Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
OojqjHGE0W.exe

Overview

General Information

Sample Name:OojqjHGE0W.exe
Analysis ID:630152
MD5:4ed3fa33609a51baf209a5954bef6633
SHA1:aff82f0554f18c780561d6b8b1ca5a1001e42512
SHA256:988177454fe3a5ba8fcdf7f3124e2c56f312b776542d3763540c254df6fe6f76
Tags:exesigned
Infos:

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Snort IDS alert for network traffic
Writes to foreign memory regions
Writes or reads registry keys via WMI
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Found API chain indicative of debugger detection
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after checking system information)
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains strange resources
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • OojqjHGE0W.exe (PID: 3408 cmdline: "C:\Users\user\Desktop\OojqjHGE0W.exe" MD5: 4ED3FA33609A51BAF209A5954BEF6633)
    • InstallUtil.exe (PID: 5584 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • cleanup
{"RSA Public Key": "S0cXgkczLn8DzpFkqJkBMx5geC7yniHR4ECyGeVYDO5jsqYVdXE2v679nj0L+4Im3j/P6z1P+Yt1BRosNI7Edvd1U5N0OYNwNVRfWwfbhm6jaX9Kjt9vEFS5dCsKX71jt2XzO+H4zoaN0nbuxJko5Np4J7p0zDkJiLw6HxWp4zGiWIwT2o7vLE3guRMwyRVXO9dkUDWYMn+gWBAKovUuxnaDZD7PIJ/H8zTx3Yz7628+O4pRw2KlIh0/fkIzdLb08ciTd+kW2cM+z/W40SWfyGxExAOJ7AMei6jzcKc68f1Bamsf4QGIbKQz9UqHR5cBlCKpLVi3hYeembcW9ep7oVhTb5Y2TC0ZAzzb/feTdhI=", "c2_domain": ["anm.msn.com", "194.76.225.45", "msi.msn.com", "194.76.225.56"], "botnet": "1700", "server": "50", "serpent_key": "1OoXFPbINCQ6HCAa", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
SourceRuleDescriptionAuthorStrings
0000000A.00000003.504942023.00000000020C8000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    0000000A.00000003.501961576.00000000020C8000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      0000000A.00000003.502032730.00000000020C8000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        0000000A.00000002.535140555.00000000020C8000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          0000000A.00000003.501571456.00000000020C8000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 7 entries
            SourceRuleDescriptionAuthorStrings
            10.2.InstallUtil.exe.1b694a0.2.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
              10.2.InstallUtil.exe.1340000.1.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                10.2.InstallUtil.exe.1b694a0.2.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                  No Sigma rule has matched
                  Timestamp:192.168.2.352.169.118.17349702802033203 05/19/22-14:41:40.292996
                  SID:2033203
                  Source Port:49702
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.352.169.118.17349702802033204 05/19/22-14:41:40.292996
                  SID:2033204
                  Source Port:49702
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Source: 10.2.InstallUtil.exe.1b694a0.2.raw.unpackMalware Configuration Extractor: Ursnif {"RSA Public Key": "S0cXgkczLn8DzpFkqJkBMx5geC7yniHR4ECyGeVYDO5jsqYVdXE2v679nj0L+4Im3j/P6z1P+Yt1BRosNI7Edvd1U5N0OYNwNVRfWwfbhm6jaX9Kjt9vEFS5dCsKX71jt2XzO+H4zoaN0nbuxJko5Np4J7p0zDkJiLw6HxWp4zGiWIwT2o7vLE3guRMwyRVXO9dkUDWYMn+gWBAKovUuxnaDZD7PIJ/H8zTx3Yz7628+O4pRw2KlIh0/fkIzdLb08ciTd+kW2cM+z/W40SWfyGxExAOJ7AMei6jzcKc68f1Bamsf4QGIbKQz9UqHR5cBlCKpLVi3hYeembcW9ep7oVhTb5Y2TC0ZAzzb/feTdhI=", "c2_domain": ["anm.msn.com", "194.76.225.45", "msi.msn.com", "194.76.225.56"], "botnet": "1700", "server": "50", "serpent_key": "1OoXFPbINCQ6HCAa", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
                  Source: OojqjHGE0W.exeReversingLabs: Detection: 46%
                  Source: OojqjHGE0W.exeJoe Sandbox ML: detected
                  Source: 10.2.InstallUtil.exe.400000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen7
                  Source: 0.2.OojqjHGE0W.exe.8b5230.0.unpackAvira: Label: TR/Patched.Ren.Gen
                  Source: 10.0.InstallUtil.exe.400000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen7
                  Source: 10.0.InstallUtil.exe.400000.1.unpackAvira: Label: TR/Crypt.XPACK.Gen7
                  Source: 0.3.OojqjHGE0W.exe.2580000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen7
                  Source: 0.3.OojqjHGE0W.exe.8b5230.2.unpackAvira: Label: TR/Patched.Ren.Gen
                  Source: 0.3.OojqjHGE0W.exe.2580000.1.unpackAvira: Label: TR/Crypt.XPACK.Gen7
                  Source: OojqjHGE0W.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: OojqjHGE0W.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: C:\Wotagebe poqu viquowe\Hosayem\Cajap\Viseti.pdb source: OojqjHGE0W.exe
                  Source: Binary string: C:\Wotagebe poqu viquowe\Hosayem\Cajap\Viseti.pdbP; source: OojqjHGE0W.exe, 00000000.00000000.267737292.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, OojqjHGE0W.exe, 00000000.00000002.478000343.0000000000B21000.00000020.00000001.01000000.00000003.sdmp
                  Source: Binary string: C:\Wotagebe poqu viquowe\Hosayem\Cajap\Viseti.pdbP;Q source: OojqjHGE0W.exe

                  Networking

                  barindex
                  Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49702 -> 52.169.118.173:80
                  Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49702 -> 52.169.118.173:80
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.com
                  Source: global trafficHTTP traffic detected: GET /de-ch/ HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.comCookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgyMDA5NjkwMDQ5NzI5NzksIlZlcnNpb24iOjF90; marketPref=de-ch
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="http://www.bing.com" /><link rel="preconnect" href="//browser.events.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="http://www.bing.com" /><link rel="dns-prefetch" href="//browser.events.data.msn.com" /><link rel="canonical" href="http://www.msn.com/de-ch/" /> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 79em)",size3column:"(min-width: 58.875em) and (max-width: 78.99em)",size2column:"(min-width: 43.75em) and (max-width: 58.865em)",size2rowsize4column:"(min-width: 79em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 58.875em) and (max-width: 78.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 58.865em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 79em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 58.875em) and (max-width: 78.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 58.865em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="http://www.msn.com/de-ch"/><meta property="og:url" content="http://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="http://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick{di
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ogp.me/ns#
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ogp.me/ns/fb#
                  Source: OojqjHGE0W.exeString found in binary or memory: http://s.symcb.com/universal-root.crl0
                  Source: OojqjHGE0W.exeString found in binary or memory: http://s.symcd.com06
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/d7cb56b9-/direction=ltr.l
                  Source: InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/d7cb56b9-/direction=ltr.lo
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAXt9ve.img?h=368&amp;w
                  Source: OojqjHGE0W.exeString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                  Source: OojqjHGE0W.exeString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
                  Source: OojqjHGE0W.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.msn.com/de-ch
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.msn.com/de-ch/
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://browser.events.data.msn.com/OneCollector/1.0/t.js?qsp=true&amp;anoncknm=%22%22&amp;name=%22M
                  Source: InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.hoergeraete.hoeren-heute.ch/horizon_reveal/?act=ACT0000040013ACT&amp;utm_source=mcrs&amp
                  Source: OojqjHGE0W.exeString found in binary or memory: https://d.symcb.com/cps0%
                  Source: OojqjHGE0W.exeString found in binary or memory: https://d.symcb.com/rpa0
                  Source: OojqjHGE0W.exeString found in binary or memory: https://d.symcb.com/rpa0.
                  Source: InstallUtil.exe, 0000000A.00000003.504942023.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535140555.00000000020C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                  Source: InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://i.geistm.com/l/HFCH_DTS_LP?bcid=61c4707a19d27603f32a58b8&amp;bhid=62470ee6adad76040858398f&a
                  Source: InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://i.geistm.com/l/HFCH_DTS_LP?bcid=61c4707a19d27603f32a58ba&amp;bhid=6203eb0e7db0ad17f44b22d8&a
                  Source: InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1652964100&amp;rver=7.0.6730.0&am
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/logout.srf?ct=1652964101&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1652964100&amp;rver=7.0.6730.0&amp;w
                  Source: InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&amp;market=de-ch&quot;
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.com/
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/news/other/autofahrer-38-rast-mit-94-km-h-durch-30er-zone/ar-AAXsnwd?ocid=
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/news/other/fremdes-b%c3%bcsi-gef%c3%bcttert-frau-soll-1250-franken-strafe-
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/news/other/olivia-und-noah-sind-die-beliebtesten-baby-vornamen-in-z%c3%bcr
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.53529024