{"server": "12", "whoami": "user@061544hh", "dns": "061544", "version": "250177", "uptime": "279", "crc": "1", "id": "4355", "user": "ef15d01308f8d2d8cdc8873a46d8f622", "soft": "3"}
| Source: http://haloopolikosul.xyz/manifest/YcHhvzqnGV3dy_2/FvEnS_2F9p1dXR5ImF/Zp9nA6_2B/trDvtMc01BMk6W10nS4b/nBY6Ro9NIYZgB4PdSB2/i1mhjy8xHpcjAa_2BlE3Kc/q_2FYOvC1J7aP/FNI18_2F/AG7vxeQbhoSEjouJBbqlUsR/JPS1_2BPEm/2lxmo_2BYnZJRzpXG/9_2FrnCKa8_2/B0uAY1BCgPp/SFeeWzcA5y/lCN_2FD.cnx | Avira URL Cloud: Label: malware |
| Source: regsvr32.exe.6936.1.memstr | Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@061544hh", "dns": "061544", "version": "250177", "uptime": "279", "crc": "1", "id": "4355", "user": "ef15d01308f8d2d8cdc8873a46d8f622", "soft": "3"} |
| Source: 602b97e0b415b.png.dll | Virustotal: Detection: 10% | Perma Link |
| Source: 602b97e0b415b.png.dll | ReversingLabs: Detection: 12% |
| Source: 602b97e0b415b.png.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
| Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll |
| Source: unknown | HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.6:49730 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.6:49731 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.6:49741 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.6:49740 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.6:49743 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.6:49742 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.6:49744 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.6:49745 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 66.254.114.238:443 -> 192.168.2.6:49786 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 66.254.114.238:443 -> 192.168.2.6:49787 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 66.254.114.32:443 -> 192.168.2.6:49789 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 66.254.114.32:443 -> 192.168.2.6:49788 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 67.22.48.100:443 -> 192.168.2.6:49790 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 205.185.208.142:443 -> 192.168.2.6:49796 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 67.22.48.100:443 -> 192.168.2.6:49792 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 67.22.48.100:443 -> 192.168.2.6:49794 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 205.185.208.142:443 -> 192.168.2.6:49797 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 67.22.48.100:443 -> 192.168.2.6:49791 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 67.22.48.100:443 -> 192.168.2.6:49795 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 67.22.48.100:443 -> 192.168.2.6:49793 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 205.185.208.79:443 -> 192.168.2.6:49799 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 205.185.208.79:443 -> 192.168.2.6:49798 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 74.125.206.156:443 -> 192.168.2.6:49804 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 74.125.206.156:443 -> 192.168.2.6:49805 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 192.229.221.215:443 -> 192.168.2.6:49812 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 192.229.221.215:443 -> 192.168.2.6:49813 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 66.254.114.38:443 -> 192.168.2.6:49814 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 66.254.114.38:443 -> 192.168.2.6:49815 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 216.58.208.131:443 -> 192.168.2.6:49821 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 216.58.208.131:443 -> 192.168.2.6:49820 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 66.254.114.238:443 -> 192.168.2.6:49826 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 66.254.114.238:443 -> 192.168.2.6:49825 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 66.254.114.38:443 -> 192.168.2.6:49829 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 66.254.114.38:443 -> 192.168.2.6:49830 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 216.18.168.166:443 -> 192.168.2.6:49833 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 216.18.168.166:443 -> 192.168.2.6:49834 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 67.22.48.100:443 -> 192.168.2.6:49835 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 67.22.48.100:443 -> 192.168.2.6:49836 version: TLS 1.2 |
| Source: | Binary string: c:\EarlyBought\Weartoo\EspeciallyBeat\Mine.pdb source: regsvr32.exe, 00000001.00000002.684155912.000000006E20C000.00000002.00020000.sdmp, 602b97e0b415b.png.dll |
| Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_00817AA8 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, |
| Source: Joe Sandbox View | IP Address: 74.125.206.156 74.125.206.156 |
| Source: Joe Sandbox View | IP Address: 66.254.114.38 66.254.114.38 |
| Source: Joe Sandbox View | IP Address: 66.254.114.32 66.254.114.32 |
| Source: Joe Sandbox View | IP Address: 216.58.208.131 216.58.208.131 |
| Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c |
| Source: global traffic | HTTP traffic detected: GET /manifest/YcHhvzqnGV3dy_2/FvEnS_2F9p1dXR5ImF/Zp9nA6_2B/trDvtMc01BMk6W10nS4b/nBY6Ro9NIYZgB4PdSB2/i1mhjy8xHpcjAa_2BlE3Kc/q_2FYOvC1J7aP/FNI18_2F/AG7vxeQbhoSEjouJBbqlUsR/JPS1_2BPEm/2lxmo_2BYnZJRzpXG/9_2FrnCKa8_2/B0uAY1BCgPp/SFeeWzcA5y/lCN_2FD.cnx HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: haloopolikosul.xyzConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /manifest/6RdkLdcwvw_2FaqHQmLpM4K/xGxqXBd9cs/4qTL6qYc4ErNURqkt/XUq53JLMr1fD/RtNeBJnMakA/x3ecxxT0_2FZo4/viq_2FU3gJRlWwreK7Aro/xONAtX4tjMzUOqke/ZVsOFfFPnv3v7Yl/RAyVT9rsvo9A_2FB_2/BG4jenq1F/zEAUnyy5QmhMnaXqJirI/_2B75bS5kThvkB9AKZc/Wf0DyNgBKbqHX1zjWouA/W.cnx HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: trapolikoliosilios.xyzConnection: Keep-Alive |
| Source: de-ch[1].htm.4.dr | String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook) |
| Source: 3FSF6RAW.htm.31.dr | String found in binary or memory: href="http://www.twitter.com/RedTube" equals www.twitter.com (Twitter) |
| Source: 3FSF6RAW.htm.31.dr | String found in binary or memory: <a class="social-icon twitter" title="Twitter" href="http://www.twitter.com/RedTube" target="_blank" rel="nofollow"> equals www.twitter.com (Twitter) |
| Source: msapplication.xml0.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3233cd6f,0x01d704ca</date><accdate>0x3233cd6f,0x01d704ca</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook) |
| Source: msapplication.xml0.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3233cd6f,0x01d704ca</date><accdate>0x3233cd6f,0x01d704ca</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook) |
| Source: msapplication.xml5.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x3238924f,0x01d704ca</date><accdate>0x3238924f,0x01d704ca</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter) |
| Source: msapplication.xml5.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x3238924f,0x01d704ca</date><accdate>0x3238924f,0x01d704ca</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter) |
| Source: msapplication.xml7.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x323af49c,0x01d704ca</date><accdate>0x323af49c,0x01d704ca</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube) |
| Source: msapplication.xml7.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x323af49c,0x01d704ca</date><accdate>0x323af49c,0x01d704ca</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube) |
| Source: de-ch[1].htm.4.dr | String found in binary or memory: <img alt="" data-src="{"default":"//static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dJfsp.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&x=759&y=493"}" src="//static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif" title="Will Smith-Sadhguru-sarts-entertainment-aufm.jpg - Sadhguru auf a href"https://www.youtube.com/watch?vlL8sCf0qYHI" target"_blank"Youtube/a" /> <div> equals www.youtube.com (Youtube) |
| Source: de-ch[1].htm.4.dr | String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail) |
| Source: 85-0f8009-68ddb2ab[1].js.4.dr | String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter) |
| Source: de-ch[1].htm.4.dr | String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+" Ref 2: "+e.html(t.clientSettings.sid||"000000")+" Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, O |
Play interactive tour
Edit tour
