Play interactive tour

Edit tour

Analysis Report laka4.dll

Overview

General Information

Sample Name:	laka4.dll
Analysis ID:	399641
MD5:	4f2aee8563f78102b67ea3f6d9b9166b
SHA1:	518888baf0266a9638d20fd04cb5727f864d3b39
SHA256:	fd35940bf6701f7d98b39196b19273c86c74757ca2c226cff607fa23df183e03
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Ursnif

Hooks registry keys query functions (used to hide registry keys)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Performs DNS queries to domains with low reputation

Writes or reads registry keys via WMI

Writes registry values via WMI

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain checking for process token information

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Potential browser exploit detected (process start blacklist hit)

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6880 cmdline: loaddll32.exe 'C:\Users\user\Desktop\laka4.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 6912 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6932 cmdline: rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cmd.exe (PID: 6992 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6112 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4684 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

regsvr32.exe (PID: 6920 cmdline: regsvr32.exe /s C:\Users\user\Desktop\laka4.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

cmd.exe (PID: 6964 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 7164 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 660 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

iexplore.exe (PID: 6952 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 7096 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6952 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

rundll32.exe (PID: 7036 cmdline: rundll32.exe C:\Users\user\Desktop\laka4.dll,Brightnight MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cmd.exe (PID: 7128 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6568 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6412 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

rundll32.exe (PID: 6676 cmdline: rundll32.exe C:\Users\user\Desktop\laka4.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cmd.exe (PID: 6516 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4780 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5756 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 1368 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6784 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6904 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

cleanup

Malware Configuration

Threatname: Ursnif

[[{"RSA Public Key": "L/wCy1GoxvEX4NLWc+yzxnqqtxjDB+8uPxRZvPrlDrMxQ2bbJq01o9WFOiHLCJrh+RKu9huQeKHCb5yXElgk2Nd3rgkxeee1N9o1azRKGb/pjfM9Tj2n60aZVNcvtvZDmiTCZ7Le99YkfP0IzOFfvN2B4OghgFjwQeKs81oBHGk2pngD1Zlrq72yIa/kUYrf"}, {"c2_domain": ["1.microsoft.com", "silugerude.xyz", "vilugerude.xyz"], "botnet": "4463", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}]]

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000018.00000003.775701050.0000000003110000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.838142140.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.857625114.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909665638.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.959293774.00000000054AC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905711954.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905674059.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.857795473.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.938999366.00000000031BC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.857776316.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905782753.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905833677.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909829429.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.780693607.0000000000BD0000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000018.00000003.857683077.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909904535.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.857820386.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.857808720.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.838200660.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909762591.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000008.00000003.766624106.0000000002E10000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000018.00000003.857714581.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.1009913837.000000000541C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.838181374.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909865416.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909891092.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909848147.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.838052469.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.838002362.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905819560.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909807581.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.1013072792.000000000553C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.838240951.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.857756795.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.838099477.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905803436.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000002.1030930479.00000000010B1000.00000004.00000001.sdmp	SUSP_LNK_SuspiciousCommands	Detects LNK file with suspicious content	Florian Roth	0x16bee:$s12: WScript.Shell 0x17a8d:$s12: wscript.shell
00000003.00000003.764888743.0000000002F40000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000003.00000003.905753199.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.763148290.0000000000F40000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.837840447.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905845684.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.loaddll32.exe.bda481.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.3.rundll32.exe.2f4a481.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
24.3.rundll32.exe.311a481.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.3.regsvr32.exe.f4a481.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
8.3.rundll32.exe.2e1a481.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 24.3.rundll32.exe.311a481.0.raw.unpack

Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "L/wCy1GoxvEX4NLWc+yzxnqqtxjDB+8uPxRZvPrlDrMxQ2bbJq01o9WFOiHLCJrh+RKu9huQeKHCb5yXElgk2Nd3rgkxeee1N9o1azRKGb/pjfM9Tj2n60aZVNcvtvZDmiTCZ7Le99YkfP0IzOFfvN2B4OghgFjwQeKs81oBHGk2pngD1Zlrq72yIa/kUYrf"}, {"c2_domain": ["1.microsoft.com", "silugerude.xyz", "vilugerude.xyz"], "botnet": "4463", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}]]

Source: laka4.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49750 version: TLS 1.2

Source:

Binary string: c:\Floor help\sharp\Baby\Meas\smile.pdb source: laka4.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007D7DA3 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		0_2_007D7DA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F47DA3 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		2_2_00F47DA3

Source: C:\Program Files\internet explorer\iexplore.exe

Process created: C:\Windows\System32\conhost.exe

Jump to behavior

Networking:

Performs DNS queries to domains with low reputation

Show sources

Source:	DNS query: silugerude.xyz
Source:	DNS query: silugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: silugerude.xyz
Source:	DNS query: silugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz

Source: Joe Sandbox View

IP Address: 104.20.185.68 104.20.185.68

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: de-ch[1].htm.10.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x156dd860,0x01d73c7e</date><accdate>0x156dd860,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x156dd860,0x01d73c7e</date><accdate>0x156dd860,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x15729d0d,0x01d73c7e</date><accdate>0x15729d0d,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x15729d0d,0x01d73c7e</date><accdate>0x15729d0d,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x1574ff56,0x01d73c7e</date><accdate>0x1574ff56,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x1574ff56,0x01d73c7e</date><accdate>0x1574ff56,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.10.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.10.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: de-ch[1].htm.10.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.10.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: ~DF350590C2B9D41CB2.TMP.5.dr, {8BC3AC88-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://silugerude.xyz/palok/BCk7mFxSRy/Qm0SzTs5dMXdNL8SU/P_2BkhEGcRW5/U9Vx3mh5hRK/dX0HNPUxJl8j6m/IQf
Source: {92BC32FA-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://silugerude.xyz/palok/JYNgnm_2BBHAequLwRjE0/wog2aPyjIrhfiChj/_2F7KNmTOp7gcHK/jNoiBVFK7FGrcvPg_
Source: ~DF29CFFC13F95711AB.TMP.5.dr, {7ECFB246-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://silugerude.xyz/palok/TFAutzbu/gCe3ncCBLMH7DreC61qLPHX/ngaLnwVCvh/xXteQjB63wWsF2t6A/Zz_2BRALS7
Source: ~DF6E75D50C571952C5.TMP.5.dr, {7ECFB244-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://silugerude.xyz/palok/Ypgl4JI_2FR/m0yEq7_2B7ljWe/BPm0RVhpDIfFWYr2d3BFy/aXhI5T_2B9mwNkry/hFC_2F
Source: imagestore.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/favicon.ico
Source: imagestore.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/favicon.ico~
Source: {9F800807-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/02XIlHxdbtKM8P3i3ca/47BqsC6_2FhAXQycTT8tDA/RUNfA0sZ_2BZr/1jh8HIyV/8yUbmY
Source: ~DFFCDBC08326237A5C.TMP.5.dr, {92BC32FC-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/ByknSZ2tON9683wB1nz_2/FXwcC_2Ftu5SOLf_/2B2lhXejD0yHkC3/naPotBkzM8oI0dYk3
Source: {9F80080F-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr, ~DFBDDF96D7C9F8EE76.TMP.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/CW13K5mE2c3xbRAfZePcI/XEak48G8SmMzV00N/TmMgf_2FUC_2FO8/q1mZ7RFRjJFdb0E2U
Source: ~DFF281750E0F709160.TMP.5.dr, {8BC3AC80-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/ISxtPb9NBDRdKdPIDnGulH/UHMvfd9n0X2gt/HgBUH102/d1m0OPwBZ0XynInWe6FU1aI/20
Source: ~DFC13F73B5108036FD.TMP.5.dr, {8BC3AC82-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/ZSXFTmnkcje5EOH/umoJg5Byr3I9szhZzJ/RAjbLNU7_/2BKMDUk3G_2Bo_2FwnsZ/OrQwr5
Source: ~DF5B84FB0897B0685F.TMP.5.dr, {8BC3AC86-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/aOnuW4Kc8kOdYhrgG/HHSmkSFK_2Fd/FqiAyDyS_2B/Bifl3Bed0SdPBr/pMym6LPCFFnLXB
Source: rundll32.exe, 00000003.00000003.1009779943.0000000003034000.00000004.00000001.sdmp, ~DFB72C5D5D1A9C9D82.TMP.5.dr, {9F80080B-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/dFnfMK1xAnp5I7t/YmapWF7tOTYN7Dd_2B/6kHZ1aN0G/zjxUimz2MEw0rWfqLZLJ/gCkKKi
Source: {9F80080D-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/neoLoiiKtwHl6QdM4A/f0O2DxWQo/5EJl2Tz8iA7cOU69VgBA/IeUG6sell9ZjI6yQKow/fY
Source: ~DFD692E6FF3D6732D0.TMP.5.dr, {9F800811-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/qo_2FTJl/jnoEfVMzZHt3_2BMW0xDKGO/M1Kxv2lNpc/7gbEDrc_2F2egCapG/TuTROOPwVO
Source: {92BC32FE-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/t9KapG5Lp7Zt_2Fa57QG/GX7NNpbipoY4mmC8m9o/47gVROA6RCGhiLCLu_2F0K/y86ol3pt
Source: ~DF1901F2BDB9BBEDC1.TMP.5.dr, {9F800809-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/taR_2BUDt4igM2RX/qZ890U_2FvXmpm7/kLlTmzjbCaxzLI30UD/sG2rHuNAE/XyrX_2Fzhy
Source: {8BC3AC84-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/vUdO_2B4IZ3J_2Bd6F3sVbz/0bLr6U_2BT/ty33Mhp8Qlrf5CraM/knAI6s31dF0P/5ITH10
Source: msapplication.xml.5.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.5.dr	String found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.5.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.5.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.5.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.5.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.5.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.5.dr	String found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24952290&epi=dech
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1619648989&rver
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1619648989&rver=7.0.6730.0&am
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1619648990&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1619648989&rver=7.0.6730.0&w
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1g9leV.img?h=368&amp
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/en-us?"
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt
Source: iab2Data[1].json.10.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.ebay.ch/?mkcid=1&mkrid=5222-53480-19255-0&siteid=193&campid=5338626668&t
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/vermischtes/in-z%c3%bcrich-k%c3%b6nnen-sich-nun-auch-personen-
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/%c3%a4rger-%c3%bcber-auto-poser-klagen-%c3%bcber-f
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/alle-sagen-du-siehst-so-gut-aus-doch-der-long-covi
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/cyberkriminalit%c3%a4t-nimmt-zu-so-k%c3%b6nnen-sie
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/so-laut-wie-ein-presslufthammer-auto-poser-rauben-
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/st-galler-regierung-verteidigt-polizeieinsatz-in-r
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/urteil-mit-signalwirkung-unternehmer-erh%c3%a4lt-1
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/wie-sich-der-z%c3%bcrcher-kantonsrat-durch-seine-b
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/eine-autoposer-fahrt-war-so-laut-wie-ein-presslufthammer/ar-BB1
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/querulant-k%c3%a4mpft-erfolgreich-gegen-hausverbot/ar-BB1g5LzJ?
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.10.dr	String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.10.dr	String found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49750 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.838142140.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857625114.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909665638.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.959293774.00000000054AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905711954.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905674059.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857795473.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.938999366.00000000031BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857776316.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905782753.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905833677.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909829429.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857683077.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909904535.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857820386.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857808720.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838200660.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909762591.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857714581.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1009913837.000000000541C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838181374.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909865416.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909891092.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909848147.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838052469.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838002362.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905819560.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909807581.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1013072792.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838240951.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857756795.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838099477.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905803436.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905753199.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.837840447.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905845684.0000000005618000.00000004.00000040.sdmp, type: MEMORY

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000018.00000003.775701050.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.780693607.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.766624106.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.764888743.0000000002F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.763148290.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.3.loaddll32.exe.bda481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.2f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.rundll32.exe.311a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.regsvr32.exe.f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.2e1a481.0.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report laka4.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud: