Windows Analysis Report SEMqjw.exe

Overview

General Information

Sample Name:	SEMqjw.exe
Analysis ID:	511809
MD5:	1eeced28416a157bb6c1915c75f01bd3
SHA1:	eb423477cacd23647bc3a5af5f7b86e64e41826a
SHA256:	b5070e72b3a0b2f30e8333b2bb37e3db553bba74d24869a302cf65d1af4c568f
Infos:
Most interesting Screenshot:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Detected potential unwanted application

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

PE file contains strange resources

Allocates memory with a write watch (potentially for evading sandboxes)

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Queries the installation date of Windows

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

IP address seen in connection with other malware

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: SEMqjw.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SEMqjw.exe	Metadefender: Detection: 28%			Perma Link
Source: SEMqjw.exe	ReversingLabs: Detection: 82%

Machine Learning detection for sample

Source: SEMqjw.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: SEMqjw.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: SEMqjw.exe

Static PE information: certificate valid

Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.6:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.6:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.6:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.215.230:443 -> 192.168.2.6:49814 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.6:49826 version: TLS 1.2

Networking:

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /cookieconsentpub/v1/geo/location HTTP/1.1Accept: /Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: geolocation.onetrust.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1Accept: /Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: btloader.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /px.gif?ch=1&e=0.6358356914721921 HTTP/1.1Accept: /Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ad-delivery.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1Accept: /Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ad.doubleclick.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /lo/api/res/1.2/z3nJ.i0wJLUKE.PUO3hx1w--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1pbmk7cT0xMDA-/https://s.yimg.com/av/ads/1634277746662-1414.jpg HTTP/1.1Accept: /Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.yimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1Accept: /Referer: https://www.msn.com/de-ch/?ocid=iehp&AR=1Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: btloader.comIf-None-Match: "643eb1aad6ba3932ca744b96ffc00048"Connection: Keep-Alive

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 172.67.69.19 172.67.69.19
Source: Joe Sandbox View	IP Address: 87.248.118.22 87.248.118.22
Source: Joe Sandbox View	IP Address: 87.248.118.22 87.248.118.22

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443

Source: de-ch[1].htm.1.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp	String found in binary or memory: 0http://www.hotmail.msn.com/pii/ReadOutlookEmail/ equals www.hotmail.com (Hotmail)
Source: de-ch[1].htm.1.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.1.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: SEMqjw.exe, 00000001.00000003.327239535.0000000000821000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com equals www.youtube.com (Youtube)
Source: SEMqjw.exe, 00000001.00000003.327239535.0000000000821000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com6 equals www.youtube.com (Youtube)
Source: SEMqjw.exe, 00000001.00000003.327239535.0000000000821000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com< equals www.youtube.com (Youtube)
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/msncht! equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: SEMqjw.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SEMqjw.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: SEMqjw.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: SEMqjw.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SEMqjw.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SEMqjw.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SEMqjw.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SEMqjw.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SEMqjw.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SEMqjw.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SEMqjw.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SEMqjw.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SEMqjw.exe, 00000001.00000003.327239535.0000000000821000.00000004.00000001.sdmp	String found in binary or memory: http://docs.google.com/
Source: SEMqjw.exe, 00000001.00000003.327239535.0000000000821000.00000004.00000001.sdmp	String found in binary or memory: http://drive.google.com/
Source: SEMqjw.exe, 00000001.00000003.327239535.0000000000821000.00000004.00000001.sdmp	String found in binary or memory: http://drive.google.com/C
Source: SEMqjw.exe, 00000001.00000003.334347179.0000000006F17000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: SEMqjw.exe, 00000001.00000003.339458621.0000000006EFC000.00000004.00000001.sdmp	String found in binary or memory: http://en.wikip
Source: SEMqjw.exe, 00000001.00000003.353670236.000000000775B000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.353638048.0000000007748000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.354457963.0000000007761000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: http://hblg.media.net/nerrping.php
Source: SEMqjw.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: SEMqjw.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: SEMqjw.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: SEMqjw.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: de-ch[1].htm.1.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.1.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: SEMqjw.exe, 00000001.00000003.343779327.0000000006F47000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: SEMqjw.exe, 00000001.00000003.343779327.0000000006F47000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html_oFJ
Source: SEMqjw.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: SEMqjw.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SEMqjw.exe, 00000001.00000003.347589300.0000000006F15000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SEMqjw.exe, 00000001.00000003.344693671.0000000006F06000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com$
Source: SEMqjw.exe, 00000001.00000003.344693671.0000000006F06000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com6
Source: SEMqjw.exe, 00000001.00000003.347589300.0000000006F15000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: SEMqjw.exe, 00000001.00000003.344693671.0000000006F06000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: SEMqjw.exe, 00000001.00000003.347589300.0000000006F15000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comico
Source: SEMqjw.exe, 00000001.00000003.347589300.0000000006F15000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comma6
Source: SEMqjw.exe, 00000001.00000003.344693671.0000000006F06000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comsief
Source: SEMqjw.exe, 00000001.00000003.344693671.0000000006F06000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com~
Source: SEMqjw.exe, 00000001.00000003.340872419.0000000006F17000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: SEMqjw.exe, 00000001.00000003.340872419.0000000006F17000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnd
Source: SEMqjw.exe, 00000001.00000003.345082684.0000000006F47000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SEMqjw.exe, 00000001.00000003.339687984.0000000006F0F000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.krc6
Source: SEMqjw.exe, 00000001.00000003.339687984.0000000006F0F000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.krnyTF
Source: SEMqjw.exe, 00000001.00000003.339687984.0000000006F0F000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.krv
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp, 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: SEMqjw.exe, 00000001.00000003.343693589.0000000006F07000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SEMqjw.exe, 00000001.00000003.343693589.0000000006F07000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/6
Source: SEMqjw.exe, 00000001.00000003.343500561.0000000006F06000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0C
Source: SEMqjw.exe, 00000001.00000003.343693589.0000000006F07000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/g
Source: SEMqjw.exe, 00000001.00000003.343693589.0000000006F07000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SEMqjw.exe, 00000001.00000003.343693589.0000000006F07000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/$
Source: SEMqjw.exe, 00000001.00000003.343693589.0000000006F07000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/~
Source: SEMqjw.exe, 00000001.00000003.334591376.0000000006F17000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.334822512.0000000006F17000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SEMqjw.exe, 00000001.00000003.334752884.0000000006F17000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comBibl
Source: SEMqjw.exe, 00000001.00000003.334623914.0000000006F17000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comc
Source: SEMqjw.exe, 00000001.00000003.334591376.0000000006F17000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comftw~
Source: SEMqjw.exe, 00000001.00000003.334752884.0000000006F17000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comout
Source: SEMqjw.exe, 00000001.00000003.334752884.0000000006F17000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comta
Source: SEMqjw.exe, 00000001.00000003.334875536.0000000006F17000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comut
Source: SEMqjw.exe, 00000001.00000003.338765915.0000000006F08000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.nete
Source: SEMqjw.exe, 00000001.00000003.327239535.0000000000821000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com
Source: SEMqjw.exe, 00000001.00000003.327239535.0000000000821000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com6
Source: SEMqjw.exe, 00000001.00000003.327283982.0000000000854000.00000004.00000001.sdmp	String found in binary or memory: https://accounts.google.com
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp	String found in binary or memory: https://aka.ms/qeqf5y
Source: auction[1].htm.1.dr	String found in binary or memory: https://ams1-ib.adnxs.com/click?9kVCW86l0j8oKWRyYFXQPwAAACCF6xdAKClkcmBV0D_2RUJbzqXSP33X_J72WVxKPFvI
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: SEMqjw.exe, 00000001.00000003.327211763.0000000000842000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.327274295.000000000084C000.00000004.00000001.sdmp	String found in binary or memory: https://apis.google.com
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: auction[1].htm.1.dr	String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&es=7NOaYicGIS9mzf9WZ6UmQWmD_b1o38yjROgwgw_SraaThAdB
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://c21lg-a.media.net
Source: SEMqjw.exe, 00000001.00000003.412456929.00000000104F6000.00000004.00000001.sdmp	String found in binary or memory: https://c21lg-a.media.netBidswitch_Video_DV360
Source: SEMqjw.exe, 00000001.00000003.403597481.0000000011332000.00000004.00000001.sdmp	String found in binary or memory: https://c21lg-a.media.netbidNonStreamUrlWestOriginAPPLY_GOOGLE_RESTRICTIONhttps://contextual.media.n
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://c21lg-d.media.net/log?logid=kfk&evtid=cs&origin=1
Source: SEMqjw.exe, 00000001.00000003.403948838.0000000011319000.00000004.00000001.sdmp	String found in binary or memory: https://c21lg-d.media.net/log?logid=kfk&evtid=cs&origin=1https://lg3.media.net/flping.php?pid=8POU9I
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://cdn-gase1-xch.media.net/AdExchange/rtbsspub
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://cdn-geuw1-xch.media.net/AdExchange/rtbsspub
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://cdn-guse1-xch.media.net/AdExchange/rtbsspub
Source: SEMqjw.exe, 00000001.00000003.404315489.00000000112C2000.00000004.00000001.sdmp	String found in binary or memory: https://cdn-guse1-xch.media.net/AdExchange/rtbsspubhttps://cdneast2-xch.media.net/AdExchange/rtbsspu
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.1.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.1.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.1.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: auction[1].htm.1.dr	String found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html"
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://cdneast2-xch.media.net/AdExchange/rtbsspub
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://cdnwest-xch.media.net/AdExchange/rtbsspub
Source: SEMqjw.exe, 00000001.00000003.327165050.0000000000817000.00000004.00000001.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp, 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: SEMqjw.exe, 00000001.00000003.327165050.0000000000817000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24268818
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&a=3064090&g=24886692
Source: SEMqjw.exe, 00000001.00000003.327283982.0000000000854000.00000004.00000001.sdmp	String found in binary or memory: https://content.googleapis.com
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net
Source: SEMqjw.exe, 00000001.00000003.396254465.000000000774F000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net&https=1&act=headerBid&prvReqId=237211076658808661635553328200&erTr=0&hl
Source: SEMqjw.exe, 00000001.00000003.381926841.000000000BC38000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.367112705.000000000BDA7000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.379865648.000000000BC38000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?
Source: SEMqjw.exe, 00000001.00000003.396254465.000000000774F000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: SEMqjw.exe, 00000001.00000003.403827548.0000000011324000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?https://gusw2-xch.media.net/AdExchange/rtbsspubhttps://we
Source: SEMqjw.exe, 00000001.00000003.367112705.000000000BDA7000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/dtp.js?
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: SEMqjw.exe, 00000001.00000003.434427130.000000000FFE2000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://c
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/rtbsmpubs.php(
Source: SEMqjw.exe, 00000001.00000003.396254465.000000000774F000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/rtbsmpubs.php?&gdpr=0&gdprconsent=1&usp_enf=1&usp_status=0&cid=8HBI57XI
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/ssapi/bids
Source: SEMqjw.exe, 00000001.00000003.379878489.000000000BC3C000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.381937585.000000000BC3C000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/ssapi/bidsBrightroll
Source: SEMqjw.exe, 00000001.00000003.401275370.0000000011349000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/ssapi/bidsENABLE_COOKIESYNC_FOR_SIGNATORIEShttps://lg3.media.net/rtblog
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/sse/bids(&
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/tc.js
Source: SEMqjw.exe, 00000001.00000003.401275370.0000000011349000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/tc.js_sCck_oxbGrp76st_orefpartnerdefault_l1HcSdlogUrls89LB79S0awlog203L
Source: SEMqjw.exe, 00000001.00000003.360310420.0000000010604000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.netlogid=kfk&evtid=agptslogFORCED_HIDE_BLOCKbidStreamUrlGcpEulogid=kfk&evti
Source: SEMqjw.exe, 00000001.00000003.399345658.0000000010604000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.netlogid=kfk&evtid=agptslogt.mnjs.stu.checkItemExistst.mnjs.stu.isObjectEmp
Source: auction[1].htm.1.dr	String found in binary or memory: https://dcdn.adnxs.com/shftr/https%253A%252F%252Fcrcdn01.adnxs-simple.com%252Fcreative%252Fp%252F116
Source: SEMqjw.exe, 00000001.00000003.327239535.0000000000821000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/
Source: SEMqjw.exe, 00000001.00000003.327239535.0000000000821000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/U
Source: SEMqjw.exe, 00000001.00000003.327239535.0000000000821000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/
Source: SEMqjw.exe, 00000001.00000003.327239535.0000000000821000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/?usp=chrome_app
Source: SEMqjw.exe, 00000001.00000003.327239535.0000000000821000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/drive/settings
Source: SEMqjw.exe, 00000001.00000003.327239535.0000000000821000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/x
Source: SEMqjw.exe, 00000001.00000003.381926841.000000000BC38000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://east2-xch.media.net/AdExchange/rtbsapub
Source: SEMqjw.exe, 00000001.00000003.381926841.000000000BC38000.00000004.00000001.sdmp	String found in binary or memory: https://east2-xch.media.net/AdExchange/rtbsspubhttps://west-xch.media.net/AdExchange/rtbsapub
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://east2-xch.media.net/AdExchange/rtbsspubty
Source: SEMqjw.exe, 00000001.00000003.327283982.0000000000854000.00000004.00000001.sdmp	String found in binary or memory: https://feedback.googleusercontent.com
Source: SEMqjw.exe, 00000001.00000003.327211763.0000000000842000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.327274295.000000000084C000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.googleapis.com;
Source: SEMqjw.exe, 00000001.00000003.327283982.0000000000854000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: SEMqjw.exe, 00000001.00000003.381789825.000000000C1C1000.00000004.00000001.sdmp, 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.1.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://gusw1-xch.media.net/AdExchange/rtbsspubD
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://gusw2-xch.media.net/AdExchange/rtbsspub
Source: SEMqjw.exe, 00000001.00000003.327211763.0000000000842000.00000004.00000001.sdmp	String found in binary or memory: https://hangouts.google.com/
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://hblg.media.net
Source: SEMqjw.exe, 00000001.00000003.353670236.000000000775B000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.353638048.0000000007748000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.354457963.0000000007761000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://hblg.media.net/nerrping.php
Source: SEMqjw.exe, 00000001.00000003.404430564.00000000112B5000.00000004.00000001.sdmp	String found in binary or memory: https://hblg.media.netlogid=kfk&evtid=avlogbidStreamUrlGcpEastplacement_type_idbidStreamUrlEastybnca
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://hbxlp.media.net
Source: SEMqjw.exe, 00000001.00000003.401275370.0000000011349000.00000004.00000001.sdmp	String found in binary or memory: https://hbxlp.media.netbidStreamUrlEastOrigininmemorybidstorageCLOSE_AD_PREFERENCEprefetchproviderse
Source: SEMqjw.exe, 00000001.00000003.399345658.0000000010604000.00000004.00000001.sdmp	String found in binary or memory: https://hbxlp.media.netbidStreamUrlEastOriginprovider-detailssspScriptResponseParsernativebidder-ada
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp	String found in binary or memory: https://hotmailproxy.betaplace.com/pm/v1.0/getheaders.aspx
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp	String found in binary or memory: https://hotmailproxy.msn.com/pm/v1.0/getheaders.aspx
Source: auction[1].htm.1.dr	String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&es=hBs99_IGIS8vLzqLytxDuhL3v83fV1o2.leaGr72sUYM
Source: SEMqjw.exe, 00000001.00000003.413034395.00000000104AE000.00000004.00000001.sdmp	String found in binary or memory: https://iurl-a.akamaihd.net/ybntag?medianet_bdata
Source: SEMqjw.exe, 00000001.00000003.367112705.000000000BDA7000.00000004.00000001.sdmp	String found in binary or memory: https://iurl-a.akamaihd.net/ybntag?t.split
Source: SEMqjw.exe, 00000001.00000003.396240041.0000000007748000.00000004.00000001.sdmp, rtbsmpubs[1].js0.1.dr	String found in binary or memory: https://iurl.media.net/dfp/ybntag?&cid=8CU157172&crid=722878611&size=300x250&requrl=$
Source: rtbsmpubs[1].js.1.dr	String found in binary or memory: https://iurl.media.net/dfp/ybntag?&cid=8CU157172&crid=858412214&size=300x250&requrl=$
Source: SEMqjw.exe, 00000001.00000003.354395219.0000000007750000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.353700776.000000000F0D9000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.380010260.00000000077FF000.00000004.00000001.sdmp	String found in binary or memory: https://lg3-a.akamaihd.net/nerrping.php
Source: SEMqjw.exe, 00000001.00000003.367112705.000000000BDA7000.00000004.00000001.sdmp	String found in binary or memory: https://lg3.media.net
Source: SEMqjw.exe, 00000001.00000003.367112705.000000000BDA7000.00000004.00000001.sdmp	String found in binary or memory: https://lg3.media.net/bping.php?
Source: SEMqjw.exe, 00000001.00000003.367112705.000000000BDA7000.00000004.00000001.sdmp	String found in binary or memory: https://lg3.media.net/bqi.php
Source: SEMqjw.exe, 00000001.00000003.403597481.0000000011332000.00000004.00000001.sdmp	String found in binary or memory: https://lg3.media.net/bqi.phpTCF_NO_LEGITIMATE_INTERESTlogheterogeneousdispatcher
Source: SEMqjw.exe, 00000001.00000003.412456929.00000000104F6000.00000004.00000001.sdmp	String found in binary or memory: https://lg3.media.net/bqi.phppC3JHgSCqY8UHihgrvGr0A==INTERSCROLLER_NON_MOBILE_UGDAPPLY_GOOGLE_RESTRI
Source: SEMqjw.exe, 00000001.00000003.367112705.000000000BDA7000.00000004.00000001.sdmp	String found in binary or memory: https://lg3.media.net/flping.php?pid=8POU9IV3U&prid=8PRVV7640
Source: SEMqjw.exe, 00000001.00000003.367112705.000000000BDA7000.00000004.00000001.sdmp	String found in binary or memory: https://lg3.media.net/log?logid=kfk&evtid=popup
Source: SEMqjw.exe, 00000001.00000003.367112705.000000000BDA7000.00000004.00000001.sdmp	String found in binary or memory: https://lg3.media.net/nerrping.php
Source: SEMqjw.exe, 00000001.00000003.379878489.000000000BC3C000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.381937585.000000000BC3C000.00000004.00000001.sdmp	String found in binary or memory: https://lg3.media.net/nerrping.phphttps://contextual.media.net/dtp.js?
Source: SEMqjw.exe, 00000001.00000003.367112705.000000000BDA7000.00000004.00000001.sdmp	String found in binary or memory: https://lg3.media.net/rtblog.php
Source: SEMqjw.exe, 00000001.00000003.409760948.0000000010656000.00000004.00000001.sdmp	String found in binary or memory: https://lg3.media.netP#h
Source: SEMqjw.exe, 00000001.00000003.401275370.0000000011349000.00000004.00000001.sdmp	String found in binary or memory: https://lg3.media.netSTOP_SENDING_PIIbidStreamUrlGcpApaclogid=kfk&evtid=alsspServerScriptUrllogid=kf
Source: SEMqjw.exe, 00000001.00000003.360310420.0000000010604000.00000004.00000001.sdmp	String found in binary or memory: https://lg3.media.netlogid=kfk&evtid=adxplacement_type_idresponseParserUtildefaultBidderSetting
Source: SEMqjw.exe, 00000001.00000003.399345658.0000000010604000.00000004.00000001.sdmp	String found in binary or memory: https://lg3.media.netlogid=kfk&evtid=adxplacement_type_idresponseParserUtildefaultBidderSetting000Xx
Source: de-ch[1].htm0.1.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1635521020&rver
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1635520899&rver=7.0.6730.0&am
Source: de-ch[1].htm0.1.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1635521020&rver=7.0.6730.0&am
Source: SEMqjw.exe, 00000001.00000003.387115854.000000000BBF1000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1635520899&rver=7.0.6730.0&wp=LBI&wreply=
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1635520900&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm0.1.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1635521021&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1635520899&rver=7.0.6730.0&w
Source: de-ch[1].htm0.1.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1635521020&rver=7.0.6730.0&w
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp, 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: SEMqjw.exe, 00000001.00000003.327211763.0000000000842000.00000004.00000001.sdmp	String found in binary or memory: https://mail.google.com/mail
Source: SEMqjw.exe, 00000001.00000003.327211763.0000000000842000.00000004.00000001.sdmp	String found in binary or memory: https://mail.google.com/mail/#settings
Source: de-ch[1].htm0.1.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: SEMqjw.exe, 00000001.00000003.367112705.000000000BDA7000.00000004.00000001.sdmp	String found in binary or memory: https://navvy.media.net
Source: SEMqjw.exe, 00000001.00000003.360577666.00000000105C4000.00000004.00000001.sdmp	String found in binary or memory: https://navvy.media.netsspServerStreamUrlHIDE_MOBILE_OVERLAYlogid=kfk&evtid=wopscommon-rendering-hel
Source: 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp, 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: SEMqjw.exe, 00000001.00000003.380876915.000000000C087000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp, 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp, 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: SEMqjw.exe, 00000001.00000003.380876915.000000000C087000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp, 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp, 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp, 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://outlook.com/
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp, 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.live.com/mail/
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp, 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: auction[1].htm.1.dr	String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp	String found in binary or memory: https://redirect.viglink.com/?key=29045bc04c786d46d362906f803b13a2&u=https://ebay.com$i
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp	String found in binary or memory: https://redirect.viglink.com?key=29045bc04c786d46d362906f803b13a2&u=https://amazon.com
Source: SEMqjw.exe, 00000001.00000003.367112705.000000000BDA7000.00000004.00000001.sdmp	String found in binary or memory: https://s.mnet-ad.net
Source: SEMqjw.exe, 00000001.00000003.401275370.0000000011349000.00000004.00000001.sdmp	String found in binary or memory: https://s.mnet-ad.netproviderInfoCollectionbidStreamUrlGcpWest21635520908118561226testbidder-adapter
Source: auction[1].htm.1.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/z3nJ.i0wJLUKE.PUO3hx1w--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: auction[1].htm.1.dr	String found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=d9125748a25347aeaba6c1d7a3e5ee7a&r=infopane&i=3&
Source: de-ch[1].htm0.1.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAPYODK.img?h=368&
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp, 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://twitter.com/
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp, 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: SEMqjw.exe, 00000001.00000003.387115854.000000000BBF1000.00000004.00000001.sdmp	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.1.dr, de-ch[1].htm0.1.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://west-xch.media.net/AdExchange/rtbsapub
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://west-xch.media.net/AdExchange/rtbsspub
Source: iab2Data[2].json.1.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp	String found in binary or memory: https://www.booking.com/index.nl.html?aid=1274296&Selected_currency=USD;lang=en;label=MSN-US-logo
Source: SEMqjw.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.ebay.ch/?mkcid=1&mkrid=5222-53480-19255-0&siteid=193&campid=5338626668&t
Source: SEMqjw.exe, 00000001.00000003.327283982.0000000000854000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: SEMqjw.exe, 00000001.00000003.327211763.0000000000842000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/
Source: SEMqjw.exe, 00000001.00000003.327211763.0000000000842000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/GryJ&
Source: SEMqjw.exe, 00000001.00000003.327283982.0000000000854000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com;
Source: SEMqjw.exe, 00000001.00000003.327211763.0000000000842000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: SEMqjw.exe, 00000001.00000003.327211763.0000000000842000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: SEMqjw.exe, 00000001.00000003.327211763.0000000000842000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/hangouts_
Source: SEMqjw.exe, 00000001.00000003.327211763.0000000000842000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: SEMqjw.exe, 00000001.00000003.327211763.0000000000842000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/meetings1
Source: SEMqjw.exe, 00000001.00000003.327211763.0000000000842000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: SEMqjw.exe, 00000001.00000003.327211763.0000000000842000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierraShkJ
Source: SEMqjw.exe, 00000001.00000003.327283982.0000000000854000.00000004.00000001.sdmp	String found in binary or memory: https://www.gstatic.com;
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: SEMqjw.exe, 00000001.00000003.381124808.000000000C1AB000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm0.1.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&ar=1&item=deferred_page%3a1&ignorejs=webcore%2fmodu
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: SEMqjw.exe, 00000001.00000003.468808339.0000000010075000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehphttps://www.msn.com/de-ch/?ocid=iehp
Source: SEMqjw.exe, 00000001.00000003.470599756.0000000010075000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehphttps://www.msn.com/de-ch/?ocid=iehp)
Source: SEMqjw.exe, 00000001.00000003.470599756.0000000010075000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.469438948.0000000010075000.00000004.00000001.sdmp, SEMqjw.exe, 00000001.00000003.469867513.0000000010075000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehphttps://www.msn.com/de-ch/?ocid=iehphttps://www.msn.com/de-ch/?o
Source: de-ch[1].htm0.1.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm0.1.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: SEMqjw.exe, 00000001.00000003.469372887.000000001007E000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/https://www.msn.com/de-ch/https://www.msn.com/de-ch/
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/christoph-fischbach-r%c3%bcckt-in-den-kantonsrat-nach/ar-AAQ5vJ
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/der-fall-brian-und-die-grenzen-des-schweizer-strafvollzugs/ar-A
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/die-stadt-will-mehr-polizistinnen-und-polizisten/ar-AAQ5uyR?oci
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/erste-booster-impfungen-im-kanton-z%c3%bcrich-ab-anfang-novembe
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/harte-pornografie-verschickt-mann-muss-schweiz-verlassen/ar-AAQ
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/nur-noch-einzelzimmer-in-den-beiden-unispital-neubauten/ar-AAQ3
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/sie-will-den-z%c3%bcrcherinnen-und-z%c3%bcrchern-den-besten-hum
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/sprayaktion-am-ber%c3%bchmtesten-kamin-z%c3%bcrichs/ar-AAQ2iU4?
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/staatsanw%c3%a4ltin-will-eine-verwahrung-mordfall-boppelsen-kom
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrcher-bordellbetreiber-freigesprochen/ar-AAQ0WVF?ocid=hp
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
Source: 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp, 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.skype.com/
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp, 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://www.skype.com/de
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp, 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: SEMqjw.exe, 00000001.00000003.348026562.000000000BCDF000.00000004.00000001.sdmp, 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[2].json.1.dr	String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[2].json.1.dr	String found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
Source: 52-478955-68ddb2ab[1].js0.1.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.tippsundtricks.co/gesundheit/finger-persoenlichkeit/?utm_campaign=DECH-Finger&utm_so
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.tippsundtricks.co/lifehacks/dosenoeffner-falsch-benutzt/?utm_campaign=DECH-canopen&u
Source: de-ch[1].htm.1.dr	String found in binary or memory: https://www.tippsundtricks.co/sonstiges/rollstuhl-treppe-knopf/?utm_campaign=DECH-wheelchair&utm
Source: auction[1].htm.1.dr	String found in binary or memory: https://www.xandr.com/privacy/platform-privacy-policy
Source: SEMqjw.exe, 00000001.00000003.381926841.000000000BC38000.00000004.00000001.sdmp	String found in binary or memory: https://xch.media.net/AdExchange/rtbsapubs
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://xch.media.net/AdExchange/rtbsapubs8
Source: SEMqjw.exe, 00000001.00000003.367282886.000000000BD7D000.00000004.00000001.sdmp	String found in binary or memory: https://xch.media.net/AdExchange/rtbsspub
Source: SEMqjw.exe, 00000001.00000003.361191426.0000000010515000.00000004.00000001.sdmp	String found in binary or memory: https://xch.media.net/AdExchange/rtbsspubhttps://gusw1-xch.media.net/AdExchange/rtbsspub

Source: unknown

DNS traffic detected: queries for: w.nanweng.cn

Source: global traffic	HTTP traffic detected: GET /cookieconsentpub/v1/geo/location HTTP/1.1Accept: /Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: geolocation.onetrust.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1Accept: /Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: btloader.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /px.gif?ch=1&e=0.6358356914721921 HTTP/1.1Accept: /Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ad-delivery.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1Accept: /Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ad.doubleclick.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /lo/api/res/1.2/z3nJ.i0wJLUKE.PUO3hx1w--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1pbmk7cT0xMDA-/https://s.yimg.com/av/ads/1634277746662-1414.jpg HTTP/1.1Accept: /Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.yimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1Accept: /Referer: https://www.msn.com/de-ch/?ocid=iehp&AR=1Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: btloader.comIf-None-Match: "643eb1aad6ba3932ca744b96ffc00048"Connection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.6:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.6:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.6:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.215.230:443 -> 192.168.2.6:49814 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.6:49826 version: TLS 1.2

System Summary:

Detected potential unwanted application

Source: SEMqjw.exe

PE Siganture Subject Chain: CN="Anhui Shabake Network Technology Co., Ltd.", OU=è¿è¥, O="Anhui Shabake Network Technology Co., Ltd.", L=Ma'anshan, S=Anhui, C=CN, SERIALNUMBER=91320804MA1MKN9Q0G, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=Ma'anshan, OID.1.3.6.1.4.1.311.60.2.1.2=Anhui, OID.1.3.6.1.4.1.311.60.2.1.3=CN

Uses 32bit PE files

Source: SEMqjw.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Sample file is different than original file name gathered from version info

Source: SEMqjw.exe, 00000001.00000000.326352820.00000000005A2000.00000008.00020000.sdmp	Binary or memory string: OriginalFilenameSEMzf vs SEMqjw.exe
Source: SEMqjw.exe	Binary or memory string: OriginalFilenameSEMzf vs SEMqjw.exe

PE file contains strange resources

Source: SEMqjw.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SEMqjw.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Users\user\Desktop\SEMqjw.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Section loaded: uianimation.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Section loaded: windowscodecsext.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Section loaded: icm32.dll	Jump to behavior

Source: SEMqjw.exe

Static PE information: Section: UPX1 ZLIB complexity 0.990924092409

Source: SEMqjw.exe	Metadefender: Detection: 28%
Source: SEMqjw.exe	ReversingLabs: Detection: 82%

Source: C:\Users\user\Desktop\SEMqjw.exe

File read: C:\Users\user\Desktop\SEMqjw.exe

Source: C:\Users\user\Desktop\SEMqjw.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\SEMqjw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SEMqjw.exe	Memory allocated: 4640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Memory allocated: 7050000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Memory allocated: 71D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Memory allocated: 7970000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Memory allocated: 7AF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Memory allocated: 7B10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Memory allocated: 7B50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Memory allocated: 7B90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SEMqjw.exe	Memory allocated: 7BD0000 memory reserve \| memory write watch	Jump to behavior

Source: SEMqjw.exe, 00000001.00000003.364941452.000000001031B000.00000004.00000001.sdmp	Binary or memory string: mnetActmnetTdmnetCIDmnet_hvmnet_dn,
Source: SEMqjw.exe, 00000001.00000003.456684897.0000000010020000.00000004.00000001.sdmp	Binary or memory string: hideAttributionDivhideAttributionDivmnet-ad-preferenceload::AD_PREFERENCE

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.69.19	ad-delivery.net	United States	13335	CLOUDFLARENETUS	false
87.248.118.22	edge.gycpi.b.yahoodns.net	United Kingdom	203220	YAHOO-DEBDE	false
216.58.215.230	dart.l.doubleclick.net	United States	15169	GOOGLEUS	false
104.26.7.139	btloader.com	United States	13335	CLOUDFLARENETUS	false
104.20.184.68	geolocation.onetrust.com	United States	13335	CLOUDFLARENETUS	false
47.102.38.15	w.nanweng.cn	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false

Name	IP	Active
contextual.media.net	23.211.6.95	true
dart.l.doubleclick.net	216.58.215.230	true
hblg.media.net	23.211.6.95	true
w.nanweng.cn	47.102.38.15	true
lg3.media.net	23.211.6.95	true
btloader.com	104.26.7.139	true
geolocation.onetrust.com	104.20.184.68	true
edge.gycpi.b.yahoodns.net	87.248.118.22	true
ad-delivery.net	172.67.69.19	true
www.msn.com	unknown	unknown
ad.doubleclick.net	unknown	unknown
srtb.msn.com	unknown	unknown
s.yimg.com	unknown	unknown
web.vortex.data.msn.com	unknown	unknown
clientconfig.passport.net	unknown	unknown
cvision.media.net	unknown	unknown
dcdn.adnxs.com	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
https://btloader.com/tag?o=6208086025961472&upapi=true	false	URL Reputation: safe	unknown
https://s.yimg.com/lo/api/res/1.2/z3nJ.i0wJLUKE.PUO3hx1w--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1pbmk7cT0xMDA-/https://s.yimg.com/av/ads/1634277746662-1414.jpg	false		high
https://ad.doubleclick.net/favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250	false		high

ID:	511809
Product:	CloudBasic
Start time:	17:20:46
Start date:	29.10.2021
Sample:	SEMqjw.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	1eeced28416a157bb6c1915c75f01bd3
SHA1:	eb423477cacd23647bc3a5af5f7b86e64e41826a
SHA256:	b5070e72b3a0b2f30e8333b2bb37e3db553bba74d24869a302cf65d1af4c568f
Filetype:	Win32 Executable (generic) a (10002005/4) 99.66%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\roundinfo.ini	ASCII text, with CRLF line terminators	47C232714DB9EDEA9A53A01359816577	99A521E5180B88AF894672FD496F6F19A7A5F6CD	69716C01458C78989C24783B67A70704759A07C85A3DF429706C71FC42AFC713
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\EQAWN5DV\contextual.media[1].xml	ASCII text, with no line terminators	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\EQAWN5DV\www.msn[1].xml	ASCII text, with no line terminators	0B7E6FCF20CECE3F5899DD79D4F69EFC	D67ACF94B60C68B33B3C290FE2CD22A9EFFB8AF0	1E16603AD04CAA549B719585BB3F213A77B3E0E058771A7896D38777798A7A80
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\52-478955-68ddb2ab[1].js	UTF-8 Unicode text, with very long lines, with no line terminators	60F0A61A7D41A83C882D8013072D46CC	8ECE4A278B5074FE9DDDC01798740D8C9E895E83	9F453B838BFF02D3B98E6F0BE4FEA285CE93D41D0829A18490A6F60974A2CAE5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\AAPYODK[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3	713ED3463C87A7CA6E3FD4511574D8F9	28E32E41D28360A6150BDE52863DA78F29C6ED59	EE01FF6DFDFCB4C6640BA7686893BE3A1FE4366ACE67D5BBFA1AF8F794229D6B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BB1aXBV1[1].png	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced	D858BE67BEA11BF5CEC1B2A6C1C1F395	6090B195BEF6AF1157654048EECEA81E2DCEC42A	FC7CF2E8592C8E63CFF72530DA560E3293EC2DE3732823DBAEB4464609EA0494
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BB1cEP3G[1].png	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced	24F1589A12D948B741C2E5A0C4F19C2A	DC9BB00C5D063F25216CDABB77F5F01EA9F88325	619910A3140A45391D7D3CB50EC4B48F0B0C8A76DC029576127648C4BD4B128C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BB1cG73h[1].png	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced	D1495662336B0F1575134D32AF5D670A	EF841C80BB68056D4EF872C3815B33F147CA31A8	8AD6ADB61B38AFF497F2EEB25D22DB30F25DE67D97A61DC6B050BB40A09ACD76
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BB1gPsLO[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3	8125B95E3CA1DA5EB73C026BBA80FF27	7A866909003E41E63BE5E99D982F16F3F3EABF01	A4E95EBA47223149AD3B055114DE432C9231002D766AC1AAD437B59D9CA7829A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BBih5H[1].png	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	F79F56222F8B1B951A00A306C8AFA5C4	9FE78220A6811338E68FE7A2D65DC3B7FB5302BD	2EF60D23400424838CD3B53021CFD903AA330168BDCC0A2AACFC7185832C00A9
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\a8a064[2].gif	GIF image data, version 89a, 28 x 28	3CC1C4952C8DC47B76BE62DC076CE3EB	65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979	10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	20F0110ED5E4E0D5384A496E4880139B	51F5FC61D8BF19100DF0F8AADAA57FCD9C086255	1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\checksync[1].htm	HTML document, ASCII text, with very long lines	5015CB2F36436FBD31DA601C411B75A3	556D4BFEA0AFDE9123575B8BF41BB9A96FFFB549	C2561AD28587CE88C5A351E2BEFF8811052FC38F05512D580DFA71BBE430B2B1
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\checksync[2].htm	HTML document, ASCII text, with very long lines	5015CB2F36436FBD31DA601C411B75A3	556D4BFEA0AFDE9123575B8BF41BB9A96FFFB549	C2561AD28587CE88C5A351E2BEFF8811052FC38F05512D580DFA71BBE430B2B1
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\e151e5[1].gif	GIF image data, version 89a, 1 x 1	F8614595FBA50D96389708A4135776E4	D456164972B508172CEE9D1CC06D1EA35CA15C21	7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D65EC06F21C379C87040B83CC1ABAC6B	208D0A0BB775661758394BE7E4AFB18357E46C8B	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\fcmain[1].js	HTML document, ASCII text, with very long lines, with no line terminators	394BE310FB9F5C45D10C1A4960C4B388	A0A159DEFE0FEB6AD8DEC3DD347BDA19946E4B1B	FD35DC37ED407C513C6D6EB4C6985CB8C3B577D2589A744A5DCCA878DC26F009
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\nrrV8478[1].js	ASCII text, with very long lines, with no line terminators	AFB146A2E4995375C3D1DC735A2209E6	BF75C7724ADB65ADA84E9E8D0CF6B71F92E67EB1	599B44D7016054B6EEC525539E2C20E18B14824CDD5A01970A99A375C123AAAF
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\tag[1].js	ASCII text, with very long lines	DDFF3756F9EFD3A46CF3325875D813A1	05D238659959B28B786CCE43E9E55A728E69428E	E80C669818773959643790269ED9448F71BD45D27D61FAFD73BC44C0F40BAACD
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\1634277746662-1414[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 150x150, segment length 16, baseline, precision 8, 622x368, frames 3	019C4E8E1E43845ADF8A3E821C73B996	B8F78A37EBA1B8C1F95691FBFCDAB19AA6FB65A4	AA980948110DC4A94945FA33A6D17BBD932FBBD225693E8FB3D1A93E355C2472
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\2d-0e97d4-185735b[1].css	UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators	761B3F378259A12BDCDB434564758254	E44E177CE1D4B1514A124200C8589129B215CF5D	71B92CE435FCA0EE9A4E5EA18E1EDFDFC2F819DF37FB592D70D7B6EC32D6BF09
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\627[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1200x627, frames 3	9057ED4B0D8BC1E3D6FD6DCB5CCB5D39	F43425475E4658E57AAB857BFCC1C1FC79F83B01	9CCCB6B7BD77517EB84D765E237DA38800E702C39EE54E547D42510718A4B53E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\BBPfCZL[2].png	GIF image data, version 89a, 50 x 50	59DAB7927838DE6A39856EED1495701B	A80734C857BFF8FF159C1879A041C6EA2329A1FA	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\BBX2afX[1].png	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced	4AAAEC9CA6F651BE6C54B005E92EA928	7296EC91AC01A8C127CD5B032A26BBC0B64E1451	90396DF05C94DD44E772B064FF77BC1E27B5025AB9C21CE748A717380D4620DD
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\checksync[3].htm	HTML document, ASCII text, with very long lines	5015CB2F36436FBD31DA601C411B75A3	556D4BFEA0AFDE9123575B8BF41BB9A96FFFB549	C2561AD28587CE88C5A351E2BEFF8811052FC38F05512D580DFA71BBE430B2B1
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\de-ch[1].json	UTF-8 Unicode text, with very long lines, with no line terminators	408DDD452219F77E388108945DE7D0FE	C34BAE1E2EBD5867CB735A5C9573E08C4787E8E7	197C124AD4B7DD42D6628B9BEFD54226CCDCD631ECFAEE6FB857195835F3B385
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\fcmain[1].js	HTML document, ASCII text, with very long lines, with no line terminators	488F43CB1509765E23D515358D471211	FACB27280FB3DB8EF3F4EE6D377FBE3B76D65C27	1B8D58BDD404D2D07B0FF809EBFA41B7579DFFDE98EBD9F6F3971C6413CD333E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\iab2Data[2].json	UTF-8 Unicode text, with very long lines, with no line terminators	D76FFE379391B1C7EE0773A842843B7E	772ED93B31A368AE8548D22E72DDE24BB6E3855C	D0EB78606C49FCD41E2032EC6CC6A985041587AAEE3AE15B6D3B693A924F08F2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	5565250FCC163AA3A79F0B746416CE69	B97CC66471FCDEE07D0EE36C7FB03F342C231F8F	51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\jquery-2.1.1.min[2].js	ASCII text, with very long lines, with CRLF line terminators	9A094379D98C6458D480AD5A51C4AA27	3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E	B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\navcancl[1]	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	4BCFE9F8DB04948CDDB5E31FE6A7F984	42464C70FC16F3F361C2419751ACD57D51613CDF	BEE0439FCF31DE76D6E2D7FD377A24A34AC8763D5BF4114DA5E1663009E24228
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\rtbsmpubs[1].js	HTML document, ASCII text, with very long lines, with no line terminators	12F612D2D2C99035322A15FA5A29D2BD	D018A4D54E5579EAA4429C95C673CF2524830B53	50886E6E456C6FF90ACBA7DB6A32DCC5F1E2AB0B3B15D1D87F4D63B58BBF2D58
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\17-361657-68ddb2ab[1].js	ASCII text, with very long lines, with no line terminators	7ADA9104CCDE3FDFB92233C8D389C582	4E5BA29703A7329EC3B63192DE30451272348E0D	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\2d-0e97d4-185735b[1].css	UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators	761B3F378259A12BDCDB434564758254	E44E177CE1D4B1514A124200C8589129B215CF5D	71B92CE435FCA0EE9A4E5EA18E1EDFDFC2F819DF37FB592D70D7B6EC32D6BF09
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\438b6cb0-a592-4ebb-a44e-fa3f43b1be41[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3	AE0540B7D08516A487C533F3EA298DD9	0374FCD7712DBD530AA6314C2E6EF6E52027EC20	11FAD098D49B6D6863FF3A49C2C94A7149B04D9224E6329C13E3346280C22709
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\55a804ab-e5c6-4b97-9319-86263d365d28[2].json	ASCII text, with very long lines, with no line terminators	8FCB3F61085635194CE5A73516DE39F9	4EF7BB8362EE512BD497C48C168085738EE010C3	CEC95B7811CBF927FD338529A08F6B1BBF12F5B78459D07D15DE92C60C12DD64
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\82a15848-8a9a-450a-b8af-e7cab8fe8d26[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3	2786EE3207DF42D9EA8B4F8C1C791CED	97C9DEE9F16C1CA6E624EF1E6B225019E8F46BA8	04DACDE5508118F5BE89889105055C676378299861EBB32D38D3E184579BF879
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	26F971D87CA00E23BD2D064524AEF838	7440BEFF2F4F8FABC9315608A13BF26CABAD27D9	1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\cfdbd9[1].png	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced	FE5E6684967766FF6A8AC57500502910	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\de-ch[1].htm	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators	857E753B9FAE83CA611E1E9D6C5C7ECA	CC4F21E1907E8DE41BB4AFC16786AC6C607CD3FE	F5EC427AA62CC4EDB1CB40828C36FE05DC127A9B319A58CEC0E0692499EC3341
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\favicon[1].ico	MS Windows icon resource - 2 icons, 16x16, 16 colors, 32x32, 16 colors	4123CE1E1732F202F60292941FF1487D	9F12B11BDE582DAE37CE8C160537D919C561C464	D961B08E4321250926DE6F79087594975FE20AD1518DE8F91EB711AF5D1A6EF8
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\medianet[1].htm	HTML document, ASCII text, with very long lines	DC6F86793187337E72A1A5A95A3C745C	FF62F04182811B244997EDDBDA428E70A54EFE8A	CFAC2D1EE8286D37ED2E2D90C6047F72E79AFCDC532DFF53257653287DF3B1E0
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\medianet[2].htm	HTML document, ASCII text, with very long lines	69BBD52FDE752171804301F8333BB623	9758E19959F404E55FBA5FBA3608D3BCF5636913	249EAB5B00BD0179793BAE09B67A45600655F12482595285C04F18B79A1050B0
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\otTCF-ie[1].js	UTF-8 Unicode text, with very long lines, with CRLF line terminators	52F29FAC6C1D2B0BAC8FE5D0AA2F7A15	D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED	E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\px[1].gif	GIF image data, version 89a, 1 x 1	AD4B0F606E0F8465BC4C4C170B37E1A3	50B30FD5F87C85FE5CBA2635CB83316CA71250D7	CF4724B2F736ED1A0AE6BC28F1EAD963D9CD2C1FD87B6EF32E7799FC1C5C8BDA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\17-361657-68ddb2ab[1].js	ASCII text, with very long lines, with no line terminators	7ADA9104CCDE3FDFB92233C8D389C582	4E5BA29703A7329EC3B63192DE30451272348E0D	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\4996b9[1].woff	Web Open Font Format, TrueType, length 45633, version 1.0	A92232F513DC07C229DDFA3DE4979FBA	EB6E465AE947709D5215269076F99766B53AE3D1	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\52-478955-68ddb2ab[1].js	UTF-8 Unicode text, with very long lines, with no line terminators	60F0A61A7D41A83C882D8013072D46CC	8ECE4A278B5074FE9DDDC01798740D8C9E895E83	9F453B838BFF02D3B98E6F0BE4FEA285CE93D41D0829A18490A6F60974A2CAE5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\ErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	F4FE1CB77E758E1BA56B8A8EC20417C5	F4EDA06901EDB98633A686B11D02F4925F827BF0	8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\auction[1].htm	HTML document, ASCII text, with very long lines, with CRLF line terminators	5907834310A3FC2E84473AED9591DA54	B4283C9EC31B3538E91D8B822ABEC54EEED5D885	A70BD90DF6C3CCE9A7DC49532AFD28474A070345E5CA8CC83FD1CD33C1742B84
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\checksync[2].htm	HTML document, ASCII text, with very long lines	628E31DADB7B4D48F4D4F66B8215312F	E9524559546544083EB850C66DC2617D3925B556	45BE9BF6468D90F25610BA835FE47DA70AEB31C6044023C69A7CED5924AB8F83
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\de-ch[1].htm	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators	6C8153A3E5AF2D7B87F81A54A9136529	4E2A8DBC0DD04B5E835E60A72F963D1E5549B033	FF70D431905FD2AC22DCA450B1BA0120E13648EB122F7BECD14C96B36CE514D2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	9234071287E637F85D721463C488704C	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\location[1].js	ASCII text, with no line terminators	C4F67A4EFC37372559CD375AA74454A3	2B7303240D7CBEF2B7B9F3D22D306CC04CBFBE56	C72856B40493B0C4A9FC25F80A10DFBF268B23B30A07D18AF4783017F54165DE
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\otBannerSdk[1].js	ASCII text, with very long lines, with CRLF line terminators	2E5F92E8C8983AA13AA99F443965BB7D	D80209C734F458ABA811737C49E0A1EAF75F9BCA	11D9CC951D602A168BD260809B0FA200D645409B6250BD8E8996882EBE3F5A9D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\otFlat[1].json	ASCII text, with very long lines, with CRLF line terminators	A7049025D23AEC458F406F190D31D68C	450BC57E9C44FB45AD7DC826EB523E85B9E05944	101077328E77440ADEE7E27FC9A0A78DEB3EA880426DFFFDA70237CE413388A5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\otPcCenter[1].json	ASCII text, with very long lines, with CRLF line terminators	8EC5B25A65A667DB4AC3872793B7ACD2	6B67117F21B0EF4B08FE81EF482B888396BBB805	F6744A2452B9B3C019786704163C9E6B3C04F3677A7251751AEFD4E6A556B988
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\otSDKStub[1].js	ASCII text, with very long lines, with CRLF line terminators	82566994A83436F3BDD00843109068A7	6D28B53651DA278FAE9CFBCEE1B93506A4BCD4A4	450CFBC8F3F760485FBF12B16C2E4E1E9617F5A22354337968DD661D11FFAD1D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\rtbsmpubs[1].js	HTML document, ASCII text, with very long lines, with no line terminators	EB8599508A5B05AD8D8E0CCE567F9B0D	BB3FC5F083F79D24E7B625D6B8A603BACAF06548	A09F0BCED145F86B484A5FDB7F95DA79C3AEE89D3F67EF7553BA544F78CED08C
C:\Users\user\AppData\Local\Temp\~DF15D6617A413C302B.TMP	Composite Document File V2 Document, Cannot read section info	679672A5004E0AF50529F33DB5469699	427A4EC3281C9C4FAEB47A22FFBE7CA3E928AFB0	205D000AA762F3A96AC3AD4B25D791B5F7FC8EFB9056B78F299F671A02B9FD21
C:\Users\user\AppData\Local\Temp\~DFCE2978FA1CCF84BD.TMP	Composite Document File V2 Document, Cannot read section info	679672A5004E0AF50529F33DB5469699	427A4EC3281C9C4FAEB47A22FFBE7CA3E928AFB0	205D000AA762F3A96AC3AD4B25D791B5F7FC8EFB9056B78F299F671A02B9FD21
C:\Users\user\AppData\Roaming\GlobalMgr.db	ASCII text, with CRLF line terminators	DE99847E0C87EF4021E1216C7C1F8218	FDAEFB41CFF17A3AB6C6263C96FCF401215B552F	5B286D103AEB37283D4CD668B477109B96976F12E063DE5B2FA7A2F4CCA88907

Windows Analysis Report SEMqjw.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs