Windows Analysis Report AP8cSQS6y5

Overview

General Information

Sample Name: AP8cSQS6y5 (renamed file extension from none to dll)
Analysis ID: 533073
MD5: d706a7c97207b34d7e672273064a280d
SHA1: 9055721bc7129d62c2d9d3656592e2a3c190b052
SHA256: fd45e46e06310bf7df9e0a2690b545c19c6a6cf7504c3ffc6f701f28c7ce8b2d
Tags: 32, dll, exe, trojan

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Registers a DLL
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: AP8cSQS6y5.dll Virustotal: Detection: 10%
Source: AP8cSQS6y5.dll ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files
Source: AP8cSQS6y5.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.4:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49846 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49848 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.104.227.98:443 -> 192.168.2.4:49884 version: TLS 1.2
Source: AP8cSQS6y5.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.767682142.0000000003124000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767435815.0000000003140000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767490553.0000000003124000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.771158741.0000000004E41000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.767800828.000000000312A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.771158741.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767504288.000000000312A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767750121.000000000312A000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000014.00000003.767800828.000000000312A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767504288.000000000312A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767750121.000000000312A000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.767768692.000000000311E000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767476105.000000000311E000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767669415.000000000311E000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.771158741.0000000004E41000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000014.00000003.767682142.0000000003124000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767490553.0000000003124000.00000004.00000001.sdmp
Source: Binary string: lCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000014.00000002.784160177.0000000000B82000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.771158741.0000000004E41000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000014.00000003.771158741.0000000004E41000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.767768692.000000000311E000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767476105.000000000311E000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767669415.000000000311E000.00000004.00000001.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 172.104.227.98 187
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LINODE-APLinodeLLCUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
    GET /fgbZesNtBBFxhZmjmvBTQpdefdXEMKYUmN HTTP/1.1
    Cookie: mXPcsg=vAVdEWxxBWHcywqs0NhGDilqxIPmSwD0hHJ2TiTe1n7/QKTylBMhzXc8TCMjm2DI5MWFuk2Gg/Z4l/OcLUTAh0gaSjYGIxjesg4+cYDLW5lBLefhLfDu8/IUb3Y+GAwmOsoUkT6b3clgOHVKPFp7CFWxGpuQk7vpgoe9ZWryS1k6syfWj68Hs1XXEM7xe3/3WGEx8WjXEb90Qp1yb52Yo12mde5Jw+Xj4QBPlMlJDNRQtSjOs9cuajoxman0F/Ezsy4r9nLrG1yV2qQ8sjNGIP/6HfnxTMikkIpfF8biffRnoFafMxp57EreaodBezYPKaUcg+9bQthGr+UN0IlbezO4HOmrgbgSN3rPXLpEasSdgrNDJRbx9w==
    Host: 172.104.227.98
    Connection: Keep-Alive
    Cache-Control: no-cache
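The captured GET request above has the shape of a C2 check-in rather than a browser fetch: no User-Agent, a bare IP in the Host header, a random-looking path with no extension, only four headers, and a long opaque base64 cookie carrying the payload. The following script is an added example, not part of the Joe Sandbox report and not the sandbox's own signature logic. It parses the captured request (copied from the report with its line breaks restored) alongside a constructed browser request and reports which of those traits each one shows. The indicator names, the header-count and cookie-length thresholds, and the entropy cut-off are my assumptions, not values from the report.

```python
"""Triage a raw HTTP request for C2 beacon traits (added example)."""
import ipaddress
import math
import re
from collections import Counter

# The request from the report (Cookie value verbatim), CRLF line breaks restored.
SAMPLE_REQUEST = "\r\n".join([
    "GET /fgbZesNtBBFxhZmjmvBTQpdefdXEMKYUmN HTTP/1.1",
    "Cookie: mXPcsg=vAVdEWxxBWHcywqs0NhGDilqxIPmSwD0hHJ2TiTe1n7/QKTylBMhzXc8TCMjm2DI5MWFuk2Gg/Z4l/OcLUTAh0gaSjYGIxjesg4+cYDLW5lBLefhLfDu8/IUb3Y+GAwmOsoUkT6b3clgOHVKPFp7CFWxGpuQk7vpgoe9ZWryS1k6syfWj68Hs1XXEM7xe3/3WGEx8WjXEb90Qp1yb52Yo12mde5Jw+Xj4QBPlMlJDNRQtSjOs9cuajoxman0F/Ezsy4r9nLrG1yV2qQ8sjNGIP/6HfnxTMikkIpfF8biffRnoFafMxp57EreaodBezYPKaUcg+9bQthGr+UN0IlbezO4HOmrgbgSN3rPXLpEasSdgrNDJRbx9w==",
    "Host: 172.104.227.98",
    "Connection: Keep-Alive",
    "Cache-Control: no-cache",
    "", "",
])

# Constructed ordinary browser request for comparison (not from the report).
BENIGN_REQUEST = "\r\n".join([
    "GET /de-ch/index.html HTTP/1.1",
    "Host: www.example.test",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Example/1.0",
    "Accept: text/html,application/xhtml+xml",
    "Accept-Language: de-CH,de;q=0.9",
    "Connection: keep-alive",
    "Cookie: MUID=1a2b3c4d",
    "", "",
])

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
RANDOM_PATH_RE = re.compile(r"^/[A-Za-z0-9]{16,}$")  # one long alphanumeric segment, no extension
MIN_BLOB_LEN = 128        # assumption: session cookies are rarely this long
MIN_BLOB_ENTROPY = 4.5    # assumption: bits/char; random base64 sits near 5.8
MIN_BROWSER_HEADERS = 5   # assumption: real browsers send more headers than this


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, version and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def shannon_entropy(text):
    """Shannon entropy in bits per character."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def host_is_bare_ip(host):
    """True when the Host header is an IP literal, with or without a :port suffix."""
    if host.startswith("["):                    # [IPv6]:port form
        host = host[1:].partition("]")[0]
    else:
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def beacon_indicators(req):
    """Return the set of beacon-like traits present in a parsed request."""
    h = req["headers"]
    found = set()
    if "user-agent" not in h:
        found.add("no-user-agent")
    if host_is_bare_ip(h.get("host", "")):
        found.add("host-is-bare-ip")
    if len(h) < MIN_BROWSER_HEADERS:
        found.add("few-headers")
    if RANDOM_PATH_RE.match(req["path"]):
        found.add("random-path")
    for cookie in h.get("cookie", "").split(";"):
        _, _, value = cookie.strip().partition("=")
        if (len(value) >= MIN_BLOB_LEN and BASE64_RE.match(value)
                and shannon_entropy(value) > MIN_BLOB_ENTROPY):
            found.add("opaque-cookie-blob")   # base64 blob: likely encrypted beacon metadata
    return found


def triage(raw, threshold=3):
    """Return (indicators, verdict); 'suspicious' once threshold traits co-occur."""
    found = beacon_indicators(parse_request(raw))
    return found, ("suspicious" if len(found) >= threshold else "benign")


if __name__ == "__main__":
    for label, raw in (("sandbox capture", SAMPLE_REQUEST), ("constructed browser request", BENIGN_REQUEST)):
        found, verdict = triage(raw)
        print(f"{label}: {verdict} {sorted(found)}")
```

No single trait is conclusive (plenty of legitimate agents omit a User-Agent or talk to a bare IP); the point of the scoring is that the captured request trips all five at once, which is what separates it from the browser request.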
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.69.19
Source: Joe Sandbox View IP Address: 87.248.118.23
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.227.98 (reported 10 times)
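Two of the findings above combine into one host-side detection: rundll32.exe (a system binary that should not originate its own sessions) connects to 172.104.227.98, and no DNS query ever resolved that address, so the C2 address was hard-coded in the sample. The script below is an added example, not part of the Joe Sandbox report. It correlates Sysmon Event ID 22 (DnsQuery, whose QueryResults field lists answers as ::ffff:a.b.c.d) with Event ID 3 (NetworkConnect) and raises an alert for every external connection that no recent DNS answer explains, rating it higher when the source image is a living-off-the-land binary. The events are constructed in Sysmon's field shape; the IPs and process names mirror the report's observations, but the hostnames, timestamps and PIDs are invented, and the LOLBin list and ten-minute window are my assumptions.

```python
"""Flag external connections by system binaries that no DNS answer explains (added example)."""
import ipaddress
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed list of binaries that should not originate their own outbound sessions.
LOLBIN_IMAGES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
DNS_WINDOW = timedelta(minutes=10)   # assumption: how long a DNS answer explains a connection

# Sysmon writes IPv4 answers in QueryResults as "::ffff:a.b.c.d;".
IPV4_RE = re.compile(r"(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed Sysmon-style events (not from the report); IPs follow the report's observations.
EVENTS = [
    {"EventID": 22, "UtcTime": "2021-12-03 09:00:01.000", "ProcessId": 4812,
     "Image": r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
     "QueryName": "portal.example",
     "QueryResults": "type: 5 portal.example.edge.example;::ffff:104.26.7.139;::ffff:104.26.6.139;"},
    {"EventID": 3, "UtcTime": "2021-12-03 09:00:01.250", "ProcessId": 4812,
     "Image": r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
     "DestinationIp": "104.26.7.139", "DestinationPort": 443},
    {"EventID": 22, "UtcTime": "2021-12-03 09:00:05.000", "ProcessId": 1280,
     "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "ctldl.update.example",
     "QueryResults": "type: 5 ctldl.update.example.edge.example;::ffff:93.184.216.34;"},
    {"EventID": 3, "UtcTime": "2021-12-03 09:00:05.400", "ProcessId": 1280,
     "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
    {"EventID": 3, "UtcTime": "2021-12-03 09:01:12.000", "ProcessId": 5640,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "DestinationIp": "172.104.227.98", "DestinationPort": 443},   # no DNS answer for this IP
    {"EventID": 3, "UtcTime": "2021-12-03 09:01:12.100", "ProcessId": 5640,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "DestinationIp": "192.168.2.1", "DestinationPort": 53},       # private, not in scope
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def answers_in(query_results):
    """Extract the IPv4 answers from a Sysmon QueryResults string."""
    return IPV4_RE.findall(query_results)


def is_external(ip_text):
    """Only globally routable destinations count; RFC 1918, loopback and link-local are skipped."""
    return ipaddress.ip_address(ip_text).is_global


def detect_undns_connections(events):
    """Return alerts for external connections with no recent DNS answer for the destination."""
    resolved = {}    # ip -> (query name, time the answer was seen)
    alerts = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        t = parse_time(ev["UtcTime"])
        if ev["EventID"] == 22:
            for ip in answers_in(ev.get("QueryResults", "")):
                resolved[ip] = (ev["QueryName"], t)
        elif ev["EventID"] == 3:
            dest = ev["DestinationIp"]
            if not is_external(dest):
                continue
            name, when = resolved.get(dest, (None, None))
            if name is not None and t - when <= DNS_WINDOW:
                continue     # explained by a recent DNS answer
            image = PureWindowsPath(ev["Image"]).name.lower()
            alerts.append({
                "time": ev["UtcTime"],
                "image": ev["Image"],
                "pid": ev["ProcessId"],
                "dest": f"{dest}:{ev['DestinationPort']}",
                "reason": f"no DNS answer for {dest} within {DNS_WINDOW}",
                "severity": "high" if image in LOLBIN_IMAGES else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_undns_connections(EVENTS):
        print(alert)
```

The sandbox's own "system process connects to network" heuristic fires on the image name alone; adding the DNS correlation removes the large class of false positives from svchost.exe and other system images that do legitimately talk to resolved hosts, while a hard-coded C2 address such as the one in this sample still cannot pass.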
Source: de-ch[1].htm.6.dr String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: de-ch[1].htm.6.dr String found in binary or memory: <a href="https://www.linkedin.com:443/news/story/gibt-es-einen-impfstoffmangel-5630362/?li=BBqfZdV" > equals www.linkedin.com (Linkedin)
Source: msapplication.xml2.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x36f5356b,0x01d7e7d7</date><accdate>0x3711d2b4,0x01d7e7d7</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml7.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x38ae4a78,0x01d7e7d7</date><accdate>0x38cd4627,0x01d7e7d7</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml0.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x39b19024,0x01d7e7d7</date><accdate>0x39c966de,0x01d7e7d7</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.6.dr String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//browser.events.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//browser.events.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.6.dr String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
Source: svchost.exe, 00000018.00000002.866635288.000002540EB00000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000018.00000002.866248813.000002540E2E8000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000018.00000003.841183646.000002540EB62000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.839015411.000002540EBBB000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: de-ch[1].htm.6.dr String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.6.dr String found in binary or memory: http://ogp.me/ns/fb#
Source: auction[2].htm.6.dr String found in binary or memory: http://popup.taboola.com/german
Source: {524F927A-53CA-11EC-90EB-ECF4BBEA1588}.dat.4.dr, ~DF71FFEE72F82137A3.TMP.4.dr String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: imagestore.dat.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: Amcache.hve.20.dr String found in binary or memory: http://upx.sf.net
Source: msapplication.xml1.4.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml3.4.dr String found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml4.4.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml5.4.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml6.4.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml7.4.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml.4.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml0.4.dr String found in binary or memory: http://www.youtube.com/
Source: rundll32.exe, 00000015.00000003.824961602.00000000033CD000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000002.1192231858.00000000033CD000.00000004.00000001.sdmp String found in binary or memory: https://172.104.227.98/
Source: rundll32.exe, 00000015.00000003.824961602.00000000033CD000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000002.1192231858.00000000033CD000.00000004.00000001.sdmp String found in binary or memory: https://172.104.227.98/2Y
Source: rundll32.exe, 00000015.00000003.824961602.00000000033CD000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000002.1192231858.00000000033CD000.00000004.00000001.sdmp String found in binary or memory: https://172.104.227.98/fgbZesNtBBFxhZmjmvBTQpdefdXEMKYUmNi
Source: de-ch[1].htm.6.dr String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[2].htm.6.dr String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&amp;ap
Source: de-ch[1].htm.6.dr String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/oneTrust/1.2/consent/55a804ab-e5c6-4b97-9319-86263d36
Source: auction[2].htm.6.dr String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&amp;es=8suj1R4GIS8V8Y.60t5FkKq3CgX2JmaylXU1I2RSe_G6ul_K
Source: de-ch[1].htm.6.dr String found in binary or memory: https://browser.events.data.msn.com/OneCollector/1.0/t.js?qsp=true&anoncknm=%22%22&name=%22MS.News.W
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: auction[2].htm.6.dr String found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
Source: de-ch[1].htm.6.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.6.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=273363&amp;a=3064090&amp;g=24940322
Source: de-ch[1].htm.6.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&amp;a=3064090&amp;g=24886692
Source: ~DF71FFEE72F82137A3.TMP.4.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.6.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.6.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
Source: de-ch[1].htm.6.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
Source: {524F927A-53CA-11EC-90EB-ECF4BBEA1588}.dat.4.dr, ~DF71FFEE72F82137A3.TMP.4.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {524F927A-53CA-11EC-90EB-ECF4BBEA1588}.dat.4.dr, ~DF71FFEE72F82137A3.TMP.4.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: svchost.exe, 00000018.00000003.841183646.000002540EB62000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.839015411.000002540EBBB000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000018.00000003.843936539.000002540EB5A000.00000004.00000001.sdmp String found in binary or memory: https://displaycatalog.mp.microsSYSTEM
Source: iab2Data[1].json.6.dr String found in binary or memory: https://doceree.com/.well-known/deviceStorage.json
Source: iab2Data[1].json.6.dr String found in binary or memory: https://doceree.com/us-privacy-policy/
Source: iab2Data[1].json.6.dr String found in binary or memory: https://evorra.com/product-privacy-policy/
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: auction[2].htm.6.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: auction[2].htm.6.dr String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&amp;es=KWPrOhAGIS_oawOfJh1au_2LMxPR4CIZAVQuNReszlUZ
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1638488900&amp;rver=7.0.6730.0&am
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/logout.srf?ct=1638488901&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1638488900&amp;rver=7.0.6730.0&amp;w
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://msasg.visualstudio.com/Shared%20Data/_git/1DS.JavaScript?version=GBnubenja%2Fcustom-package
Source: iab2Data[1].json.6.dr String found in binary or memory: https://nextmillennium.io/privacy-policy/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.6.dr String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: iab2Data[1].json.6.dr String found in binary or memory: https://optimise-it.de/datenschutz
Source: de-ch[1].htm.6.dr String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.6.dr String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
Source: auction[2].htm.6.dr String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
Source: {524F927A-53CA-11EC-90EB-ECF4BBEA1588}.dat.4.dr, ~DF71FFEE72F82137A3.TMP.4.dr String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: auction[2].htm.6.dr String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/0XpuUmHG5cpKtbzOUv9Rmg--~A/Zmk9Zml0O3c9NjIyO2g9MzY4O2FwcGlkPWdlbWl
Source: de-ch[1].htm.6.dr String found in binary or memory: https://secure.adnxs.com/clktrb?id=764680&amp;t=1
Source: iab2Data[1].json.6.dr String found in binary or memory: https://silvermob.com/privacy
Source: iab2Data[1].json.6.dr String found in binary or memory: https://smartyads.com/privacy-policy
Source: de-ch[1].htm.6.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
Source: de-ch[1].htm.6.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.6.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
Source: auction[2].htm.6.dr String found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=47653540c85b4d47976453230805f9a4&amp;r=infopane&amp;i=3&
Source: imagestore.dat.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AARlHk9.img?h=368&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.6.dr String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.botman.ninja/privacy-policy
Source: svchost.exe, 00000018.00000003.841183646.000002540EB62000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.839015411.000002540EBBB000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000018.00000003.841183646.000002540EB62000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.839015411.000002540EBBB000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.ebay.ch/?mkcid=1&amp;mkrid=5222-53480-19255-0&amp;siteid=193&amp;campid=5338626668&amp;t
Source: imagestore.dat.6.dr String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: imagestore.dat.6.dr String found in binary or memory: https://www.google.com/favicon.ico
Source: imagestore.dat.6.dr String found in binary or memory: https://www.google.com/favicon.ico~
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.linkedin.com:443/news/story/gibt-es-einen-impfstoffmangel-5630362/?li=BBqfZdV
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DF71FFEE72F82137A3.TMP.4.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/ab-2025-gibt-es-einarmige-banditen-und-roulette-in-der-lokstadt
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/altkleider-nur-noch-in-stadtz%c3%bcrcher-sammelstellen/ar-AARos
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/die-provisorische-kantonsschule-auf-dem-irchel-kann-2024-starte
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/erste-best%c3%a4tigte-ansteckung-zwei-weitere-verdachtsf%c3%a4l
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/kanton-best%c3%a4tigt-ersten-omikron-fall-in-z%c3%bcrich/ar-AAR
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/kanton-verteidigt-finanzielle-beteiligung-am-kunstprojekt/ar-AA
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/lage-dramatisch-zugespitzt-%c3%b6v-in-winterthur-wird-teilweise
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/traurig-und-primitiv-rettungswagen-w%c3%a4hrend-einsatz-verspra
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/wird-etwas-enger-im-bus-werden-die-kapazit%c3%a4t-aber-stemmen-
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrich-zahlt-f%c3%bcr-gr%c3%bcne-hausw%c3%a4nde/ar-AARnq3Z
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.onlineumfragen.com/3index_2010_agb.cfm
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.queryclick.com/privacy-policy
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.stroeer.de/ssp-datenschutz
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.stroeer.de/werben-mit-stroeer/onlinewerbung/programmatic-data/sdi-datenschutz-b2c
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: svchost.exe, 00000018.00000003.841928751.000002540EB8D000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.841972477.000002540F002000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.841892213.000002540EBA4000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.tippsundtricks.co/gesundheit/stueck-seife-bettwasche/?utm_campaign=DECH-bedsoap&amp;utm_
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.tippsundtricks.co/lifehacks/kochendes-wasser-auto/?utm_campaign=DECH-cardent&amp;utm_sou
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.tippsundtricks.co/lifehacks/schwamm-kuhlschrank/?utm_campaign=DECH-schwamm&amp;utm_sourc
Source: unknown DNS traffic detected: queries for: www.msn.com
Source: global traffic HTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: btloader.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /px.gif?ch=1&e=0.1468967235918318 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad-delivery.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad.doubleclick.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F967a29a37c896af671157d56f753b141.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F6f2fb5b5492b8c599874fa6316451f85.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fe422867e373581902d24ef95be7d4e1b.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /lo/api/res/1.2/0XpuUmHG5cpKtbzOUv9Rmg--~A/Zmk9Zml0O3c9NjIyO2g9MzY4O2FwcGlkPWdlbWluaTtxPTEwMA--/https://s.yimg.com/av/ads/1632725880101-6365.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: s.yimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /fgbZesNtBBFxhZmjmvBTQpdefdXEMKYUmN HTTP/1.1Cookie: mXPcsg=vAVdEWxxBWHcywqs0NhGDilqxIPmSwD0hHJ2TiTe1n7/QKTylBMhzXc8TCMjm2DI5MWFuk2Gg/Z4l/OcLUTAh0gaSjYGIxjesg4+cYDLW5lBLefhLfDu8/IUb3Y+GAwmOsoUkT6b3clgOHVKPFp7CFWxGpuQk7vpgoe9ZWryS1k6syfWj68Hs1XXEM7xe3/3WGEx8WjXEb90Qp1yb52Yo12mde5Jw+Xj4QBPlMlJDNRQtSjOs9cuajoxman0F/Ezsy4r9nLrG1yV2qQ8sjNGIP/6HfnxTMikkIpfF8biffRnoFafMxp57EreaodBezYPKaUcg+9bQthGr+UN0IlbezO4HOmrgbgSN3rPXLpEasSdgrNDJRbx9w==Host: 172.104.227.98Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.4:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49846 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49848 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.104.227.98:443 -> 192.168.2.4:49884 version: TLS 1.2

System Summary:

Uses 32bit PE files
Source: AP8cSQS6y5.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6332 -ip 6332
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Taxeqfqnru\uldycndn.fbw:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Taxeqfqnru\
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001CFAA 0_2_1001CFAA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002800 0_2_10002800
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000BC07 0_2_1000BC07
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001000D 0_2_1001000D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10020C0C 0_2_10020C0C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10004A13 0_2_10004A13
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10016015 0_2_10016015
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000FE15 0_2_1000FE15
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000F217 0_2_1000F217
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002617 0_2_10002617
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001BE1F 0_2_1001BE1F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000DC24 0_2_1000DC24
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10010C2F 0_2_10010C2F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10021033 0_2_10021033
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10007E3E 0_2_10007E3E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10008650 0_2_10008650
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10005651 0_2_10005651
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001EC5A 0_2_1001EC5A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10017679 0_2_10017679
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002C79 0_2_10002C79
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001B278 0_2_1001B278
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000C87E 0_2_1000C87E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001C47E 0_2_1001C47E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10013682 0_2_10013682
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001A288 0_2_1001A288
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000C29B 0_2_1000C29B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001F0A7 0_2_1001F0A7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10022EA4 0_2_10022EA4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000A4AA 0_2_1000A4AA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001D8AD 0_2_1001D8AD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100202B3 0_2_100202B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10019EB5 0_2_10019EB5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10016ACA 0_2_10016ACA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100044D2 0_2_100044D2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10010ED9 0_2_10010ED9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100108D9 0_2_100108D9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001B6DB 0_2_1001B6DB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000CADE 0_2_1000CADE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001EE2 0_2_10001EE2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001E2E4 0_2_1001E2E4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100060E8 0_2_100060E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000D4EE 0_2_1000D4EE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000D8F0 0_2_1000D8F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000A6F7 0_2_1000A6F7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100088FC 0_2_100088FC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10011EFC 0_2_10011EFC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10020701 0_2_10020701
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001F90C 0_2_1001F90C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001EB0F 0_2_1001EB0F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001A712 0_2_1001A712
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002317 0_2_10002317
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001FB22 0_2_1001FB22
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10014F2A 0_2_10014F2A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10007931 0_2_10007931
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10013B36 0_2_10013B36
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001713E 0_2_1001713E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000CD42 0_2_1000CD42
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10007549 0_2_10007549
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001514C 0_2_1001514C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000C551 0_2_1000C551
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001C962 0_2_1001C962
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000BD63 0_2_1000BD63
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000416C 0_2_1000416C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002196C 0_2_1002196C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000E16F 0_2_1000E16F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001B70 0_2_10001B70
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10008B74 0_2_10008B74
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10012378 0_2_10012378
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001177E 0_2_1001177E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10020588 0_2_10020588
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001058C 0_2_1001058C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10021FA6 0_2_10021FA6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100093A7 0_2_100093A7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10009DA8 0_2_10009DA8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000A1AA 0_2_1000A1AA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100231BA 0_2_100231BA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100065BD 0_2_100065BD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100227CB 0_2_100227CB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100165CD 0_2_100165CD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10008FCE 0_2_10008FCE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000B9D5 0_2_1000B9D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000ADD9 0_2_1000ADD9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100057E6 0_2_100057E6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100179EC 0_2_100179EC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10013FF3 0_2_10013FF3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000FBF7 0_2_1000FBF7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10017FFB 0_2_10017FFB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000D1FD 0_2_1000D1FD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E56EE70 2_2_6E56EE70
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E593ED7 2_2_6E593ED7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E593FF7 2_2_6E593FF7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E582F91 2_2_6E582F91
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E572D30 2_2_6E572D30
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E57CDCD 2_2_6E57CDCD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E519AD0 2_2_6E519AD0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E57CB9B 2_2_6E57CB9B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E572800 2_2_6E572800
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E57C969 2_2_6E57C969
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E58F599 2_2_6E58F599
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E572580 2_2_6E572580
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E582040 2_2_6E582040
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E57D02A 2_2_6E57D02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E56EE70 3_2_6E56EE70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E593ED7 3_2_6E593ED7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E593FF7 3_2_6E593FF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E582F91 3_2_6E582F91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E572D30 3_2_6E572D30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E57CDCD 3_2_6E57CDCD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E519AD0 3_2_6E519AD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E57CB9B 3_2_6E57CB9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E572800 3_2_6E572800
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E57C969 3_2_6E57C969
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E58F599 3_2_6E58F599
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E572580 3_2_6E572580
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E582040 3_2_6E582040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E57D02A 3_2_6E57D02A
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 6E50FEF0 appears 322 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 6E57EEBE appears 68 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 6E5774F0 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E50FEF0 appears 322 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E57EEBE appears 69 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E5774F0 appears 38 times
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: AP8cSQS6y5.dll Virustotal: Detection: 10%
Source: AP8cSQS6y5.dll ReversingLabs: Detection: 17%
Source: AP8cSQS6y5.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\AP8cSQS6y5.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AP8cSQS6y5.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\AP8cSQS6y5.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AP8cSQS6y5.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\AP8cSQS6y5.dll,DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6412 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\AP8cSQS6y5.dll,_opj_codec_set_threads@8
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\AP8cSQS6y5.dll,_opj_create_compress@4
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\AP8cSQS6y5.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\AP8cSQS6y5.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Taxeqfqnru\uldycndn.fbw",ompKOnwZ
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\AP8cSQS6y5.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\AP8cSQS6y5.dll",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6332 -ip 6332
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 288
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Taxeqfqnru\uldycndn.fbw",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AP8cSQS6y5.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\AP8cSQS6y5.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\AP8cSQS6y5.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\AP8cSQS6y5.dll,_opj_codec_set_threads@8
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\AP8cSQS6y5.dll,_opj_create_compress@4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AP8cSQS6y5.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\AP8cSQS6y5.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\AP8cSQS6y5.dll",DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6412 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Taxeqfqnru\uldycndn.fbw",ompKOnwZ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\AP8cSQS6y5.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\AP8cSQS6y5.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Taxeqfqnru\uldycndn.fbw",DllRegisterServer
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6332 -ip 6332
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 288
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{524F9278-53CA-11EC-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF35A0F37D59D4ED88.TMP
Source: classification engine Classification label: mal60.evad.winDLL@40/130@13/7
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AP8cSQS6y5.dll",#1
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:6036:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6332
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: AP8cSQS6y5.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: AP8cSQS6y5.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.767682142.0000000003124000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767435815.0000000003140000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767490553.0000000003124000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.771158741.0000000004E41000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.767800828.000000000312A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.771158741.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767504288.000000000312A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767750121.000000000312A000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000014.00000003.767800828.000000000312A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767504288.000000000312A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767750121.000000000312A000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.767768692.000000000311E000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767476105.000000000311E000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767669415.000000000311E000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.771158741.0000000004E41000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000014.00000003.767682142.0000000003124000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767490553.0000000003124000.00000004.00000001.sdmp
Source: Binary string: lCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000014.00000002.784160177.0000000000B82000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.771158741.0000000004E41000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000014.00000003.771158741.0000000004E41000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.767768692.000000000311E000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767476105.000000000311E000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.767669415.000000000311E000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000176C push ebp; iretd 0_2_1000176D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E576FA1 push ecx; ret 2_2_6E576F9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E576FA1 push ecx; ret 3_2_6E576F9F
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E50DA40 task,task,VirtualProtect,LoadLibraryA,GetProcAddress,GetProcAddress,task,task, 2_2_6E50DA40
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\AP8cSQS6y5.dll

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Taxeqfqnru\uldycndn.fbw

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Taxeqfqnru\uldycndn.fbw:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 3512 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.20.dr Binary or memory string: VMware
Source: Amcache.hve.20.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.20.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.20.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.20.dr Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.20.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.20.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.20.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.20.dr Binary or memory string: VMware7,1
Source: Amcache.hve.20.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.20.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.20.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000018.00000002.866056110.000002540E2A5000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.866224134.000002540E2E0000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.866248813.000002540E2E8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.20.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.20.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.20.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.20.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.20.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E57AABA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E57AABA
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E50DA40 task,task,VirtualProtect,LoadLibraryA,GetProcAddress,GetProcAddress,task,task, 2_2_6E50DA40
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10011E59 mov eax, dword ptr fs:[00000030h] 0_2_10011E59
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E57A991 mov eax, dword ptr fs:[00000030h] 2_2_6E57A991
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E5840D3 mov eax, dword ptr fs:[00000030h] 2_2_6E5840D3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E58408F mov eax, dword ptr fs:[00000030h] 2_2_6E58408F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E584104 mov eax, dword ptr fs:[00000030h] 2_2_6E584104
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E57A991 mov eax, dword ptr fs:[00000030h] 3_2_6E57A991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E5840D3 mov eax, dword ptr fs:[00000030h] 3_2_6E5840D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E58408F mov eax, dword ptr fs:[00000030h] 3_2_6E58408F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E584104 mov eax, dword ptr fs:[00000030h] 3_2_6E584104
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10010E34 LdrInitializeThunk, 0_2_10010E34
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E57AABA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E57AABA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E57624F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6E57624F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E577375 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E577375
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E57AABA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E57AABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E57624F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E57624F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E577375 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E577375

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 172.104.227.98 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AP8cSQS6y5.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6332 -ip 6332
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 288
Source: rundll32.exe, 00000015.00000002.1192366069.00000000037B0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000015.00000002.1192366069.00000000037B0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000015.00000002.1192366069.00000000037B0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000015.00000002.1192366069.00000000037B0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_6E591EAD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW, 2_2_6E584DE4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_6E58480E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E59280E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_6E592639
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_6E592235
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_6E59214F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_6E59219A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6E591EAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E584DE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E58480E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6E59280E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6E592639
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E592235
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E59214F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E59219A
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E5770CB cpuid 2_2_6E5770CB
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E57729C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_6E57729C

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Amcache.hve.20.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe