Windows Analysis Report cbDMa7lgYy

Compliance:

Uses 32bit PE files

Source: cbDMa7lgYy.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.26.6.139:443 -> 192.168.2.3:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.6.139:443 -> 192.168.2.3:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.3:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.3:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.3:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.3:49809 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.104.227.98:443 -> 192.168.2.3:49864 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: cbDMa7lgYy.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: aXljr[lCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000014.00000002.427968095.00000000000E2000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.416350295.0000000004591000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.416350295.0000000004591000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.416350295.0000000004591000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.416350295.0000000004591000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000014.00000003.416350295.0000000004591000.00000004.00000001.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 172.104.227.98 187

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /SVvSOBnCfHgsVssFNnj HTTP/1.1Cookie: MjsBkpgasSueby=Uoymy6lCLvL7UL1qtXUxfAH6Y4F87/M1pXzt4wFcQdUHqa7mNpcA6rB8BrroyLl53fWSaoNGm64bOCCWe3wD080muLOwCKicDach6TSpi5lwo37DAUoZS1tenl6j2FJWxwDieWtIYwHvfaNLrOwweq88d2ccy6oXSibHyr1WVgM5Vh/DnaT4ZDUAcnuScjhcZIdSQwttTz8NcPB6UeZjIR0AP/VOw3LRONXFN8/feqXngKomoPCtGrlIOrYzsvgB6A==Host: 172.104.227.98Connection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.26.3.70 104.26.3.70
Source: Joe Sandbox View	IP Address: 104.26.6.139 104.26.6.139

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98

Found strings which match to known social media urls

Source: de-ch[1].htm.8.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: svchost.exe, 00000021.00000003.553552867.00000240D0B8C000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 00000021.00000003.553552867.00000240D0B8C000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 00000021.00000003.553602525.00000240D0B9D000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.553552867.00000240D0B8C000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-26T13:57:30.0386475Z||.||6f0c105d-3db6-47de-894d-fd95973349e2||1152921505694224549||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000021.00000003.553602525.00000240D0B9D000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.553552867.00000240D0B8C000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-26T13:57:30.0386475Z||.||6f0c105d-3db6-47de-894d-fd95973349e2||1152921505694224549||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: de-ch[1].htm.8.dr	String found in binary or memory: <a href="https://www.linkedin.com:443/news/story/gibt-es-einen-impfstoffmangel-5630362/?li=BBqfZdV" > equals www.linkedin.com (Linkedin)
Source: msapplication.xml0.6.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x64f2d08a,0x01d7e823</date><accdate>0x653f1c5c,0x01d7e823</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.6.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x66692146,0x01d7e823</date><accdate>0x6680f7bb,0x01d7e823</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.6.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x66e2b870,0x01d7e823</date><accdate>0x66fa8f84,0x01d7e823</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.8.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//browser.events.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//browser.events.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.8.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

URLs found in memory or binary data

Source: svchost.exe, 0000001E.00000002.829947101.0000017984263000.00000004.00000001.sdmp, svchost.exe, 00000021.00000002.577471180.00000240D0B00000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001E.00000002.829522746.000001798420D000.00000004.00000001.sdmp, svchost.exe, 00000021.00000002.577190778.00000240D02EF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000021.00000003.547703122.00000240D0B7E000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.547763888.00000240D0B9A000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: de-ch[1].htm.8.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.8.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: {800E2D64-5416-11EC-90E9-ECF4BB862DED}.dat.6.dr, ~DFB6CB56471D5D6D2D.TMP.6.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: imagestore.dat.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: Amcache.hve.20.dr	String found in binary or memory: http://upx.sf.net
Source: msapplication.xml.6.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.6.dr	String found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.6.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.6.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.6.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.6.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.6.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.6.dr	String found in binary or memory: http://www.youtube.com/
Source: rundll32.exe, 00000017.00000002.831858473.0000000004565000.00000004.00000001.sdmp	String found in binary or memory: https://172.104.227.98/SVvSOBnCfHgsVssFNnjg
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/oneTrust/1.2/consent/55a804ab-e5c6-4b97-9319-86263d36
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://browser.events.data.msn.com/OneCollector/1.0/t.js?qsp=true&anoncknm=%22%22&name=%22MS.News.W
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=273363&a=3064090&g=24940322
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&a=3064090&g=24886692
Source: ~DFB6CB56471D5D6D2D.TMP.6.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: {800E2D64-5416-11EC-90E9-ECF4BB862DED}.dat.6.dr, ~DFB6CB56471D5D6D2D.TMP.6.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {800E2D64-5416-11EC-90E9-ECF4BB862DED}.dat.6.dr, ~DFB6CB56471D5D6D2D.TMP.6.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: auction[1].htm.8.dr	String found in binary or memory: https://dcdn.adnxs.com/shftr/https%253A%252F%252Fcrcdn01.adnxs-simple.com%252Fcreative%252Fp%252F128
Source: svchost.exe, 00000021.00000003.547703122.00000240D0B7E000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.547763888.00000240D0B9A000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://doceree.com/.well-known/deviceStorage.json
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://doceree.com/us-privacy-policy/
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://evorra.com/product-privacy-policy/
Source: auction[1].htm.8.dr	String found in binary or memory: https://fra1-ib.adnxs.com/click?nwN56a5Y4z977_KJeV3gPwAAAIAUrgdAIITEmQZ14j_8ag4QzNHlPwb1TKFuyZwOxcCm
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1638489221&rver=7.0.6730.0&am
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1638489222&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1638489221&rver=7.0.6730.0&w
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://msasg.visualstudio.com/Shared%20Data/_git/1DS.JavaScript?version=GBnubenja%2Fcustom-package
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://nextmillennium.io/privacy-policy/
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://optimise-it.de/datenschutz
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: {800E2D64-5416-11EC-90E9-ECF4BB862DED}.dat.6.dr, ~DFB6CB56471D5D6D2D.TMP.6.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://secure.adnxs.com/clktrb?id=764680&t=1
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://silvermob.com/privacy
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://smartyads.com/privacy-policy
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: imagestore.dat.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AARlHk9.img?h=368&
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://www.botman.ninja/privacy-policy
Source: svchost.exe, 00000021.00000003.547703122.00000240D0B7E000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.547763888.00000240D0B9A000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000021.00000003.547703122.00000240D0B7E000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.547763888.00000240D0B9A000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.ebay.ch/?mkcid=1&mkrid=5222-53480-19255-0&siteid=193&campid=5338626668&t
Source: imagestore.dat.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: imagestore.dat.8.dr	String found in binary or memory: https://www.google.com/favicon.ico~
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.linkedin.com:443/news/story/gibt-es-einen-impfstoffmangel-5630362/?li=BBqfZdV
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DFB6CB56471D5D6D2D.TMP.6.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: {800E2D64-5416-11EC-90E9-ECF4BB862DED}.dat.6.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp#
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/ab-2025-gibt-es-einarmige-banditen-und-roulette-in-der-lokstadt
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/altkleider-nur-noch-in-stadtz%c3%bcrcher-sammelstellen/ar-AARos
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/die-provisorische-kantonsschule-auf-dem-irchel-kann-2024-starte
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/erste-best%c3%a4tigte-ansteckung-zwei-weitere-verdachtsf%c3%a4l
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/kanton-best%c3%a4tigt-ersten-omikron-fall-in-z%c3%bcrich/ar-AAR
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/kanton-verteidigt-finanzielle-beteiligung-am-kunstprojekt/ar-AA
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/lage-dramatisch-zugespitzt-%c3%b6v-in-winterthur-wird-teilweise
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/traurig-und-primitiv-rettungswagen-w%c3%a4hrend-einsatz-verspra
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/wird-etwas-enger-im-bus-werden-die-kapazit%c3%a4t-aber-stemmen-
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrich-zahlt-f%c3%bcr-gr%c3%bcne-hausw%c3%a4nde/ar-AARnq3Z
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://www.onlineumfragen.com/3index_2010_agb.cfm
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://www.queryclick.com/privacy-policy
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://www.stroeer.de/ssp-datenschutz
Source: iab2Data[1].json.8.dr	String found in binary or memory: https://www.stroeer.de/werben-mit-stroeer/onlinewerbung/programmatic-data/sdi-datenschutz-b2c
Source: 52-478955-68ddb2ab[1].js.8.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: svchost.exe, 00000021.00000003.549055492.00000240D0B7E000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.549131452.00000240D0B8F000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.tippsundtricks.co/gesundheit/stueck-seife-bettwasche/?utm_campaign=DECH-bedsoap&utm_
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.tippsundtricks.co/lifehacks/kochendes-wasser-auto/?utm_campaign=DECH-cardent&utm_sou
Source: de-ch[1].htm.8.dr	String found in binary or memory: https://www.tippsundtricks.co/lifehacks/schwamm-kuhlschrank/?utm_campaign=DECH-schwamm&utm_sourc
Source: auction[1].htm.8.dr	String found in binary or memory: https://www.xandr.com/privacy/platform-privacy-policy

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.msn.com

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: btloader.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad.doubleclick.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /px.gif?ch=1&e=0.36185912451253604 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad-delivery.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /SVvSOBnCfHgsVssFNnj HTTP/1.1Cookie: MjsBkpgasSueby=Uoymy6lCLvL7UL1qtXUxfAH6Y4F87/M1pXzt4wFcQdUHqa7mNpcA6rB8BrroyLl53fWSaoNGm64bOCCWe3wD080muLOwCKicDach6TSpi5lwo37DAUoZS1tenl6j2FJWxwDieWtIYwHvfaNLrOwweq88d2ccy6oXSibHyr1WVgM5Vh/DnaT4ZDUAcnuScjhcZIdSQwttTz8NcPB6UeZjIR0AP/VOw3LRONXFN8/feqXngKomoPCtGrlIOrYzsvgB6A==Host: 172.104.227.98Connection: Keep-AliveCache-Control: no-cache

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.26.6.139:443 -> 192.168.2.3:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.6.139:443 -> 192.168.2.3:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.3:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.3:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.3:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.3:49809 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.104.227.98:443 -> 192.168.2.3:49864 version: TLS 1.2

System Summary:

Uses 32bit PE files

Source: cbDMa7lgYy.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4324 -ip 4324

Deletes files inside the Windows folder

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Jbndar\nmzkhilenocia.rvs:Zone.Identifier

Jump to behavior

Creates files inside the system directory

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Jbndar\

Jump to behavior

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001CFAA		1_2_1001CFAA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10002800		1_2_10002800
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000BC07		1_2_1000BC07
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001000D		1_2_1001000D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10020C0C		1_2_10020C0C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10004A13		1_2_10004A13
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10016015		1_2_10016015
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000FE15		1_2_1000FE15
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000F217		1_2_1000F217
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10002617		1_2_10002617
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001BE1F		1_2_1001BE1F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000DC24		1_2_1000DC24
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10010C2F		1_2_10010C2F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10021033		1_2_10021033
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10007E3E		1_2_10007E3E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10008650		1_2_10008650
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10005651		1_2_10005651
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001EC5A		1_2_1001EC5A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10017679		1_2_10017679
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10002C79		1_2_10002C79
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001B278		1_2_1001B278
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000C87E		1_2_1000C87E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001C47E		1_2_1001C47E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10013682		1_2_10013682
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001A288		1_2_1001A288
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000C29B		1_2_1000C29B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001F0A7		1_2_1001F0A7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10022EA4		1_2_10022EA4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000A4AA		1_2_1000A4AA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001D8AD		1_2_1001D8AD
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100202B3		1_2_100202B3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10019EB5		1_2_10019EB5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10016ACA		1_2_10016ACA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100044D2		1_2_100044D2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10010ED9		1_2_10010ED9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100108D9		1_2_100108D9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001B6DB		1_2_1001B6DB
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000CADE		1_2_1000CADE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10001EE2		1_2_10001EE2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001E2E4		1_2_1001E2E4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100060E8		1_2_100060E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000D4EE		1_2_1000D4EE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000D8F0		1_2_1000D8F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000A6F7		1_2_1000A6F7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100088FC		1_2_100088FC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10011EFC		1_2_10011EFC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10020701		1_2_10020701
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001F90C		1_2_1001F90C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001EB0F		1_2_1001EB0F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001A712		1_2_1001A712
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10002317		1_2_10002317
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001FB22		1_2_1001FB22
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10014F2A		1_2_10014F2A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10007931		1_2_10007931
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10013B36		1_2_10013B36
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001713E		1_2_1001713E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000CD42		1_2_1000CD42
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10007549		1_2_10007549
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001514C		1_2_1001514C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000C551		1_2_1000C551
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001C962		1_2_1001C962
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000BD63		1_2_1000BD63
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000416C		1_2_1000416C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1002196C		1_2_1002196C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000E16F		1_2_1000E16F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10001B70		1_2_10001B70
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10008B74		1_2_10008B74
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10012378		1_2_10012378
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001177E		1_2_1001177E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10020588		1_2_10020588
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001058C		1_2_1001058C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10021FA6		1_2_10021FA6
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100093A7		1_2_100093A7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10009DA8		1_2_10009DA8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000A1AA		1_2_1000A1AA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100231BA		1_2_100231BA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100065BD		1_2_100065BD
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100227CB		1_2_100227CB
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100165CD		1_2_100165CD
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10008FCE		1_2_10008FCE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000B9D5		1_2_1000B9D5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000ADD9		1_2_1000ADD9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100057E6		1_2_100057E6
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100179EC		1_2_100179EC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10013FF3		1_2_10013FF3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000FBF7		1_2_1000FBF7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10017FFB		1_2_10017FFB
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000D1FD		1_2_1000D1FD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7BEE70		3_2_6E7BEE70
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7E3ED7		3_2_6E7E3ED7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7E3FF7		3_2_6E7E3FF7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7D2F91		3_2_6E7D2F91
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7C2D30		3_2_6E7C2D30
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7CCDCD		3_2_6E7CCDCD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E769AD0		3_2_6E769AD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7CCB9B		3_2_6E7CCB9B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7C2800		3_2_6E7C2800
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7CC969		3_2_6E7CC969
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7DF599		3_2_6E7DF599
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7C2580		3_2_6E7C2580
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7D2040		3_2_6E7D2040
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7CD02A		3_2_6E7CD02A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7BEE70		4_2_6E7BEE70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7E3ED7		4_2_6E7E3ED7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7E3FF7		4_2_6E7E3FF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7D2F91		4_2_6E7D2F91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7C2D30		4_2_6E7C2D30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7CCDCD		4_2_6E7CCDCD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E769AD0		4_2_6E769AD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7CCB9B		4_2_6E7CCB9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7C2800		4_2_6E7C2800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7CC969		4_2_6E7CC969
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7DF599		4_2_6E7DF599
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7C2580		4_2_6E7C2580
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7D2040		4_2_6E7D2040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7CD02A		4_2_6E7CD02A

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 6E75FEF0 appears 322 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 6E7CEEBE appears 60 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 6E7C74F0 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E75FEF0 appears 322 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E7CEEBE appears 75 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E7C74F0 appears 38 times

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

PE file has an executable .text section and no other executable section

Source: cbDMa7lgYy.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\cbDMa7lgYy.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\cbDMa7lgYy.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\cbDMa7lgYy.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cbDMa7lgYy.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cbDMa7lgYy.dll,DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1312 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cbDMa7lgYy.dll,_opj_codec_set_threads@8
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cbDMa7lgYy.dll,_opj_create_compress@4
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\cbDMa7lgYy.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\cbDMa7lgYy.dll",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jbndar\nmzkhilenocia.rvs",ZBUBrnH
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\cbDMa7lgYy.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\cbDMa7lgYy.dll",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4324 -ip 4324
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 276
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Jbndar\nmzkhilenocia.rvs",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\cbDMa7lgYy.dll",#1			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\cbDMa7lgYy.dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cbDMa7lgYy.dll,DllRegisterServer			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cbDMa7lgYy.dll,_opj_codec_set_threads@8			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cbDMa7lgYy.dll,_opj_create_compress@4			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cbDMa7lgYy.dll",#1			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\cbDMa7lgYy.dll",DllRegisterServer			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\cbDMa7lgYy.dll",DllRegisterServer			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1312 CREDAT:17410 /prefetch:2			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jbndar\nmzkhilenocia.rvs",ZBUBrnH			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\cbDMa7lgYy.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\cbDMa7lgYy.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Jbndar\nmzkhilenocia.rvs",DllRegisterServer
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4324 -ip 4324
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 276
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown

Uses an in-process (OLE) Automation server

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Creates files inside the user directory

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Creates temporary files

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF6A24A5A828D094D4.TMP

Jump to behavior

Classification label

Source: classification engine

Classification label: mal52.evad.winDLL@40/132@12/6

Reads ini files

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Runs a DLL by calling functions

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cbDMa7lgYy.dll",#1

Creates mutexes

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6200:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4324

Reads the hosts file

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Found GUI installer (many successful clicks)

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: cbDMa7lgYy.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Source: cbDMa7lgYy.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: aXljr[lCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000014.00000002.427968095.00000000000E2000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.416350295.0000000004591000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.416350295.0000000004591000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.416350295.0000000004591000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.416350295.0000000004591000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000014.00000003.416350295.0000000004591000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000176C push ebp; iretd		1_2_1000176D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7C6FA1 push ecx; ret		3_2_6E7C6F9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7C6FA1 push ecx; ret		4_2_6E7C6F9F

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_6E75DA40 task,task,VirtualProtect,LoadLibraryA,GetProcAddress,GetProcAddress,task,task,

3_2_6E75DA40

Registers a DLL

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\cbDMa7lgYy.dll

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Jbndar\nmzkhilenocia.rvs

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Jbndar\nmzkhilenocia.rvs:Zone.Identifier read attributes | delete			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Vuneactwtxur\pvae.wvo:Zone.Identifier read attributes | delete

Disables application error messsages (SetErrorMode)

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 5664	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5632	Thread sleep time: -210000s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Queries a list of all running processes

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Checks the free space of harddrives

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: Amcache.hve.20.dr	Binary or memory string: VMware
Source: Amcache.hve.20.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.20.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.20.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.20.dr	Binary or memory string: VMware, Inc.
Source: svchost.exe, 0000001E.00000002.831065613.00000179FEA2A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWm'
Source: svchost.exe, 0000001E.00000002.829947101.0000017984263000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: Amcache.hve.20.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.20.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.20.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.20.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.20.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.20.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rundll32.exe, 00000017.00000002.831858473.0000000004565000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000002.829862118.000001798424E000.00000004.00000001.sdmp, svchost.exe, 00000021.00000002.576944217.00000240D0288000.00000004.00000001.sdmp, svchost.exe, 00000021.00000002.577190778.00000240D02EF000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.20.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.20.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.20.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.20.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.20.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.20.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_6E7CAABA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_6E7CAABA

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_6E75DA40 task,task,VirtualProtect,LoadLibraryA,GetProcAddress,GetProcAddress,task,task,

3_2_6E75DA40

Contains functionality to read the PEB

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10011E59 mov eax, dword ptr fs:[00000030h]		1_2_10011E59
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7CA991 mov eax, dword ptr fs:[00000030h]		3_2_6E7CA991
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7D40D3 mov eax, dword ptr fs:[00000030h]		3_2_6E7D40D3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7D408F mov eax, dword ptr fs:[00000030h]		3_2_6E7D408F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7D4104 mov eax, dword ptr fs:[00000030h]		3_2_6E7D4104
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7CA991 mov eax, dword ptr fs:[00000030h]		4_2_6E7CA991
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7D40D3 mov eax, dword ptr fs:[00000030h]		4_2_6E7D40D3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7D408F mov eax, dword ptr fs:[00000030h]		4_2_6E7D408F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7D4104 mov eax, dword ptr fs:[00000030h]		4_2_6E7D4104

Checks if the current process is being debugged

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_10010E34 LdrInitializeThunk,

1_2_10010E34

Contains functionality to register its own exception handler

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7CAABA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		3_2_6E7CAABA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7C624F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		3_2_6E7C624F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6E7C7375 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		3_2_6E7C7375
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7CAABA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		4_2_6E7CAABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7C624F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		4_2_6E7C624F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7C7375 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		4_2_6E7C7375

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 172.104.227.98 187

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cbDMa7lgYy.dll",#1			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4324 -ip 4324
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 276

May try to detect the Windows Explorer process (often used for injection)

Source: rundll32.exe, 00000017.00000002.831250102.0000000003010000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 00000017.00000002.831250102.0000000003010000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000017.00000002.831250102.0000000003010000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000017.00000002.831250102.0000000003010000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,		3_2_6E7E1EAD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoW,		3_2_6E7D4DE4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,		3_2_6E7E280E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: EnumSystemLocalesW,		3_2_6E7D480E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,		3_2_6E7E2639
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: EnumSystemLocalesW,		3_2_6E7E2235
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: EnumSystemLocalesW,		3_2_6E7E214F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: EnumSystemLocalesW,		3_2_6E7E219A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,		4_2_6E7E1EAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,		4_2_6E7D4DE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,		4_2_6E7E280E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,		4_2_6E7D480E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,		4_2_6E7E2639
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,		4_2_6E7E2235
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,		4_2_6E7E214F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,		4_2_6E7E219A

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_6E7C70CB cpuid

3_2_6E7C70CB

Queries the cryptographic machine GUID

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Contains functionality to query local / system time

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_6E7C729C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_6E7C729C

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.20.dr, Amcache.hve.LOG1.20.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.20.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.20.dr, Amcache.hve.LOG1.20.dr	Binary or memory string: procexp.exe