines, with no line terminators	266B344BAA9D1D8D076BE1AB041F5FDC	21BCC171508AD8B2E05FB1BB944D820931B7A144	6ABB63D55B62044D5439F604E3E0D5AF77F71E10535BB10949E71F743E692D8D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\otFlat[1].json	ASCII text, with very long lines, with CRLF line terminators	A7049025D23AEC458F406F190D31D68C	450BC57E9C44FB45AD7DC826EB523E85B9E05944	101077328E77440ADEE7E27FC9A0A78DEB3EA880426DFFFDA70237CE413388A5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\otPcCenter[1].json	ASCII text, with very long lines, with CRLF line terminators	8EC5B25A65A667DB4AC3872793B7ACD2	6B67117F21B0EF4B08FE81EF482B888396BBB805	F6744A2452B9B3C019786704163C9E6B3C04F3677A7251751AEFD4E6A556B988
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\px[1].gif	GIF image data, version 89a, 1 x 1	AD4B0F606E0F8465BC4C4C170B37E1A3	50B30FD5F87C85FE5CBA2635CB83316CA71250D7	CF4724B2F736ED1A0AE6BC28F1EAD963D9CD2C1FD87B6EF32E7799FC1C5C8BDA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\AAOplZ0[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3	A341DE8211F9AAA3274F87AE237DA039	98CC76C8B07BB05A9072F6C8A856E1B6559933FC	C3BFBBFB362AF8EC74030A5329E23570A6D0AF8D2DD5F0C3623C1B262DEA77ED
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\AAOrA9A[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3	083A5F1CF9896A896C263086C67CEEA2	7BB3D376B099A2ED11223F42597C7A05C6BBCBB1	8EA17856E45657F99D176F1E7661F0CEC64036B6556AAD5D7B9FD82649EB468C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\AAOrsGk[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3	C37C2E4E75E73AACBF968F5B19A51917	1151EE53F3AA5E2E6B10FC6955CED3FE098A0F8B	92ED898470CF64AFB475440A264D9136BAE4221BC121E483CF5AE72C1CB19C73
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB14hq0P[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3	01269B6BB16F7D4753894C9DC4E35D8C	B3EBFE430E1BBC0C951F6B7FB5662FEB69F53DEE	D3E92DB7FBE8DF1B9EA32892AD81853065AD2A68C80C50FB335363A5F24D227D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cEP3G[1].png	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced	18851868AB0A4685C26E2D4C2491B580	0B61A83E40981F65E8317F5C4A5C5087634B465F	C7F0A19554EC6EA6E3C9BD09F3C662C78DC1BF501EBB47287DED74D82AFD1F72
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB7gRE[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	307888C0F03ED874ED5C1D0988888311	D6FB271D70665455A0928A93D2ABD9D9C0F4E309	D59C8ADBE1776B26EB3A85630198D841F1A1B813D02A6D458AF19E9AAD07B29F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB7hg4[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	A4F438CAD14E0E2CA9EEC23174BBD16A	41FC65053363E0EEE16DD286C60BEDE6698D96B3	9D9BCADE7A7F486C0C652C0632F9846FCFD3CC64FEF87E5C4412C677C854E389
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BBY7ARN[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	30801A14BDC1842F543DA129067EA9D8	1900A9E6E1FA79FE3DF5EC8B77A6A24BD9F5FD7F	70BB586490198437FFE06C1F44700A2171290B4D2F2F5B6F3E5037EAEBC968A4
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\cfdbd9[1].png	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced	FE5E6684967766FF6A8AC57500502910	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\checksync[1].htm	HTML document, ASCII text, with very long lines	15AB6EFED5037151C230824221C3D017	14032EF23019158703CBBE4EBCD42CCAEF841F27	0840E026E01293ABCC101F7C4C431CCA529BABBB8F6D83D897DF2047F2E19C67
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\checksync[2].htm	HTML document, ASCII text, with very long lines	15AB6EFED5037151C230824221C3D017	14032EF23019158703CBBE4EBCD42CCAEF841F27	0840E026E01293ABCC101F7C4C431CCA529BABBB8F6D83D897DF2047F2E19C67
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\checksync[3].htm	HTML document, ASCII text, with very long lines	15AB6EFED5037151C230824221C3D017	14032EF23019158703CBBE4EBCD42CCAEF841F27	0840E026E01293ABCC101F7C4C431CCA529BABBB8F6D83D897DF2047F2E19C67
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\checksync[4].htm	HTML document, ASCII text, with very long lines	15AB6EFED5037151C230824221C3D017	14032EF23019158703CBBE4EBCD42CCAEF841F27	0840E026E01293ABCC101F7C4C431CCA529BABBB8F6D83D897DF2047F2E19C67
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\e151e5[1].gif	GIF image data, version 89a, 1 x 1	F8614595FBA50D96389708A4135776E4	D456164972B508172CEE9D1CC06D1EA35CA15C21	7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\http___cdn.taboola.com_libtrc_static_thumbnails_5ac3b539d1cfda83dbe324033737805f[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3	886165EBBB25E2FD2D9AB2C4F3146762	D4B4D36486317A7F57BD12B7574A32BD4EB7CD06	AA7B58D964164238A5A1B7BB72B54025FD48DA2AB9917FE0AEA10818C9CFDAAD
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\iab2Data[1].json	UTF-8 Unicode text, with very long lines, with no line terminators	D76FFE379391B1C7EE0773A842843B7E	772ED93B31A368AE8548D22E72DDE24BB6E3855C	D0EB78606C49FCD41E2032EC6CC6A985041587AAEE3AE15B6D3B693A924F08F2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\location[1].js	ASCII text, with no line terminators	C4F67A4EFC37372559CD375AA74454A3	2B7303240D7CBEF2B7B9F3D22D306CC04CBFBE56	C72856B40493B0C4A9FC25F80A10DFBF268B23B30A07D18AF4783017F54165DE
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\otSDKStub[1].js	ASCII text, with very long lines, with CRLF line terminators	82566994A83436F3BDD00843109068A7	6D28B53651DA278FAE9CFBCEE1B93506A4BCD4A4	450CFBC8F3F760485FBF12B16C2E4E1E9617F5A22354337968DD661D11FFAD1D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\otTCF-ie[1].js	UTF-8 Unicode text, with very long lines, with CRLF line terminators	52F29FAC6C1D2B0BAC8FE5D0AA2F7A15	D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED	E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\1599143076228-3140[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 622x368, frames 3	2343B47650F79F6C20CEA00191EE349F	AB869D68DF372214A5B5EB8D1B3BE909E6BEADA5	67B8F7F0067BEE8B4F358D0A471691BEA73B9335139E86CFA6000784C065BB09
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\2d-0e97d4-185735b[1].css	UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators	24D71CC2CC17F9E0F7167D724347DBA4	4188B4EE11CFDC8EA05E7DA7F475F6A464951E27	4EF29E187222C5E2960E1E265C87AA7DA7268408C3383CC3274D97127F389B22
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\52-478955-68ddb2ab[1].js	UTF-8 Unicode text, with very long lines, with no line terminators	FA58CDF103D2BBB8B254AA62DE24EAAE	FB123CA180B3D653CBC2C9292024441A76954038	D0A148461AC2EDEA975A772CCA5B536C06202117BBF55FB3AAE2477575AD5628
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\55a804ab-e5c6-4b97-9319-86263d365d28[1].json	ASCII text, with very long lines, with no line terminators	8FCB3F61085635194CE5A73516DE39F9	4EF7BB8362EE512BD497C48C168085738EE010C3	CEC95B7811CBF927FD338529A08F6B1BBF12F5B78459D07D15DE92C60C12DD64
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\5a9f9a2b-8e64-4961-b3e5-fd11cf345b01[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3	FC1D5C2BBD7332A2EBFF6AC249421119	B44419370D698680DFBA2AD2A73680B6C1128689	9ACF5AB02B6E483F1B3C6B0A29E6446A2ED2740A2EA86C711BAD80D9133E8C92
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AA3e6zI[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	272AC060E600BD15C7FA44064B5C150F	27C267507F3A73AAD9E3CA593610633A7E8AF773	578548F464A640FC0D8C483A1FDC9399436C27391B17572484416492A5485009
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAOpzgh[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3	00313D1599DB1FB50A343952BFF63434	626800ADAC1C4C401B3AF82D9E64315B15A73C31	B4CFBDDD575224F174E7565F485D0F5635AE717F810E8EF2257721EAA89DDD0A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAOrFGY[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3	6EBB3ACCCFB290E0337E267C575037CE	EFF867D1812AFE049DED89F12E357B8CB786DB5A	4D3737C9ED710A18C627DAE81380E11EF46BB8675EB30550A5F69EC64F400D54
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAOroVg[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3	61ADCE4F13DA1F6E8691BDFFA7122985	D5D5E66172A30CA81E594B1FCFF52C634CF2DD76	E708972410675EDB89BEB11790B9B38E3B6CA0B74B8B06C3E7B1AC940F24004A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAOrsX0[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3	AC06B29D0E39E772D06EE89B67F010F5	9632CA70966D3A98C3E0D72234D14FF47216B3C9	665852486FF3938A0F874E410C4FE77894C66DC6A39E075E53D1F425404E8DD6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAzjSw3[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	2DF6E53A33E3D7D2E401F9FD0B723221	C2E3B5A6FF363BBD31CC6E39CEEC10B67BBBB9E9	3484DE1DF304502392D694F16B843B7E1FF5C3F2FF88C6BCB30B195F34F8AEF3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB10MkbM[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	19B9391F3CA20AA5671834C668105A22	81C2522FC7C808683191D2469426DFC06100F574	3557A603145306F90828FF3EA70902A1822E8B117F4BDF39933A2A413A79399F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB14EN7h[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3	DA6531188AED539AF6EAA0F89912AACF	602244816EA22CBE39BBD4DB386519908745D45C	C719BE5FFC45680FE2A18CDB129E60A48A27A6666231636378918B4344F149F7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BBkwUr[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	01B5E74F991A886215461BF0057008C7	6A7347C3559814722D7AA4D491A0D754E157FCC5	DB8A0C0A44AEE824F689A942D99802F95D7950758CB0739C7F179624A592CD51
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\http___cdn.taboola.com_libtrc_static_thumbnails_7b4dbad0520957f16bd4e3f810f4c883[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3	E150F5DFC8FEBF67ABE61C2494132036	5B6AE976394DC035CC55518F7D469481FDC3EA21	6D49939610DF358E30BF77C9FD4271742E0CCBD5464506298B09FA2999C7BBA6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\https___console.brax-cdn.com_creatives_b9476698-227d-4478-b354-042472d9181c_b4d84d7a-e7a0-4e71-a4e1-288b18f4b1a1_166a74d60a77edc1b295914db4bc79ac[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3	AA0DC1037EF3AB4C187E7ACC5A5AD5CD	A4EE232A7C4033DA282B5E60CD7C864B3757FFC4	290E922508503D37208A8566351E1BAC5A50073D21953F986D62D1AE3D6B49E6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\jquery-2.1.1.min[1].js	ASCII text, with very long lines, with CRLF line terminators	9A094379D98C6458D480AD5A51C4AA27	3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E	B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\medianet[1].htm	HTML document, ASCII text, with very long lines	C3DB41FE6B716BA10C39E5A58C1BA45D	47620AB535092B7AF20C5C262B5646BF758CA708	79A48D772EB1B9C31FF61A58E7E743B816907FD1765F062F89A6876E698F256E
C:\Users\user\AppData\Local\Temp\~DF3E5B0442C91F7FC3.TMP	data	AA7EF85CAA7A4BF74D053932FF8698A1	A766D0E95EF15E6FD0D59F243D1E88235BD7ACC5	0FB4BC0AE7C6C4B6F6DA899A801EFD6F2EC05277B2FBE0BB2AAC03CAA59A90F1
C:\Users\user\AppData\Local\Temp\~DF98125A3D199168E4.TMP	data	DF53265079679F6331F5D9D320468826	A03DE5E6431524DC4AF6CB79DB0B83D7C4198D0D	B8D7511AFD2390403CB201C078E7DEC29EC5139CFE5A77DBC5834F0F8DCE507B
C:\Users\user\AppData\Local\UIPe\SRCORE.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	D02262E4A4A5FAFEF209AD56B9D488A2	61F9F54712E7E2EE5D26694D044B758A5F747FD3	F33539EB86858E520DB8F213B9C441807C5E40124DD98693C390D7BE3C301E48
C:\Users\user\AppData\Local\UIPe\rstrui.exe	PE32+ executable (GUI) x86-64, for MS Windows	3E8AFFA54035412F86663C8B44CAA2E5	FEC456E10294F45D6F8F472A6228D3D90CA6A29C	277341B416424AEA462F74FF03DD1A46DECA687A6751AE9A2D5D5902C03BDE6B
C:\Users\user\AppData\Local\c5BVxaoEy\TAPI32.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	886C18D72DDB2F22F28E90ADB6A92261	FB91007F7DB772465A99D86B5B4D16E6B3E5E17C	1362CCD84006A7BE9F545F511E5AEDB7799DAEA8310DF9EA2B4385EF38CA6F28
C:\Users\user\AppData\Local\c5BVxaoEy\dialer.exe	PE32+ executable (GUI) x86-64, for MS Windows	0EC74656A7F7667DD94C76081B111827	416DA743A7A52CD4204DF396BD11D9DBAE98076A	973389F8F3124B9EF0097909298F53AEFBCE38733FB07D204663B4DD17BEAC4C
C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe	PE32+ executable (GUI) x86-64, for MS Windows	BEAB16FEFCB7F62BBC135FB87DF7FDF2	EAF18190494496329573CAA3F95CACA6EF0FB6F6	E3C66F68737611DFD051F1D6EEB371FDE89B129925A85695B9F90CDE3E04BD96
C:\Users\user\AppData\Local\lFQXVd7\MFC42u.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	3AC1AE9C23111206137C244F138C43D8	E4BA74996F975E33E6D3724AA5D1CBC4A1CE960B	178787F0AE3AFDB19A8CE3ABD6D613DCEEE010CC20A11B68368A49F89C84B2BD
C:\Users\user\AppData\Local\yeShxe\WINMM.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	A177E1222CEC2B9624C8ABEAA8CB5D96	2C0F9640B911A80093F33605DB7A271600BFA566	9CC37C2F755864EA368C0030B2D75D2453220F102449B881C218EA3579733398
C:\Users\user\AppData\Local\yeShxe\mstsc.exe	PE32+ executable (GUI) x86-64, for MS Windows	3FBB5CD8829E9533D0FF5819DB0444C0	A4A6E4E50421E57EA4745BA44568B107A9369447	043870DBAB955C1851E1710D941495357383A08F3F30DD3E3A1945583A85E0CA
C:\Users\user\AppData\Local\zOAoLK\DUI70.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	C2235DE4F2398B177D7D9F60942D1925	3A80FADD5E446EA6EF1E3ED69CC3E4FAF6CAB271	20C654E9F7785C119448CD4922E1515ADF028E0BBCBBF0939B6A849AD3338543
C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe	PE32+ executable (GUI) x86-64, for MS Windows	CB8FE4DA1AF43E62BAA6A4CBE0A93A74	A6356AA06F7F276E41A7CE715CF72B1A9AB099E9	CC02E27203370158394916CDB66DB92137A4E98A01E8AF05945C5C4443719112
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a	data	4B8C1389EB48AF9862F2738BB9637FF1	11DBABE58993C2AB3E610D8DD54246EC535475B6	571394D47CF04875683F59BAEF48D2CDC8BB08DA344EACAE9DEA008F002B5931

Windows Analysis Report 3FLps29lWm

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs