Windows Analysis Report Bccw1xUJah

Overview

General Information

Sample Name: Bccw1xUJah (renamed file extension from none to dll)
Analysis ID: 533066
MD5: fbe56ca46b61fa3008caa98e6f4a917a
SHA1: ec752c16c271384004ad3dc4a25d6fbf52b2bcb8
SHA256: a46566a9cae02c1b04da80f4ff402727eb41ed0d8c0ab8f837a10d68cfa4f61b
Tags: 32, dll, exe, trojan
Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Changes security center settings (notifications, updates, antivirus, firewall)
Sigma detected: Suspicious Svchost Process
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
AV process strings found (often used to terminate AV products)
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Registers a DLL
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Bccw1xUJah.dll Virustotal: Detection: 10%

Compliance:

Uses 32bit PE files
Source: Bccw1xUJah.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49813 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49822 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.5:49825 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49834 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49836 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49835 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.104.227.98:443 -> 192.168.2.5:49881 version: TLS 1.2
Source: Bccw1xUJah.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337021751.0000000003024000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.336893374.000000000303F000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337276806.0000000003024000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001A.00000003.337195624.000000000302A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337050232.000000000302A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.336824489.0000000003044000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001A.00000003.337195624.000000000302A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337050232.000000000302A000.00000004.00000001.sdmp
Source: Binary string: 2\loaddll32.pdbad source: WerFault.exe, 0000001A.00000002.358937567.0000000002F66000.00000004.00000020.sdmp
Source: Binary string: aXjjr[jCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000001A.00000002.357838123.00000000006D2000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001A.00000003.337004820.000000000301E000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337362299.000000000301E000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000001A.00000003.337021751.0000000003024000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337276806.0000000003024000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp
Source: Binary string: 2\loaddll32.pdb source: WerFault.exe, 0000001A.00000002.358937567.0000000002F66000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001A.00000003.337004820.000000000301E000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337362299.000000000301E000.00000004.00000001.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 172.104.227.98 187
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
GET /fcNtqWRYEAvIh HTTP/1.1
Cookie: wFFCSxt=KroKbMrLxdquGLAVpD8mzOTL6+CJEBylxML8+8LJKbm2NFSJfWyg+Ob4gDvMFIJSB8JkauSCmzenkWfybqLjINgruWQ9hyEz6LBdkvbPAZKalyvPo/EjstrhYIOzCYE0U9F6ESIQNH6mPBh1c7AWHgfaTWG0bJf0yIMhiqP3oKSNSNHW+RMKCwRHRmh4DzBf2Vp20YcxrDb6uOijN0eQ3rjnJQu9vDXRscGluLYAx9sKze0sCBY=
Host: 172.104.227.98
Connection: Keep-Alive
Cache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: de-ch[1].htm.6.dr String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: svchost.exe, 00000027.00000003.566412362.000001E8CC986000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 00000027.00000003.566412362.000001E8CC986000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 00000027.00000003.566412362.000001E8CC986000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.566510464.000001E8CC997000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO
","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-26T13:57:30.0386475Z||.||6f0c105d-3db6-47de-894d-fd95973349e2||1152921505694224549||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: de-ch[1].htm.6.dr String found in binary or memory: <a href="https://www.linkedin.com:443/news/story/gibt-es-einen-impfstoffmangel-5630362/?li=BBqfZdV" > equals www.linkedin.com (Linkedin)
Source: msapplication.xml0.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xceabfacf,0x01d7e821</date><accdate>0xcee9f868,0x01d7e821</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xd34ab932,0x01d7e821</date><accdate>0xd3db91dd,0x01d7e821</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xd6097753,0x01d7e821</date><accdate>0xd7671fa9,0x01d7e821</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.6.dr String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//browser.events.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//browser.events.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.6.dr String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 
48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
Source: svchost.exe, 00000008.00000002.610199490.000002244F061000.00000004.00000001.sdmp, rundll32.exe, 0000001C.00000002.780038722.0000000003001000.00000004.00000001.sdmp, rundll32.exe, 0000001C.00000003.394092684.0000000003001000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.584221057.000001E8CC0E5000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000008.00000002.610070711.000002244F010000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.584221057.000001E8CC0E5000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000027.00000003.561364744.000001E8CC98B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561483074.000001E8CC9CC000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561528540.000001E8CC9AC000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561262978.000001E8CC97A000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561228372.000001E8CC969000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561583760.000001E8CC969000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: de-ch[1].htm.6.dr String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.6.dr String found in binary or memory: http://ogp.me/ns/fb#
Source: auction[2].htm.6.dr String found in binary or memory: http://popup.taboola.com/german
Source: svchost.exe, 00000008.00000003.608975714.0000022449AB0000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.609831427.0000022449AB0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.m
Source: svchost.exe, 00000008.00000003.608975714.0000022449AB0000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.609831427.0000022449AB0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.
Source: svchost.exe, 00000008.00000003.608975714.0000022449AB0000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.609831427.0000022449AB0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/E
Source: {EDD38173-5414-11EC-90E5-ECF4BB570DC9}.dat.4.dr, ~DFA7B565ABAC8E893D.TMP.4.dr String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: imagestore.dat.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: Amcache.hve.26.dr String found in binary or memory: http://upx.sf.net
Source: msapplication.xml.4.dr String found in binary or memory: http://www.amazon.com/
Source: svchost.exe, 0000000C.00000002.313031457.000002650A613000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: msapplication.xml1.4.dr String found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.4.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.4.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.4.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.4.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.4.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.4.dr String found in binary or memory: http://www.youtube.com/
Source: svchost.exe, 0000000A.00000002.776359886.0000025575440000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000A.00000002.776359886.0000025575440000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000A.00000002.776359886.0000025575440000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000002.776359886.0000025575440000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.comr
Source: de-ch[1].htm.6.dr String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[2].htm.6.dr String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&amp;ap
Source: svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: de-ch[1].htm.6.dr String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.dr String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/oneTrust/1.2/consent/55a804ab-e5c6-4b97-9319-86263d36
Source: svchost.exe, 0000000A.00000002.776359886.0000025575440000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: de-ch[1].htm.6.dr String found in binary or memory: https://browser.events.data.msn.com/OneCollector/1.0/t.js?qsp=true&anoncknm=%22%22&name=%22MS.News.W
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: de-ch[1].htm.6.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
Source: de-ch[1].htm.6.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.6.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=273363&amp;a=3064090&amp;g=24940322
Source: de-ch[1].htm.6.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&amp;a=3064090&amp;g=24886692
Source: svchost.exe, 0000000A.00000002.776359886.0000025575440000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: ~DFA7B565ABAC8E893D.TMP.4.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.6.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.6.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
Source: de-ch[1].htm.6.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
Source: {EDD38173-5414-11EC-90E5-ECF4BB570DC9}.dat.4.dr, ~DFA7B565ABAC8E893D.TMP.4.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {EDD38173-5414-11EC-90E5-ECF4BB570DC9}.dat.4.dr, ~DFA7B565ABAC8E893D.TMP.4.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000002.313433897.000002650A65D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.313239402.000002650A63C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000002.313433897.000002650A65D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000002.313816759.000002650A66B000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310455934.000002650A669000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000003.311802229.000002650A647000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.313308712.000002650A64E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310976949.000002650A641000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000002.313239402.000002650A63C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000C.00000002.313433897.000002650A65D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.313239402.000002650A63C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000C.00000003.288500837.000002650A630000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000002.313275180.000002650A643000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.312008347.000002650A642000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310976949.000002650A641000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000C.00000002.313275180.000002650A643000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.312008347.000002650A642000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310976949.000002650A641000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000002.313433897.000002650A65D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310976949.000002650A641000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000027.00000003.561364744.000001E8CC98B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561483074.000001E8CC9CC000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561528540.000001E8CC9AC000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561262978.000001E8CC97A000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561228372.000001E8CC969000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561583760.000001E8CC969000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: iab2Data[2].json.6.dr String found in binary or memory: https://doceree.com/.well-known/deviceStorage.json
Source: iab2Data[2].json.6.dr String found in binary or memory: https://doceree.com/us-privacy-policy/
Source: svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000002.313433897.000002650A65D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000002.313433897.000002650A65D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.310976949.000002650A641000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.313239402.000002650A63C000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.288500837.000002650A630000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: iab2Data[2].json.6.dr String found in binary or memory: https://evorra.com/product-privacy-policy/
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: auction[2].htm.6.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1638488543&amp;rver=7.0.6730.0&am
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/logout.srf?ct=1638488544&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1638488543&amp;rver=7.0.6730.0&amp;w
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://msasg.visualstudio.com/Shared%20Data/_git/1DS.JavaScript?version=GBnubenja%2Fcustom-package
Source: iab2Data[2].json.6.dr String found in binary or memory: https://nextmillennium.io/privacy-policy/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.6.dr String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: iab2Data[2].json.6.dr String found in binary or memory: https://optimise-it.de/datenschutz
Source: de-ch[1].htm.6.dr String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.6.dr String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
Source: {EDD38173-5414-11EC-90E5-ECF4BB570DC9}.dat.4.dr, ~DFA7B565ABAC8E893D.TMP.4.dr String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.6.dr String found in binary or memory: https://secure.adnxs.com/clktrb?id=764680&amp;t=1
Source: iab2Data[2].json.6.dr String found in binary or memory: https://silvermob.com/privacy
Source: iab2Data[2].json.6.dr String found in binary or memory: https://smartyads.com/privacy-policy
Source: de-ch[1].htm.6.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
Source: de-ch[1].htm.6.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.6.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
Source: imagestore.dat.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AARlHk9.img?h=368&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://support.skype.com
Source: svchost.exe, 0000000C.00000002.313239402.000002650A63C000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.313031457.000002650A613000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.313239402.000002650A63C000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.288500837.000002650A630000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.311983863.000002650A657000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000002.313239402.000002650A63C000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000C.00000002.313212745.000002650A639000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.288500837.000002650A630000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000C.00000002.313275180.000002650A643000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.312008347.000002650A642000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310976949.000002650A641000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen19
Source: de-ch[1].htm.6.dr String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: iab2Data[2].json.6.dr String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: iab2Data[2].json.6.dr String found in binary or memory: https://www.botman.ninja/privacy-policy
Source: svchost.exe, 00000027.00000003.561364744.000001E8CC98B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561483074.000001E8CC9CC000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561528540.000001E8CC9AC000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561262978.000001E8CC97A000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561228372.000001E8CC969000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561583760.000001E8CC969000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000027.00000003.561364744.000001E8CC98B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561483074.000001E8CC9CC000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561528540.000001E8CC9AC000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561262978.000001E8CC97A000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561228372.000001E8CC969000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561583760.000001E8CC969000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.ebay.ch/?mkcid=1&amp;mkrid=5222-53480-19255-0&amp;siteid=193&amp;campid=5338626668&amp;t
Source: imagestore.dat.6.dr String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.linkedin.com:443/news/story/gibt-es-einen-impfstoffmangel-5630362/?li=BBqfZdV
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DFA7B565ABAC8E893D.TMP.4.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/ab-2025-gibt-es-einarmige-banditen-und-roulette-in-der-lokstadt
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/altkleider-nur-noch-in-stadtz%c3%bcrcher-sammelstellen/ar-AARos
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/die-provisorische-kantonsschule-auf-dem-irchel-kann-2024-starte
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/erste-best%c3%a4tigte-ansteckung-zwei-weitere-verdachtsf%c3%a4l
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/kanton-best%c3%a4tigt-ersten-omikron-fall-in-z%c3%bcrich/ar-AAR
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/kanton-verteidigt-finanzielle-beteiligung-am-kunstprojekt/ar-AA
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/lage-dramatisch-zugespitzt-%c3%b6v-in-winterthur-wird-teilweise
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/traurig-und-primitiv-rettungswagen-w%c3%a4hrend-einsatz-verspra
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/wird-etwas-enger-im-bus-werden-die-kapazit%c3%a4t-aber-stemmen-
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrich-zahlt-f%c3%bcr-gr%c3%bcne-hausw%c3%a4nde/ar-AARnq3Z
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
Source: iab2Data[2].json.6.dr String found in binary or memory: https://www.onlineumfragen.com/3index_2010_agb.cfm
Source: iab2Data[2].json.6.dr String found in binary or memory: https://www.queryclick.com/privacy-policy
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[2].json.6.dr String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[2].json.6.dr String found in binary or memory: https://www.stroeer.de/ssp-datenschutz
Source: iab2Data[2].json.6.dr String found in binary or memory: https://www.stroeer.de/werben-mit-stroeer/onlinewerbung/programmatic-data/sdi-datenschutz-b2c
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: svchost.exe, 00000027.00000003.562574198.000001E8CC986000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/
Source: svchost.exe, 00000027.00000003.562687164.000001E8CCE02000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.562492489.000001E8CC9AE000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.562433438.000001E8CC9AE000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.562624515.000001E8CC997000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.562574198.000001E8CC986000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.tippsundtricks.co/gesundheit/stueck-seife-bettwasche/?utm_campaign=DECH-bedsoap&amp;utm_
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.tippsundtricks.co/lifehacks/kochendes-wasser-auto/?utm_campaign=DECH-cardent&amp;utm_sou
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.tippsundtricks.co/lifehacks/schwamm-kuhlschrank/?utm_campaign=DECH-schwamm&amp;utm_sourc
Source: unknown DNS traffic detected: queries for: www.msn.com
Source: global traffic HTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: btloader.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /px.gif?ch=1&e=0.038705726061928736 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad-delivery.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad.doubleclick.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fd3afd4e88e658af134b18abda7a3ae2a.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F2b0a39109a3b849d0b2174b409fe1c7f.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fimages%2Fb21b558d-9496-4eb0-b10c-21d698be8cbf_1000x600.jpeg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /fcNtqWRYEAvIh HTTP/1.1Cookie: wFFCSxt=KroKbMrLxdquGLAVpD8mzOTL6+CJEBylxML8+8LJKbm2NFSJfWyg+Ob4gDvMFIJSB8JkauSCmzenkWfybqLjINgruWQ9hyEz6LBdkvbPAZKalyvPo/EjstrhYIOzCYE0U9F6ESIQNH6mPBh1c7AWHgfaTWG0bJf0yIMhiqP3oKSNSNHW+RMKCwRHRmh4DzBf2Vp20YcxrDb6uOijN0eQ3rjnJQu9vDXRscGluLYAx9sKze0sCBY=Host: 172.104.227.98Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49813 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49822 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.5:49825 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49834 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49836 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49835 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.104.227.98:443 -> 192.168.2.5:49881 version: TLS 1.2

System Summary:

Uses 32bit PE files
Source: Bccw1xUJah.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4252 -ip 4252
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Frzzoul\kwwohiulewmulvk.tlr:Zone.Identifier Jump to behavior
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Frzzoul\ Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001CFAA 0_2_1001CFAA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002800 0_2_10002800
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000BC07 0_2_1000BC07
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001000D 0_2_1001000D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10020C0C 0_2_10020C0C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10004A13 0_2_10004A13
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10016015 0_2_10016015
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000FE15 0_2_1000FE15
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000F217 0_2_1000F217
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002617 0_2_10002617
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001BE1F 0_2_1001BE1F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000DC24 0_2_1000DC24
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10010C2F 0_2_10010C2F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10021033 0_2_10021033
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10007E3E 0_2_10007E3E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10008650 0_2_10008650
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10005651 0_2_10005651
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001EC5A 0_2_1001EC5A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10017679 0_2_10017679
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002C79 0_2_10002C79
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001B278 0_2_1001B278
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000C87E 0_2_1000C87E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001C47E 0_2_1001C47E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10013682 0_2_10013682
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001A288 0_2_1001A288
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000C29B 0_2_1000C29B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001F0A7 0_2_1001F0A7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10022EA4 0_2_10022EA4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000A4AA 0_2_1000A4AA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001D8AD 0_2_1001D8AD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100202B3 0_2_100202B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10019EB5 0_2_10019EB5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10016ACA 0_2_10016ACA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100044D2 0_2_100044D2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10010ED9 0_2_10010ED9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100108D9 0_2_100108D9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001B6DB 0_2_1001B6DB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000CADE 0_2_1000CADE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001EE2 0_2_10001EE2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001E2E4 0_2_1001E2E4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100060E8 0_2_100060E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000D4EE 0_2_1000D4EE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000D8F0 0_2_1000D8F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000A6F7 0_2_1000A6F7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100088FC 0_2_100088FC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10011EFC 0_2_10011EFC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10020701 0_2_10020701
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001F90C 0_2_1001F90C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001EB0F 0_2_1001EB0F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001A712 0_2_1001A712
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002317 0_2_10002317
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001FB22 0_2_1001FB22
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10014F2A 0_2_10014F2A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10007931 0_2_10007931
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10013B36 0_2_10013B36
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001713E 0_2_1001713E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000CD42 0_2_1000CD42
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10007549 0_2_10007549
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001514C 0_2_1001514C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000C551 0_2_1000C551
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001C962 0_2_1001C962
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000BD63 0_2_1000BD63
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000416C 0_2_1000416C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002196C 0_2_1002196C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000E16F 0_2_1000E16F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001B70 0_2_10001B70
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10008B74 0_2_10008B74
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10012378 0_2_10012378
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001177E 0_2_1001177E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10020588 0_2_10020588
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001058C 0_2_1001058C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10021FA6 0_2_10021FA6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100093A7 0_2_100093A7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10009DA8 0_2_10009DA8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000A1AA 0_2_1000A1AA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100231BA 0_2_100231BA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100065BD 0_2_100065BD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100227CB 0_2_100227CB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100165CD 0_2_100165CD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10008FCE 0_2_10008FCE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000B9D5 0_2_1000B9D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000ADD9 0_2_1000ADD9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100057E6 0_2_100057E6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100179EC 0_2_100179EC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10013FF3 0_2_10013FF3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000FBF7 0_2_1000FBF7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10017FFB 0_2_10017FFB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000D1FD 0_2_1000D1FD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE53ED7 2_2_6EE53ED7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE2EE70 2_2_6EE2EE70
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE53FF7 2_2_6EE53FF7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE42F91 2_2_6EE42F91
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE3CDCD 2_2_6EE3CDCD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE32D30 2_2_6EE32D30
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EDD9AD0 2_2_6EDD9AD0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE3CB9B 2_2_6EE3CB9B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE32800 2_2_6EE32800
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE3C969 2_2_6EE3C969
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE32580 2_2_6EE32580
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE4F599 2_2_6EE4F599
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE42040 2_2_6EE42040
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE3D02A 2_2_6EE3D02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE53ED7 3_2_6EE53ED7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE2EE70 3_2_6EE2EE70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE53FF7 3_2_6EE53FF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE42F91 3_2_6EE42F91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE3CDCD 3_2_6EE3CDCD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE32D30 3_2_6EE32D30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EDD9AD0 3_2_6EDD9AD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE3CB9B 3_2_6EE3CB9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE32800 3_2_6EE32800
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE3C969 3_2_6EE3C969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE32580 3_2_6EE32580
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE4F599 3_2_6EE4F599
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE42040 3_2_6EE42040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE3D02A 3_2_6EE3D02A
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 6EE3EEBE appears 60 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 6EDCFEF0 appears 322 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 6EE374F0 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EE3EEBE appears 63 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EDCFEF0 appears 322 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EE374F0 appears 36 times
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: Bccw1xUJah.dll Virustotal: Detection: 10%
Source: Bccw1xUJah.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Bccw1xUJah.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Bccw1xUJah.dll,DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Bccw1xUJah.dll,_opj_codec_set_threads@8
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Bccw1xUJah.dll,_opj_create_compress@4
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Frzzoul\kwwohiulewmulvk.tlr",MlQLn
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4252 -ip 4252
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 272
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Frzzoul\kwwohiulewmulvk.tlr",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Bccw1xUJah.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Bccw1xUJah.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Bccw1xUJah.dll,_opj_codec_set_threads@8
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Bccw1xUJah.dll,_opj_create_compress@4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Frzzoul\kwwohiulewmulvk.tlr",MlQLn
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Frzzoul\kwwohiulewmulvk.tlr",DllRegisterServer
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4252 -ip 4252
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 272
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EDD38171-5414-11EC-90E5-ECF4BB570DC9}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF1A577BCFE6731D96.TMP
Source: classification engine Classification label: mal68.evad.winDLL@49/135@12/7
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",#1
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4252
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:6436:64:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6760:120:WilError_01
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Bccw1xUJah.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Bccw1xUJah.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337021751.0000000003024000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.336893374.000000000303F000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337276806.0000000003024000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001A.00000003.337195624.000000000302A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337050232.000000000302A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.336824489.0000000003044000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001A.00000003.337195624.000000000302A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337050232.000000000302A000.00000004.00000001.sdmp
Source: Binary string: 2\loaddll32.pdbad source: WerFault.exe, 0000001A.00000002.358937567.0000000002F66000.00000004.00000020.sdmp
Source: Binary string: aXjjr[jCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000001A.00000002.357838123.00000000006D2000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001A.00000003.337004820.000000000301E000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337362299.000000000301E000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000001A.00000003.337021751.0000000003024000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337276806.0000000003024000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp
Source: Binary string: 2\loaddll32.pdb source: WerFault.exe, 0000001A.00000002.358937567.0000000002F66000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001A.00000003.337004820.000000000301E000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337362299.000000000301E000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000176C push ebp; iretd 0_2_1000176D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE36FA1 push ecx; ret 2_2_6EE36F9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE36FA1 push ecx; ret 3_2_6EE36F9F
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EDCDA40 task,task,VirtualProtect,LoadLibraryA,GetProcAddress,GetProcAddress,task,task, 2_2_6EDCDA40
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Bccw1xUJah.dll

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Frzzoul\kwwohiulewmulvk.tlr

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Frzzoul\kwwohiulewmulvk.tlr:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Rjhfn\nedaia.mzt:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6316 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6380 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3060 Thread sleep time: -180000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.26.dr Binary or memory string: VMware
Source: Amcache.hve.26.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.26.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.26.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.26.dr Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000008.00000002.610199490.000002244F061000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: Amcache.hve.26.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.26.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.26.dr Binary or memory string: VMware7,1
Source: Amcache.hve.26.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.26.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.26.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000008.00000002.610166029.000002244F04B000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.609607784.0000022449A29000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.584018650.000001E8CC071000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.584221057.000001E8CC0E5000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.584171087.000001E8CC0D4000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.26.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.26.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.26.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.26.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.26.dr Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: svchost.exe, 0000000A.00000002.776806397.0000025575468000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.775698066.000001871A629000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.26.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE3AABA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6EE3AABA
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EDCDA40 task,task,VirtualProtect,LoadLibraryA,GetProcAddress,GetProcAddress,task,task, 2_2_6EDCDA40
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10011E59 mov eax, dword ptr fs:[00000030h] 0_2_10011E59
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE3A991 mov eax, dword ptr fs:[00000030h] 2_2_6EE3A991
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE440D3 mov eax, dword ptr fs:[00000030h] 2_2_6EE440D3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE4408F mov eax, dword ptr fs:[00000030h] 2_2_6EE4408F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE44104 mov eax, dword ptr fs:[00000030h] 2_2_6EE44104
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE3A991 mov eax, dword ptr fs:[00000030h] 3_2_6EE3A991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE440D3 mov eax, dword ptr fs:[00000030h] 3_2_6EE440D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE4408F mov eax, dword ptr fs:[00000030h] 3_2_6EE4408F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE44104 mov eax, dword ptr fs:[00000030h] 3_2_6EE44104
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10010E34 LdrInitializeThunk, 0_2_10010E34
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE3AABA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6EE3AABA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE3624F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6EE3624F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE37375 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6EE37375
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE3AABA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6EE3AABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE3624F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6EE3624F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EE37375 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6EE37375

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 172.104.227.98 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4252 -ip 4252
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 272
Source: rundll32.exe, 0000001C.00000002.780381837.0000000003420000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000001C.00000002.780381837.0000000003420000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 0000001C.00000002.780381837.0000000003420000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: rundll32.exe, 0000001C.00000002.780381837.0000000003420000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 0000001C.00000002.780381837.0000000003420000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_6EE51EAD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW, 2_2_6EE44DE4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_6EE4480E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_6EE5280E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_6EE52639
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_6EE52235
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_6EE5219A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_6EE5214F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6EE51EAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6EE44DE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6EE4480E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6EE5280E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6EE52639
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6EE52235
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6EE5219A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6EE5214F
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE370CB cpuid 2_2_6EE370CB
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6EE3729C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_6EE3729C

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.26.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.26.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 0000000E.00000002.775805030.000002C56A83D000.00000004.00000001.sdmp Binary or memory string: "@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.776042037.000002C56A902000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe