
Analysis Report laka4.dll

Overview

General Information

Sample Name:laka4.dll
Analysis ID:399641
MD5:4f2aee8563f78102b67ea3f6d9b9166b
SHA1:518888baf0266a9638d20fd04cb5727f864d3b39
SHA256:fd35940bf6701f7d98b39196b19273c86c74757ca2c226cff607fa23df183e03

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected Ursnif
Yara detected Ursnif
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Performs DNS queries to domains with low reputation
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain checking for process token information
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Potential browser exploit detected (process start blacklist hit)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6880 cmdline: loaddll32.exe 'C:\Users\user\Desktop\laka4.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6912 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6932 cmdline: rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • cmd.exe (PID: 6992 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 6112 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 3080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 4684 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • regsvr32.exe (PID: 6920 cmdline: regsvr32.exe /s C:\Users\user\Desktop\laka4.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • cmd.exe (PID: 6964 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 7164 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 660 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • iexplore.exe (PID: 6952 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
      • iexplore.exe (PID: 7096 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6952 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • rundll32.exe (PID: 7036 cmdline: rundll32.exe C:\Users\user\Desktop\laka4.dll,Brightnight MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 7128 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6568 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6412 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 6676 cmdline: rundll32.exe C:\Users\user\Desktop\laka4.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 6516 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4780 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5756 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 1368 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6784 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6904 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup
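
The Startup tree above is itself a detection opportunity: every loader (loaddll32.exe, regsvr32.exe, rundll32.exe) that hosts laka4.dll goes on to spawn `cmd.exe /c echo 'Guess s'`, and rundll32.exe is handed a DLL in a user profile directory together with an export (`#1`, `Brightnight`, `DllRegisterServer`). The block below is an added example, not part of the Joe Sandbox report, that runs these two rules over process-creation events. The events are constructed from the tree (PIDs and command lines are the report's; full image paths are assumed, since the tree prints only the binary name) plus one benign `rundll32.exe shell32.dll,Control_RunDLL` control that must not fire.

```python
import re

# Loader binaries that host DLL code (the report's tree shows all three
# being used to invoke laka4.dll); a shell child under them is unusual.
LOADER_IMAGES = {"rundll32.exe", "regsvr32.exe", "loaddll32.exe"}

# Constructed events modelled on the report's Startup tree. PIDs and command
# lines are taken from the tree; full image paths are assumed, since the tree
# prints only the binary name. The last event is a benign control.
EVENTS = [
    {"pid": 6880, "ppid": 1, "image": r"C:\Windows\System32\loaddll32.exe",
     "cmdline": r"loaddll32.exe 'C:\Users\user\Desktop\laka4.dll'"},
    {"pid": 6912, "ppid": 6880, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1"},
    {"pid": 6932, "ppid": 6912, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1"},
    {"pid": 6992, "ppid": 6932, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c echo 'Guess s'"},
    {"pid": 7104, "ppid": 6992, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 6920, "ppid": 6880, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\user\Desktop\laka4.dll"},
    {"pid": 6964, "ppid": 6920, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c echo 'Guess s'"},
    {"pid": 7036, "ppid": 6880, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\laka4.dll,Brightnight"},
    {"pid": 4242, "ppid": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# cmd.exe /c echo ... (case-insensitive, optional .exe, any spacing)
ECHO_RE = re.compile(r"\bcmd(\.exe)?\s+/c\s+echo\b", re.IGNORECASE)
# rundll32 <dll>,<export>: the DLL path may be quoted, the export is an
# ordinal ('#1') or a name ('Brightnight', 'DllRegisterServer').
RUNDLL_RE = re.compile(
    r"rundll32(\.exe)?\s+['\"]?(?P<dll>[^'\",]+)['\"]?,(?P<export>\S+)",
    re.IGNORECASE)
USER_WRITABLE = ("c:\\users\\",)


def image_name(path):
    """Return the lowercase file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for every event matching a rule."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        # Rule 1: rundll32/regsvr32/loaddll32 -> cmd.exe /c echo ...
        if (name == "cmd.exe" and parent is not None
                and image_name(parent["image"]) in LOADER_IMAGES
                and ECHO_RE.search(e["cmdline"])):
            alerts.append(("loader_spawns_cmd_echo", e["pid"], e["ppid"]))
        # Rule 2: rundll32 given a DLL under a user-writable path plus an export.
        if name == "rundll32.exe":
            m = RUNDLL_RE.search(e["cmdline"])
            if m and m.group("dll").lower().startswith(USER_WRITABLE):
                alerts.append(("rundll32_user_dll_export", e["pid"], m.group("export")))
    return alerts


def summarize(events):
    """Count alerts per rule; handy for a one-line triage summary."""
    counts = {}
    for rule, _, _ in detect(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
    print(summarize(EVENTS))
```

Rule 1 needs the parent image, so it only works on telemetry that records the parent (Sysmon Event ID 1, Windows 4688 with the creator process name); rule 2 works on the command line alone. Neither rule fires on the control event, and the intermediate `cmd.exe /C rundll32.exe ...` (PID 6912) is correctly skipped because its command is not an echo.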

Malware Configuration

Threatname: Ursnif

[[{"RSA Public Key": "L/wCy1GoxvEX4NLWc+yzxnqqtxjDB+8uPxRZvPrlDrMxQ2bbJq01o9WFOiHLCJrh+RKu9huQeKHCb5yXElgk2Nd3rgkxeee1N9o1azRKGb/pjfM9Tj2n60aZVNcvtvZDmiTCZ7Le99YkfP0IzOFfvN2B4OghgFjwQeKs81oBHGk2pngD1Zlrq72yIa/kUYrf"}, {"c2_domain": ["1.microsoft.com", "silugerude.xyz", "vilugerude.xyz"], "botnet": "4463", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}]]
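
The extracted configuration is the shortest route to both blocking and decrypting this sample's traffic, and the C2 request paths listed in the Networking section (`/palok/...`) are the encoded beacons that the `serpent_key` is meant to decrypt. The following is an added example, not part of the report or of Joe Sandbox, that parses the configuration exactly as printed above, separates the `c2_domain` list into hosts to block and hosts to review (assumption: `1.microsoft.com` sits under a legitimate apex and must not be pushed to a block list unseen), checks that the key has a length Serpent accepts, and undoes the URL-path encoding to recover raw ciphertext. The encoding is inferred from the visible paths: base64 with `+`, `/` and `=` rewritten as `_2B`, `_2F` and `_2D`, with `/` separators inserted at arbitrary positions, even inside an escape (`_2/F`, `_/2B` in the report), and `palok` taken to be the URI directory rather than payload. Serpent decryption itself is not shown; there is no standard-library implementation.

```python
import base64
import json
from urllib.parse import urlsplit

# The configuration exactly as the report's Malware Configuration section prints it.
CONFIG_JSON = '''[[{"RSA Public Key": "L/wCy1GoxvEX4NLWc+yzxnqqtxjDB+8uPxRZvPrlDrMxQ2bbJq01o9WFOiHLCJrh+RKu9huQeKHCb5yXElgk2Nd3rgkxeee1N9o1azRKGb/pjfM9Tj2n60aZVNcvtvZDmiTCZ7Le99YkfP0IzOFfvN2B4OghgFjwQeKs81oBHGk2pngD1Zlrq72yIa/kUYrf"}, {"c2_domain": ["1.microsoft.com", "silugerude.xyz", "vilugerude.xyz"], "botnet": "4463", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}]]'''

# Assumption: hosts under these apex domains are legitimate infrastructure
# and are returned for review instead of being added to a block list.
ALLOWLISTED_APEX = ("microsoft.com",)


def load_config(text):
    """Flatten the extractor's nested list-of-dicts into one dict."""
    cfg = {}

    def walk(node):
        if isinstance(node, dict):
            cfg.update(node)
        else:
            for child in node:
                walk(child)

    walk(json.loads(text))
    return cfg


def c2_indicators(cfg, allowlisted_apex=ALLOWLISTED_APEX):
    """Split c2_domain into (block, review) lists by apex domain."""
    block, review = [], []
    for host in cfg.get("c2_domain", []):
        apex = ".".join(host.lower().split(".")[-2:])
        (review if apex in allowlisted_apex else block).append(host)
    return block, review


def serpent_key_ok(cfg):
    """Serpent takes 128-, 192- or 256-bit keys; the extracted key must fit one."""
    return len(cfg["serpent_key"].encode()) in (16, 24, 32)


def recover_ciphertext(url, truncated=False):
    """Undo the assumed URL-path encoding and return the raw ciphertext bytes.

    Separators are removed before the escapes are restored, because the
    report shows '/' inserted inside an escape ('_2/F', '_/2B'). The first
    path segment ('palok') is treated as the URI directory, not payload.
    """
    segments = urlsplit(url).path.lstrip("/").split("/", 1)
    payload = segments[1] if len(segments) == 2 else ""
    b64 = payload.replace("/", "")
    b64 = b64.replace("_2B", "+").replace("_2F", "/").replace("_2D", "=")
    if truncated:
        # The report's strings are cut at about 100 characters: drop the
        # partial trailing base64 group instead of failing on it.
        b64 = b64[: len(b64) - len(b64) % 4]
    else:
        b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64, validate=True)


def encode_like_ursnif(data, host="vilugerude.xyz", directory="palok", seg_len=17):
    """Constructed inverse of recover_ciphertext, used only for round-trip tests."""
    b64 = (base64.b64encode(data).decode()
           .replace("+", "_2B").replace("/", "_2F").replace("=", "_2D"))
    segs = [b64[i:i + seg_len] for i in range(0, len(b64), seg_len)]
    return "http://%s/%s/%s" % (host, directory, "/".join(segs))


if __name__ == "__main__":
    cfg = load_config(CONFIG_JSON)
    print("block:", c2_indicators(cfg)[0], "review:", c2_indicators(cfg)[1])
    print("serpent key usable:", serpent_key_ok(cfg))
    sample = ("http://vilugerude.xyz/palok/ByknSZ2tON9683wB1nz_2/FXwcC_2Ftu5SOLf_"
              "/2B2lhXejD0yHkC3/naPotBkzM8oI0dYk3")
    print(len(recover_ciphertext(sample, truncated=True)), "ciphertext bytes")
```

The recovered bytes are what a Serpent-CBC decryptor keyed with `serpent_key` would consume; the report's URL strings are truncated, so `truncated=True` yields only the leading complete blocks of each request. The DGA fields (`dga_base_url`, `dga_tld`, `DGA_count`) are carried through by `load_config` unchanged; generating candidate domains from them is not attempted here because the report does not describe the generation algorithm.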

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000018.00000003.775701050.0000000003110000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000000.00000003.838142140.00000000033B8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000018.00000003.857625114.00000000056A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.909665638.0000000005738000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000018.00000003.959293774.00000000054AC000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(37 entries; 5 shown above)

            Unpacked PEs

Source | Rule | Description | Author | Strings
0.3.loaddll32.exe.bda481.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.3.rundll32.exe.2f4a481.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
24.3.rundll32.exe.311a481.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.regsvr32.exe.f4a481.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
8.3.rundll32.exe.2e1a481.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview


                      AV Detection:

Found malware configuration
Source: 24.3.rundll32.exe.311a481.0.raw.unpack; Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "L/wCy1GoxvEX4NLWc+yzxnqqtxjDB+8uPxRZvPrlDrMxQ2bbJq01o9WFOiHLCJrh+RKu9huQeKHCb5yXElgk2Nd3rgkxeee1N9o1azRKGb/pjfM9Tj2n60aZVNcvtvZDmiTCZ7Le99YkfP0IzOFfvN2B4OghgFjwQeKs81oBHGk2pngD1Zlrq72yIa/kUYrf"}, {"c2_domain": ["1.microsoft.com", "silugerude.xyz", "vilugerude.xyz"], "botnet": "4463", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}]]
Source: laka4.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown; HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: Binary string: c:\Floor help\sharp\Baby\Meas\smile.pdb source: laka4.dll
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_007D7DA3 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_007D7DA3
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_00F47DA3 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,2_2_00F47DA3
Source: C:\Program Files\internet explorer\iexplore.exe; Process created: C:\Windows\System32\conhost.exe

                      Networking:

Performs DNS queries to domains with low reputation
Source: DNS query: silugerude.xyz (4 queries)
Source: DNS query: vilugerude.xyz (12 queries)
Source: Joe Sandbox View; IP Address: 104.20.185.68
Source: Joe Sandbox View; JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: de-ch[1].htm.10.dr; String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x156dd860,0x01d73c7e</date><accdate>0x156dd860,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x156dd860,0x01d73c7e</date><accdate>0x156dd860,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.5.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x15729d0d,0x01d73c7e</date><accdate>0x15729d0d,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.5.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x15729d0d,0x01d73c7e</date><accdate>0x15729d0d,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.5.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x1574ff56,0x01d73c7e</date><accdate>0x1574ff56,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.5.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x1574ff56,0x01d73c7e</date><accdate>0x1574ff56,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.10.dr; String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.10.dr; String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.10.dr; String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.10.dr; String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.10.dr; String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.10.dr; String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
Source: unknown; DNS traffic detected: queries for: www.msn.com
Source: de-ch[1].htm.10.dr; String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.10.dr; String found in binary or memory: http://ogp.me/ns/fb#
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr; String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: ~DF350590C2B9D41CB2.TMP.5.dr, {8BC3AC88-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr; String found in binary or memory: http://silugerude.xyz/palok/BCk7mFxSRy/Qm0SzTs5dMXdNL8SU/P_2BkhEGcRW5/U9Vx3mh5hRK/dX0HNPUxJl8j6m/IQf
Source: {92BC32FA-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr; String found in binary or memory: http://silugerude.xyz/palok/JYNgnm_2BBHAequLwRjE0/wog2aPyjIrhfiChj/_2F7KNmTOp7gcHK/jNoiBVFK7FGrcvPg_
Source: ~DF29CFFC13F95711AB.TMP.5.dr, {7ECFB246-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr; String found in binary or memory: http://silugerude.xyz/palok/TFAutzbu/gCe3ncCBLMH7DreC61qLPHX/ngaLnwVCvh/xXteQjB63wWsF2t6A/Zz_2BRALS7
Source: ~DF6E75D50C571952C5.TMP.5.dr, {7ECFB244-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr; String found in binary or memory: http://silugerude.xyz/palok/Ypgl4JI_2FR/m0yEq7_2B7ljWe/BPm0RVhpDIfFWYr2d3BFy/aXhI5T_2B9mwNkry/hFC_2F
Source: imagestore.dat.5.dr; String found in binary or memory: http://vilugerude.xyz/favicon.ico
Source: imagestore.dat.5.dr; String found in binary or memory: http://vilugerude.xyz/favicon.ico~
Source: {9F800807-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr; String found in binary or memory: http://vilugerude.xyz/palok/02XIlHxdbtKM8P3i3ca/47BqsC6_2FhAXQycTT8tDA/RUNfA0sZ_2BZr/1jh8HIyV/8yUbmY
Source: ~DFFCDBC08326237A5C.TMP.5.dr, {92BC32FC-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr; String found in binary or memory: http://vilugerude.xyz/palok/ByknSZ2tON9683wB1nz_2/FXwcC_2Ftu5SOLf_/2B2lhXejD0yHkC3/naPotBkzM8oI0dYk3
Source: {9F80080F-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr, ~DFBDDF96D7C9F8EE76.TMP.5.dr; String found in binary or memory: http://vilugerude.xyz/palok/CW13K5mE2c3xbRAfZePcI/XEak48G8SmMzV00N/TmMgf_2FUC_2FO8/q1mZ7RFRjJFdb0E2U
Source: ~DFF281750E0F709160.TMP.5.dr, {8BC3AC80-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr; String found in binary or memory: http://vilugerude.xyz/palok/ISxtPb9NBDRdKdPIDnGulH/UHMvfd9n0X2gt/HgBUH102/d1m0OPwBZ0XynInWe6FU1aI/20
Source: ~DFC13F73B5108036FD.TMP.5.dr, {8BC3AC82-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr; String found in binary or memory: http://vilugerude.xyz/palok/ZSXFTmnkcje5EOH/umoJg5Byr3I9szhZzJ/RAjbLNU7_/2BKMDUk3G_2Bo_2FwnsZ/OrQwr5
Source: ~DF5B84FB0897B0685F.TMP.5.dr, {8BC3AC86-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr; String found in binary or memory: http://vilugerude.xyz/palok/aOnuW4Kc8kOdYhrgG/HHSmkSFK_2Fd/FqiAyDyS_2B/Bifl3Bed0SdPBr/pMym6LPCFFnLXB
Source: rundll32.exe, 00000003.00000003.1009779943.0000000003034000.00000004.00000001.sdmp, ~DFB72C5D5D1A9C9D82.TMP.5.dr, {9F80080B-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr; String found in binary or memory: http://vilugerude.xyz/palok/dFnfMK1xAnp5I7t/YmapWF7tOTYN7Dd_2B/6kHZ1aN0G/zjxUimz2MEw0rWfqLZLJ/gCkKKi
Source: {9F80080D-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr; String found in binary or memory: http://vilugerude.xyz/palok/neoLoiiKtwHl6QdM4A/f0O2DxWQo/5EJl2Tz8iA7cOU69VgBA/IeUG6sell9ZjI6yQKow/fY
Source: ~DFD692E6FF3D6732D0.TMP.5.dr, {9F800811-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr; String found in binary or memory: http://vilugerude.xyz/palok/qo_2FTJl/jnoEfVMzZHt3_2BMW0xDKGO/M1Kxv2lNpc/7gbEDrc_2F2egCapG/TuTROOPwVO
Source: {92BC32FE-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr; String found in binary or memory: http://vilugerude.xyz/palok/t9KapG5Lp7Zt_2Fa57QG/GX7NNpbipoY4mmC8m9o/47gVROA6RCGhiLCLu_2F0K/y86ol3pt
Source: ~DF1901F2BDB9BBEDC1.TMP.5.dr, {9F800809-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr; String found in binary or memory: http://vilugerude.xyz/palok/taR_2BUDt4igM2RX/qZ890U_2FvXmpm7/kLlTmzjbCaxzLI30UD/sG2rHuNAE/XyrX_2Fzhy
Source: {8BC3AC84-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr; String found in binary or memory: http://vilugerude.xyz/palok/vUdO_2B4IZ3J_2Bd6F3sVbz/0bLr6U_2BT/ty33Mhp8Qlrf5CraM/knAI6s31dF0P/5ITH10
Source: msapplication.xml.5.dr; String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.5.dr; String found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.10.dr; String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.5.dr; String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.5.dr; String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.5.dr; String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.5.dr; String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.5.dr; String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.5.dr; String found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.10.dr; String found in binary or memory: https://amzn.to/2TTxhNg
Source: de-ch[1].htm.10.dr; String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr; String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr; String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr; String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: de-ch[1].htm.10.dr; String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
Source: de-ch[1].htm.10.dr; String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
Source: de-ch[1].htm.10.dr; String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.10.dr; String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.10.dr; String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=21863656
Source: de-ch[1].htm.10.dr; String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24903118&amp;epi=ch-de
Source: de-ch[1].htm.10.dr; String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24952290&amp;epi=dech
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr; String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.10.dr; String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.10.dr; String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
Source: de-ch[1].htm.10.dr; String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr; String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr; String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr; String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: de-ch[1].htm.10.dr; String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;checkda=1&amp;ct=1619648989&amp;rver
Source: de-ch[1].htm.10.dr; String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1619648989&amp;rver=7.0.6730.0&am
Source: de-ch[1].htm.10.dr; String found in binary or memory: https://login.live.com/logout.srf?ct=1619648990&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
Source: de-ch[1].htm.10.dr; String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1619648989&amp;rver=7.0.6730.0&amp;w
Source: 52-478955-68ddb2ab[1].js.10.dr; String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.10.dr; String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&amp;market=de-ch&quot;
Source: 52-478955-68ddb2ab[1].js.10.dr; String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.10.dr; String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.10.dr; String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.10.dr; String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.10.dr; String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.10.dr; String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.10.dr; String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.10.dr; String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.10.dr; String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.10.dr; String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.10.dr; String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.10.dr; String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://outlook.com/
                      Source: 52-478955-68ddb2ab[1].js.10.drString found in binary or memory: https://outlook.live.com/calendar
                      Source: 52-478955-68ddb2ab[1].js.10.drString found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
                      Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.drString found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch&quot;
                      Source: imagestore.dat.5.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1g9leV.img?h=368&amp
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
                      Source: 52-478955-68ddb2ab[1].js.10.drString found in binary or memory: https://support.skype.com
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/en-us?&quot;
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://twitter.com/
                      Source: 52-478955-68ddb2ab[1].js.10.drString found in binary or memory: https://twitter.com/i/notifications;Ich
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://web.vortex.data.msn.com/collect/v1
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&amp;awinaffid=696593&amp;clickref=dech-edge-dhp-infopa
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-edge-dhp-river
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-ss&amp;ued=htt
                      Source: iab2Data[1].json.10.drString found in binary or memory: https://www.bidstack.com/privacy-policy/
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.ebay.ch/?mkcid=1&amp;mkrid=5222-53480-19255-0&amp;siteid=193&amp;campid=5338626668&amp;t
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.msn.com/de-ch
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.msn.com/de-ch/
                      Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch&quot;
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata&quot;
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/vermischtes/in-z%c3%bcrich-k%c3%b6nnen-sich-nun-auch-personen-
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/%c3%a4rger-%c3%bcber-auto-poser-klagen-%c3%bcber-f
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/alle-sagen-du-siehst-so-gut-aus-doch-der-long-covi
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/cyberkriminalit%c3%a4t-nimmt-zu-so-k%c3%b6nnen-sie
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/so-laut-wie-ein-presslufthammer-auto-poser-rauben-
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/st-galler-regierung-verteidigt-polizeieinsatz-in-r
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/urteil-mit-signalwirkung-unternehmer-erh%c3%a4lt-1
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/wie-sich-der-z%c3%bcrcher-kantonsrat-durch-seine-b
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.msn.com/de-ch/news/other/eine-autoposer-fahrt-war-so-laut-wie-ein-presslufthammer/ar-BB1
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.msn.com/de-ch/news/other/querulant-k%c3%a4mpft-erfolgreich-gegen-hausverbot/ar-BB1g5LzJ?
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
                      Source: 52-478955-68ddb2ab[1].js.10.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
                      Source: 52-478955-68ddb2ab[1].js.10.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.skype.com/
                      Source: 52-478955-68ddb2ab[1].js.10.drString found in binary or memory: https://www.skype.com/de
                      Source: 52-478955-68ddb2ab[1].js.10.drString found in binary or memory: https://www.skype.com/de/download-skype
                      Source: 52-478955-68ddb2ab[1].js.10.drString found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
                      Source: de-ch[1].htm.10.drString found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
                      Source: iab2Data[1].json.10.drString found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
                      Source: iab2Data[1].json.10.drString found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
                      Source: 52-478955-68ddb2ab[1].js.10.drString found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49750 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Yara detected Ursnif

E-Banking Fraud:

Yara detected Ursnif
Yara detected Ursnif

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007D5408 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose | 0_2_007D5408
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_007DB2E1 NtQueryVirtualMemory,0_2_007DB2E1
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00F45408 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,2_2_00F45408
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00F4B2E1 NtQueryVirtualMemory,2_2_00F4B2E1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_007DA0320_2_007DA032
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_007DB0BC0_2_007DB0BC
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_007D5B450_2_007D5B45
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_007D73DB0_2_007D73DB
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00F4B0BC2_2_00F4B0BC
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00F4A0322_2_00F4A032
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00F473DB2_2_00F473DB
                      Source: laka4.dllBinary or memory string: OriginalFilenamesmile.dll@ vs laka4.dll
                      Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
                      Source: laka4.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: 00000002.00000002.1030930479.00000000010B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =
                      Source: classification engineClassification label: mal100.troj.evad.winDLL@77/155@26/1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_007D9E28 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,0_2_007D9E28
                      Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3BB1EF43-A871-11EB-90EB-ECF4BBEA1588}.datJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5724:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6712:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6316:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3080:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_01
                      Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DFC198BA407A93F7AA.TMPJump to behavior
                      Source: laka4.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\laka4.dll'
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\laka4.dll
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\laka4.dll,Brightnight
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6952 CREDAT:17410 /prefetch:2
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\laka4.dll,DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\laka4.dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exeJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\laka4.dll,BrightnightJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\laka4.dll,DllRegisterServerJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1Jump to behavior
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'Jump to behavior
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'Jump to behavior
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6952 CREDAT:17410 /prefetch:2Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
                      Source: laka4.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: laka4.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: laka4.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: laka4.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: laka4.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: laka4.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: laka4.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: c:\Floor help\sharp\Baby\Meas\smile.pdb source: laka4.dll
                      Source: laka4.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: laka4.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: laka4.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: laka4.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: laka4.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: laka4.dllStatic PE information: real checksum: 0x93768 should be: 0x9718f
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\laka4.dll
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_007DE41E push esp; ret 0_2_007DE420
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_007DACF0 push ecx; ret 0_2_007DACF9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_007DEAE5 push ds; retf 0_2_007DEAEB
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_007DB0AB push ecx; ret 0_2_007DB0BB
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_007DE163 push edx; iretd 0_2_007DE164
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_007DE919 pushfd ; ret 0_2_007DE91A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_007DE5D9 push eax; iretd 0_2_007DE5DA
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00F4ACF0 push ecx; ret 2_2_00F4ACF9
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00F4EAE5 push ds; retf 2_2_00F4EAEB
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00F4B0AB push ecx; ret 2_2_00F4B0BB
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00F4E41E push esp; ret 2_2_00F4E420
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00F4E5D9 push eax; iretd 2_2_00F4E5DA
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00F4E163 push edx; iretd 2_2_00F4E164
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00F4E919 pushfd ; ret 2_2_00F4E91A

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.838142140.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000003.857625114.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.909665638.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000003.959293774.00000000054AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.905711954.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.905674059.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000003.857795473.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.938999366.00000000031BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000003.857776316.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.905782753.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.905833677.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.909829429.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000003.857683077.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.909904535.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000003.857820386.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000003.857808720.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.838200660.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.909762591.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000003.857714581.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1009913837.000000000541C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.838181374.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.909865416.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.909891092.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.909848147.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.838052469.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.838002362.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.905819560.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.909807581.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1013072792.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.838240951.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000003.857756795.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.838099477.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.905803436.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.905753199.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.837840447.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.905845684.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Yara detected Ursnif
Source: Yara match | File source: 00000018.00000003.775701050.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.780693607.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.766624106.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.764888743.0000000002F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.763148290.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.3.loaddll32.exe.bda481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.2f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.3.rundll32.exe.311a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.regsvr32.exe.f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.3.rundll32.exe.2e1a481.0.raw.unpack, type: UNPACKEDPE
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe | IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFABB03521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe | EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFABB035200
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Source: C:\Windows\System32\loaddll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6924 | Thread sleep count: 75 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416 | Thread sleep count: 51 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416 | Thread sleep count: 46 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416 | Thread sleep count: 34 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416 | Thread sleep count: 66 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416 | Thread sleep count: 32 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416 | Thread sleep count: 31 > 30
                      Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416Thread sleep count: 37 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416Thread sleep count: 149 > 30Jump to behavior
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_007D7DA3 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_007D7DA3
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00F47DA3 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,2_2_00F47DA3
                      Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess information queried: ProcessInformationJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      Maps a DLL or memory area into another process
                      Source: C:\Program Files\internet explorer\iexplore.exe | Section loaded: unknown target: unknown protection: execute and read and write
                      Modifies the context of a thread in another process (thread injection)
                      Source: C:\Program Files\internet explorer\iexplore.exe | Thread register set: target process: 6528
                      Source: C:\Program Files\internet explorer\iexplore.exe | Thread register set: target process: 5064
                      Source: C:\Program Files\internet explorer\iexplore.exe | Thread register set: target process: 6708
                      Source: C:\Program Files\internet explorer\iexplore.exe | Thread register set: target process: 4172
                      Source: C:\Program Files\internet explorer\iexplore.exe | Thread register set: target process: 5584
                      Source: C:\Program Files\internet explorer\iexplore.exe | Thread register set: target process: 6972
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1
                      Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007D3C3A cpuid 0_2_007D3C3A
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007D947A HeapCreate,GetTickCount,GetSystemTimeAsFileTime,SwitchToThread,_aullrem,Sleep, 0_2_007D947A
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007D3C3A RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_007D3C3A
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007DA499 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_007DA499

                      Stealing of Sensitive Information:

                      Yara detected Ursnif
                      Yara detected Ursnif

                      Remote Access Functionality:

                      Yara detected Ursnif
                      Yara detected Ursnif

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation 2 | DLL Side-Loading 1 | Process Injection 211 | Rootkit 4 | Credential API Hooking 3 | System Time Discovery 1 | Remote Services | Credential API Hooking 3 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Masquerading 1 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | Exploitation for Client Execution 1 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 11 | Security Account Manager | Virtualization/Sandbox Evasion 11 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 211 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Regsvr32 1 | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll32 1 | DCSync | File and Directory Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading 1 | Proc Filesystem | System Information Discovery 13 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
                      (The numbers following a technique name are the report's signature-match counts for that cell; empty cells had no entry.)

                      Behavior Graph

                      Behavior Graph ID: 399641 | Sample: laka4.dll | Startdate: 29/04/2021 | Architecture: WINDOWS | Score: 100
                      (Graph image not reproduced; the recoverable node and edge information follows.)
                      Top-level signatures: Found malware configuration; Yara detected Ursnif (two rules); 5 other signatures. Top-level DNS/IP nodes: vilugerude.xyz, silugerude.xyz, resolver1.opendns.com.
                      Process tree: loaddll32.exe (Writes or reads registry keys via WMI; Writes registry values via WMI) starts regsvr32.exe, iexplore.exe, cmd.exe and 5 other processes. regsvr32.exe (same two WMI signatures) starts three cmd.exe instances, each with a conhost.exe. iexplore.exe (Modifies the context of a thread in another process; Maps a DLL or memory area into another process) starts a child iexplore.exe, which contacts geolocation.onetrust.com (104.20.185.68, port 443, CLOUDFLARENET US), www.msn.com and 6 other IPs or domains. cmd.exe starts rundll32.exe (Writes registry values via WMI), which starts cmd.exe and 2 other processes, each followed by a conhost.exe; the remaining cmd.exe instances each spawn a conhost.exe.

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.