Loading ...

Play interactive tourEdit tour

Analysis Report BullGuard.dll

Overview

General Information

Sample Name:BullGuard.dll
Analysis ID:350094
MD5:50f46953002d9cdfe7077fbde3202499
SHA1:90b8cd8c898e72e2323658f7427753f57f0312e9
SHA256:f7522ebb3f0746e829a7ff61d83b8d956bf6700697208589c0282af453fb7732
Tags:isfb

Most interesting Screenshot:

Detection

Ursnif
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Registers a DLL
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 5304 cmdline: loaddll32.exe 'C:\Users\user\Desktop\BullGuard.dll' MD5: 99D621E00EFC0B8F396F38D5555EB078)
    • regsvr32.exe (PID: 5424 cmdline: regsvr32.exe /s C:\Users\user\Desktop\BullGuard.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • cmd.exe (PID: 5372 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • iexplore.exe (PID: 4088 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
        • iexplore.exe (PID: 4064 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4088 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 6408 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4088 CREDAT:17426 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 6332 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4088 CREDAT:17430 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000003.292502307.0000000004B58000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000001.00000003.292533289.0000000004B58000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000001.00000003.292594538.0000000004B58000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000001.00000003.292436878.0000000004B58000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000001.00000003.292475476.0000000004B58000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 5 entries

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Antivirus / Scanner detection for submitted sampleShow sources
            Source: BullGuard.dllAvira: detected
            Multi AV Scanner detection for domain / URLShow sources
            Source: atomproc.comVirustotal: Detection: 6%Perma Link
            Machine Learning detection for sampleShow sources
            Source: BullGuard.dllJoe Sandbox ML: detected
            Source: 1.2.regsvr32.exe.10000000.3.unpackAvira: Label: TR/Crypt.XPACK.Gen8

            Compliance:

            barindex
            Uses 32bit PE filesShow sources
            Source: BullGuard.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Uses new MSVCR DllsShow sources
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
            Uses secure TLS version for HTTPS connectionsShow sources
            Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49733 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49734 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49746 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49748 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49745 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49749 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49747 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49750 version: TLS 1.2
            Source: Joe Sandbox ViewIP Address: 104.20.184.68 104.20.184.68
            Source: Joe Sandbox ViewIP Address: 151.101.1.44 151.101.1.44
            Source: Joe Sandbox ViewJA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
            Source: global trafficHTTP traffic detected: GET /images/JzxKy3Mr/7ak2_2FubAL0hgQNPmIL9Va/iBHhrMaA9s/LFOuALm_2BYEsJqje/TWeUx7UxHQBk/dxhkmyU1OGD/tPF0uqxzJ3F79x/iQdmT_2FhJihBRwcGP1Mu/6YEk0ltV8eb_2FO5/gjDtVZ5sdMNO5Jj/AsfoMd2ZBtct_2BlKV/_2BobvRca/tfgd7MbRHv4D_2BgMXmg/H7rXCWrYeFk/y.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ocsp.sca1b.amazontrust.comConnection: Keep-Alive
            Source: de-ch[1].htm.4.drString found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
            Source: msapplication.xml0.3.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x08341512,0x01d6fe90</date><accdate>0x08341512,0x01d6fe90</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml0.3.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x08341512,0x01d6fe90</date><accdate>0x08341512,0x01d6fe90</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml5.3.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x08367765,0x01d6fe90</date><accdate>0x08367765,0x01d6fe90</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml5.3.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x08367765,0x01d6fe90</date><accdate>0x08367765,0x01d6fe90</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml7.3.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x0838d9ca,0x01d6fe90</date><accdate>0x0838d9ca,0x01d6fe90</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: msapplication.xml7.3.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x0838d9ca,0x01d6fe90</date><accdate>0x0838d9ca,0x01d6fe90</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: de-ch[1].htm.4.drString found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
            Source: de-ch[1].htm.4.drString found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
            Source: unknownDNS traffic detected: queries for: www.msn.com
            Source: de-ch[1].htm.4.drString found in binary or memory: http://ogp.me/ns#
            Source: de-ch[1].htm.4.drString found in binary or memory: http://ogp.me/ns/fb#
            Source: auction[1].htm.4.drString found in binary or memory: http://popup.taboola.com/german
            Source: ~DF461BE834C20F1F8F.TMP.3.drString found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
            Source: msapplication.xml.3.drString found in binary or memory: http://www.amazon.com/
            Source: msapplication.xml1.3.drString found in binary or memory: http://www.google.com/
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
            Source: msapplication.xml2.3.drString found in binary or memory: http://www.live.com/
            Source: msapplication.xml3.3.drString found in binary or memory: http://www.nytimes.com/
            Source: msapplication.xml4.3.drString found in binary or memory: http://www.reddit.com/
            Source: msapplication.xml5.3.drString found in binary or memory: http://www.twitter.com/
            Source: msapplication.xml6.3.drString found in binary or memory: http://www.wikipedia.com/
            Source: msapplication.xml7.3.drString found in binary or memory: http://www.youtube.com/
            Source: de-ch[1].htm.4.drString found in binary or memory: https://amzn.to/2TTxhNg
            Source: auction[1].htm.4.drString found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&amp;ap
            Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
            Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
            Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
            Source: de-ch[1].htm.4.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
            Source: de-ch[1].htm.4.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://client-s.gateway.messenger.live.com
            Source: de-ch[1].htm.4.drString found in binary or memory: https://clk.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=21863656
            Source: de-ch[1].htm.4.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24903118&amp;epi=ch-de
            Source: ~DF461BE834C20F1F8F.TMP.3.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
            Source: de-ch[1].htm.4.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
            Source: de-ch[1].htm.4.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
            Source: de-ch[1].htm.4.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
            Source: ~DF461BE834C20F1F8F.TMP.3.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
            Source: ~DF461BE834C20F1F8F.TMP.3.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
            Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
            Source: de-ch[1].htm.4.drString found in binary or memory: https://i.geistm.com/l/HFCH_DTS_LP?bcid=5f11845dac990841e182d491&amp;bhid=60140a72c5b18a0414cccb9c&a
            Source: auction[1].htm.4.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
            Source: auction[1].htm.4.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
            Source: de-ch[1].htm.4.drString found in binary or memory: https://itunes.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
            Source: de-ch[1].htm.4.drString found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg&quot;
            Source: de-ch[1].htm.4.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;checkda=1&amp;ct=1612807329&amp;rver
            Source: de-ch[1].htm.4.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1612807329&amp;rver=7.0.6730.0&am
            Source: de-ch[1].htm.4.drString found in binary or memory: https://login.live.com/logout.srf?ct=1612807330&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
            Source: de-ch[1].htm.4.drString found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1612807329&amp;rver=7.0.6730.0&amp;w
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
            Source: de-ch[1].htm.4.drString found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&amp;market=de-ch&quot;
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://onedrive.live.com/#qt=mru
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
            Source: de-ch[1].htm.4.drString found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://onedrive.live.com/about/en/download/
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://onedrive.live.com;Fotos
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://onedrive.live.com;OneDrive-App
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
            Source: de-ch[1].htm.4.drString found in binary or memory: https://outlook.com/
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://outlook.live.com/calendar
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
            Source: de-ch[1].htm.4.drString found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
            Source: de-ch[1].htm.4.drString found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
            Source: ~DF461BE834C20F1F8F.TMP.3.drString found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
            Source: de-ch[1].htm.4.drString found in binary or memory: https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&amp;campid=533862
            Source: de-ch[1].htm.4.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
            Source: de-ch[1].htm.4.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
            Source: de-ch[1].htm.4.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
            Source: de-ch[1].htm.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch&quot;
            Source: imagestore.dat.4.dr, imagestore.dat.3.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
            Source: de-ch[1].htm.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
            Source: de-ch[1].htm.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
            Source: de-ch[1].htm.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
            Source: de-ch[1].htm.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
            Source: de-ch[1].htm.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1duLiL.img?h=368&amp
            Source: de-ch[1].htm.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
            Source: de-ch[1].htm.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://support.skype.com
            Source: de-ch[1].htm.4.drString found in binary or memory: https://twitter.com/
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://twitter.com/i/notifications;Ich
            Source: de-ch[1].htm.4.drString found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&amp;awinaffid=696593&amp;clickref=dech-edge-dhp-infopa
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-edge-dhp-river
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-ss&amp;ued=htt
            Source: iab2Data[1].json.4.drString found in binary or memory: https://www.bidstack.com/privacy-policy/
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/
            Source: ~DF461BE834C20F1F8F.TMP.3.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch&quot;
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata&quot;
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/alles-neu/ar-BB1dux42?ocid=hplocalnews
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/autoposertreffen-aufgel%c3%b6st-20-bussen-wegen-illegalen-party
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/in-albisrieden-w%c3%bctet-die-abrissbirne-die-wohnforscherin-sa
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/lernfahrer-17-fl%c3%bcchtet-mit-hohem-tempo-vor-polizei/ar-BB1d
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/massenansammlung-in-z%c3%bcrich-drei-menschen-t%c3%a4tlich-ange
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/polizei-l%c3%b6st-autoposer-treffen-am-z%c3%bcrcher-mythenquai-
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/rekordhohe-arbeitslosigkeit-im-gastgewerbe/ar-BB1dupXH?ocid=hpl
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/svp-fordert-kameras-in-innenstadt-wegen-gewalt/ar-BB1dsYch?ocid
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/teheran-sauerland-z%c3%bcrich/ar-BB1dtXXe?ocid=hplocalnews
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrcher-lehrer-werden-um-die-papizeit-geprellt/ar-BB1duPlU
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.skype.com/
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://www.skype.com/de
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://www.skype.com/de/download-skype
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
            Source: de-ch[1].htm.4.drString found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
            Source: iab2Data[1].json.4.drString found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
            Source: iab2Data[1].json.4.drString found in binary or memory: https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl
            Source: 85-0f8009-68ddb2ab[1].js.4.drString found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
            Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
            Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
            Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
            Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49733 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49734 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49746 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49748 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49745 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49749 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49747 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49750 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000001.00000003.292502307.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292533289.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292594538.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292436878.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292475476.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.605279889.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292389441.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292584523.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292564606.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 5424, type: MEMORY

            E-Banking Fraud:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000001.00000003.292502307.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292533289.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292594538.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292436878.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292475476.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.605279889.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292389441.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292584523.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292564606.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 5424, type: MEMORY

            System Summary:

            barindex
            Writes or reads registry keys via WMIShow sources
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMIShow sources
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_1000183B NtMapViewOfSection,1_2_1000183B
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_100014E8 NtCreateSection,memset,1_2_100014E8
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_100022C5 NtQueryVirtualMemory,1_2_100022C5
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_100020A41_2_100020A4
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
            Source: BullGuard.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Source: BullGuard.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: classification engineClassification label: mal76.troj.winDLL@13/137@11/3
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF4D14CF95BAA0867A.TMPJump to behavior
            Source: BullGuard.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\BullGuard.dll'
            Source: unknownProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\BullGuard.dll
            Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4088 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4088 CREDAT:17426 /prefetch:2
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4088 CREDAT:17430 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\BullGuard.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exeJump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4088 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4088 CREDAT:17426 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4088 CREDAT:17430 /prefetch:2Jump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
            Source: unknownProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\BullGuard.dll
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_10002093 push ecx; ret 1_2_100020A3
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_10002040 push ecx; ret 1_2_10002049

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000001.00000003.292502307.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292533289.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292594538.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292436878.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292475476.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.605279889.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292389441.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292584523.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292564606.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 5424, type: MEMORY
            Source: C:\Windows\SysWOW64\regsvr32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6252Thread sleep count: 262 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6252Thread sleep time: -131000s >= -30000sJump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exeJump to behavior
            Source: regsvr32.exe, 00000001.00000002.605118283.0000000003330000.00000002.00000001.sdmpBinary or memory string: Program Manager
            Source: regsvr32.exe, 00000001.00000002.605118283.0000000003330000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: regsvr32.exe, 00000001.00000002.605118283.0000000003330000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: regsvr32.exe, 00000001.00000002.605118283.0000000003330000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_10001000 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,1_2_10001000
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_10001146 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,1_2_10001146

            Stealing of Sensitive Information:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000001.00000003.292502307.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292533289.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292594538.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292436878.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292475476.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.605279889.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292389441.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292584523.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292564606.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 5424, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000001.00000003.292502307.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292533289.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292594538.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292436878.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292475476.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.605279889.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292389441.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292584523.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.292564606.0000000004B58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 5424, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation2DLL Side-Loading1Process Injection12Masquerading1OS Credential DumpingSystem Time Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Virtualization/Sandbox Evasion1LSASS MemoryQuery Registry1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection12Security Account ManagerVirtualization/Sandbox Evasion1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information1NTDSProcess Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol3SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptRegsvr321LSA SecretsFile and Directory Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonSoftware Packing2Cached Domain CredentialsSystem Information Discovery3VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup ItemsDLL Side-Loading1DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java