Windows Analysis Report mATFWhYtPk

Overview

General Information

Sample Name: mATFWhYtPk (renamed file extension from none to dll)
Analysis ID: 533067
MD5: 70798426016c93e3d52363c8a902333f
SHA1: 02f29a5c7e7f8230b86d26b36757c1aaa968dde7
SHA256: 5e3bcb83c60c7d06d42822afe1d36c3b0f866ef678935c5903cda936009713a1
Tags: 32, dll, exe, trojan

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Registers a DLL
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

AV Detection:

Multi AV Scanner detection for submitted file
Source: mATFWhYtPk.dll Virustotal: Detection: 25%

Compliance:

Uses 32bit PE files
Source: mATFWhYtPk.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 23.211.6.95:443 -> 192.168.2.6:49786 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.211.6.95:443 -> 192.168.2.6:49787 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.211.6.95:443 -> 192.168.2.6:49792 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.211.6.95:443 -> 192.168.2.6:49791 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.211.6.95:443 -> 192.168.2.6:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.211.6.95:443 -> 192.168.2.6:49803 version: TLS 1.2
Source: mATFWhYtPk.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F22B531 FindFirstFileExA, 2_2_6F22B531
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F22B531 FindFirstFileExA, 3_2_6F22B531

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 23.211.6.95
Source: unknown DNS traffic detected: queries for: www.msn.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F205FB0 GetOpenClipboardWindow,CreateMenu,GetCursor,GetOpenClipboardWindow,GetCurrentProcess,GetCurrentThreadId,CreateMenu,GetOpenClipboardWindow,GetCurrentThreadId, 2_2_6F205FB0

System Summary:

Uses 32bit PE files
Source: mATFWhYtPk.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Uexmfpkplvbbrf\jerrpf.tlt:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Uexmfpkplvbbrf\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FC33B5 3_2_02FC33B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FCB7B7 3_2_02FCB7B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FDF1AF 3_2_02FDF1AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FD6DA4 3_2_02FD6DA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FDCFA1 3_2_02FDCFA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FCEBA2 3_2_02FCEBA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FD5198 3_2_02FD5198
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FDA797 3_2_02FDA797
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FC7990 3_2_02FC7990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FCED92 3_2_02FCED92
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FC5D88 3_2_02FC5D88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FDB587 3_2_02FDB587
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FC7582 3_2_02FC7582
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FD8D7C 3_2_02FD8D7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FCA17E 3_2_02FCA17E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FCAD68 3_2_02FCAD68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FC4D6B 3_2_02FC4D6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FC7361 3_2_02FC7361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FD2963 3_2_02FD2963
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FD3158 3_2_02FD3158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FCB354 3_2_02FCB354
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FDE554 3_2_02FDE554
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FDDD54 3_2_02FDDD54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FC2756 3_2_02FC2756
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FD7D4C 3_2_02FD7D4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FD114E 3_2_02FD114E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FDAF4E 3_2_02FDAF4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FD2B4A 3_2_02FD2B4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FC2D46 3_2_02FC2D46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FDE31F 3_2_02FDE31F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FC1914 3_2_02FC1914
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FC610E 3_2_02FC610E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FD7900 3_2_02FD7900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FD8103 3_2_02FD8103
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F206530 3_2_6F206530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F205900 3_2_6F205900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F20E660 3_2_6F20E660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F212C20 3_2_6F212C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F221C80 3_2_6F221C80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F202C90 3_2_6F202C90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F21FC91 3_2_6F21FC91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F234CE0 3_2_6F234CE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F209320 3_2_6F209320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F22FB69 3_2_6F22FB69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F234BB3 3_2_6F234BB3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F22AA20 3_2_6F22AA20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F21C25A 3_2_6F21C25A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F2312EC 3_2_6F2312EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F21C032 3_2_6F21C032
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03017900 5_2_03017900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03002D46 5_2_03002D46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301114E 5_2_0301114E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03013158 5_2_03013158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300A17E 5_2_0300A17E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03005D88 5_2_03005D88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301F1AF 5_2_0301F1AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300601A 5_2_0300601A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300A02A 5_2_0300A02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300562B 5_2_0300562B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301E05C 5_2_0301E05C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03016A6B 5_2_03016A6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301C879 5_2_0301C879
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301D88A 5_2_0301D88A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_030122BB 5_2_030122BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301C6D9 5_2_0301C6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03018103 5_2_03018103
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300610E 5_2_0300610E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03001914 5_2_03001914
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301E31F 5_2_0301E31F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03012B4A 5_2_03012B4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03017D4C 5_2_03017D4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301AF4E 5_2_0301AF4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300B354 5_2_0300B354
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301E554 5_2_0301E554
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301DD54 5_2_0301DD54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03002756 5_2_03002756
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03007361 5_2_03007361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03012963 5_2_03012963
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300AD68 5_2_0300AD68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03004D6B 5_2_03004D6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03018D7C 5_2_03018D7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03007582 5_2_03007582
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301B587 5_2_0301B587
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03007990 5_2_03007990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300ED92 5_2_0300ED92
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301A797 5_2_0301A797
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03015198 5_2_03015198
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301CFA1 5_2_0301CFA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300EBA2 5_2_0300EBA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03016DA4 5_2_03016DA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_030033B5 5_2_030033B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300B7B7 5_2_0300B7B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301E9BB 5_2_0301E9BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300E3C6 5_2_0300E3C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_030135DB 5_2_030135DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03014BDA 5_2_03014BDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300FDE3 5_2_0300FDE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_030031E4 5_2_030031E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300DBE7 5_2_0300DBE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_030175F1 5_2_030175F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300F1F6 5_2_0300F1F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301C400 5_2_0301C400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03019209 5_2_03019209
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03011E11 5_2_03011E11
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300C227 5_2_0300C227
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03013C28 5_2_03013C28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301EC30 5_2_0301EC30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301CE32 5_2_0301CE32
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300A833 5_2_0300A833
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301AC3D 5_2_0301AC3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300F443 5_2_0300F443
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03018851 5_2_03018851
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03014E55 5_2_03014E55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301D454 5_2_0301D454
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03010660 5_2_03010660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03021E60 5_2_03021E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03020E72 5_2_03020E72
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03004871 5_2_03004871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03009082 5_2_03009082
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301988A 5_2_0301988A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03015C8A 5_2_03015C8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03013AA0 5_2_03013AA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03010AA8 5_2_03010AA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300B0AC 5_2_0300B0AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301B2B8 5_2_0301B2B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_030140BB 5_2_030140BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03011ABD 5_2_03011ABD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300D2C4 5_2_0300D2C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03001EC4 5_2_03001EC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300E6CA 5_2_0300E6CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300B8CA 5_2_0300B8CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03015ECA 5_2_03015ECA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_030170D1 5_2_030170D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_030076EE 5_2_030076EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0301AAF3 5_2_0301AAF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_030068F2 5_2_030068F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_030156F8 5_2_030156F8
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 6F214EB0 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6F214EB0 appears 46 times
Sample file is different than original file name gathered from version info
Source: mATFWhYtPk.dll Binary or memory string: OriginalFilenameZqutyyvlsw.dll6 vs mATFWhYtPk.dll
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: mATFWhYtPk.dll Virustotal: Detection: 25%
Source: mATFWhYtPk.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\mATFWhYtPk.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mATFWhYtPk.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\mATFWhYtPk.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mATFWhYtPk.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mATFWhYtPk.dll,DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5868 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mATFWhYtPk.dll,asbiqstaeqzsycc
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mATFWhYtPk.dll,atwuhkycfybkj
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mATFWhYtPk.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mATFWhYtPk.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uexmfpkplvbbrf\jerrpf.tlt",SfMITlqpKAP
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mATFWhYtPk.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mATFWhYtPk.dll",DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mATFWhYtPk.dll",DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mATFWhYtPk.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\mATFWhYtPk.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mATFWhYtPk.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mATFWhYtPk.dll,asbiqstaeqzsycc
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mATFWhYtPk.dll,atwuhkycfybkj
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mATFWhYtPk.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mATFWhYtPk.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mATFWhYtPk.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mATFWhYtPk.dll",DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5868 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uexmfpkplvbbrf\jerrpf.tlt",SfMITlqpKAP
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mATFWhYtPk.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mATFWhYtPk.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F0A62C4E-5414-11EC-90E5-ECF4BB2D2496}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF4AB291A385B95D5D.TMP
Source: classification engine Classification label: mal56.evad.winDLL@30/114@6/2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F20AEB0 CoCreateInstance,OleRun, 2_2_6F20AEB0
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mATFWhYtPk.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F20DC50 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary, 2_2_6F20DC50
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: mATFWhYtPk.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: mATFWhYtPk.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mATFWhYtPk.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mATFWhYtPk.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mATFWhYtPk.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mATFWhYtPk.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F214F00 push ecx; ret 2_2_6F214F13
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F236451 push ecx; ret 2_2_6F236464
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F214F00 push ecx; ret 3_2_6F214F13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F236451 push ecx; ret 3_2_6F236464
PE file contains an invalid checksum
Source: mATFWhYtPk.dll Static PE information: real checksum: 0x72da1 should be: 0x76fac
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\mATFWhYtPk.dll

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Uexmfpkplvbbrf\jerrpf.tlt

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Uexmfpkplvbbrf\jerrpf.tlt:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006F206570 second address: 000000006F2065AB instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+000000F8h], ecx 0x0000000a test edx, edx 0x0000000c jne 00007F7710B8F397h 0x0000000e mov dword ptr [esp+14h], 0B8FEA98h 0x00000016 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006F207835 second address: 000000006F207863 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F7710CF3C41h 0x0000000a mov ebx, 05F1FEE1h 0x0000000f rdtscp
Source: C:\Windows\SysWOW64\regsvr32.exe RDTSC instruction interceptor: First address: 000000006F206570 second address: 000000006F2065AB instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+000000F8h], ecx 0x0000000a test edx, edx 0x0000000c jne 00007F7710B8F397h 0x0000000e mov dword ptr [esp+14h], 0B8FEA98h 0x00000016 rdtscp
Source: C:\Windows\SysWOW64\regsvr32.exe RDTSC instruction interceptor: First address: 000000006F207835 second address: 000000006F207863 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F7710CF3C41h 0x0000000a mov ebx, 05F1FEE1h 0x0000000f rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006F206570 second address: 000000006F2065AB instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+000000F8h], ecx 0x0000000a test edx, edx 0x0000000c jne 00007F7710B8F397h 0x0000000e mov dword ptr [esp+14h], 0B8FEA98h 0x00000016 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006F207835 second address: 000000006F207863 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F7710CF3C41h 0x0000000a mov ebx, 05F1FEE1h 0x0000000f rdtscp
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6928 Thread sleep time: -30000s >= -30000s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F206530 rdtscp 2_2_6F206530
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F22B531 FindFirstFileExA, 2_2_6F22B531
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F22B531 FindFirstFileExA, 3_2_6F22B531
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 0000000C.00000002.911297448.0000020000062000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 0000000C.00000002.896576932.000001FFFEA29000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.911279592.000002000004A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F214D87 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6F214D87
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F21736C GetProcessHeap,HeapFree, 2_2_6F21736C
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F206530 rdtscp 2_2_6F206530
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00A6DB4C mov eax, dword ptr fs:[00000030h] 0_2_00A6DB4C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F206530 mov eax, dword ptr fs:[00000030h] 2_2_6F206530
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F206530 mov eax, dword ptr fs:[00000030h] 2_2_6F206530
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F224E12 mov eax, dword ptr fs:[00000030h] 2_2_6F224E12
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F22B306 mov eax, dword ptr fs:[00000030h] 2_2_6F22B306
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F217254 mov esi, dword ptr fs:[00000030h] 2_2_6F217254
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F2079C0 mov eax, dword ptr fs:[00000030h] 2_2_6F2079C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02FCDB4C mov eax, dword ptr fs:[00000030h] 3_2_02FCDB4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F206530 mov eax, dword ptr fs:[00000030h] 3_2_6F206530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F206530 mov eax, dword ptr fs:[00000030h] 3_2_6F206530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F224E12 mov eax, dword ptr fs:[00000030h] 3_2_6F224E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F22B306 mov eax, dword ptr fs:[00000030h] 3_2_6F22B306
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F217254 mov esi, dword ptr fs:[00000030h] 3_2_6F217254
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F2079C0 mov eax, dword ptr fs:[00000030h] 3_2_6F2079C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0300DB4C mov eax, dword ptr fs:[00000030h] 5_2_0300DB4C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F21453A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6F21453A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F214D87 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6F214D87
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F21D314 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6F21D314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F21453A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6F21453A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F214D87 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6F214D87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F21D314 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6F21D314

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mATFWhYtPk.dll",#1
Source: rundll32.exe, 00000010.00000002.894573044.0000000003750000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000002.887564266.0000000002A30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000010.00000002.894573044.0000000003750000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000002.887564266.0000000002A30000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000010.00000002.894573044.0000000003750000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000002.887564266.0000000002A30000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: rundll32.exe, 00000010.00000002.894573044.0000000003750000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000002.887564266.0000000002A30000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW, 2_2_6F233FE7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW, 2_2_6F22C608
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_6F233D09
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_6F233D97
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_6F233C23
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_6F233C6E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW, 2_2_6F233B7A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW, 2_2_6F234218
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_6F2342EB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_6F234110
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_6F2339A0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_6F22C0BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6F233FE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6F22C608
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6F233D09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_6F233D97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6F233C23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6F233C6E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6F233B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6F234218
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6F2342EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6F234110
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6F2339A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6F22C0BA
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F214BA6 cpuid 2_2_6F214BA6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6F214F17 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_6F214F17